Where I work recently had our annual pen test. Overall it was not too shabby: we detected them early and could have kicked them out. I'm proud of the defenses and alerting I have helped set up and that I monitor. That is not what concerns me. The action items made from the report are what concern me.
I have yet to see a pen test that does not succeed in some way. There are always vulnerabilities. Pen tests help find them so you can fix them. The disconnect comes in how they get reported.
When a report comes in, there is always a dissection of that pen test report to create actionable items: patches, configuration changes and more that will help make the company more secure. When dealing with a single vulnerability that gets exploited, the pen testers assign a severity level in the report, and that should match up with a severity level on whatever action list the company has set up internally, so that you are patching the most serious issues first and then working down the line. So if you are susceptible to EternalBlue, that is a high severity finding, and there is a patch you should apply immediately.
Using all of this, a compromise of, say, Active Directory is a huge finding. If Domain Admin was obtained, well, you are pwned and that is game over, man. Yes, it is a critical finding, but how did AD get compromised? I tend to see the AD compromise listed on a report as a critical finding, but it tends to come from a chain of vulnerabilities and exploits. Those get broken out as separate actionable items, each at its own severity, which is usually lower than the AD compromise itself. Fixing any one link in that chain would mean AD is not compromised (at least not in that fashion). So now the system owners see the report, and the action list created from it, and see Critical: AD compromised by chaining x, y and z together. They see each individual link in the chain rated Low, Low, Medium. What happens? The fix for every part of that chain gets pushed back instead of any one of them getting fixed immediately. There has to be some way for the report to either show that getting to AD was done by chaining vulnerabilities that individually have a low likelihood of being found or exploited, or to raise the most severe link in the chain to a much higher severity.
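The re-prioritization the paragraph above asks for can be done mechanically once the report records which findings were chained together. The following is an added example, not part of the original post and not a tool from any pen test firm: it takes the findings as rated in isolation plus the chains the testers documented, raises every link to the severity of the worst chain it belongs to, and flags the cheapest link in each chain as the one to fix first (since removing any one link breaks the chain). The finding titles, ids, chain, and fix-effort estimates are constructed sample data; the effort figures in particular are a hypothetical input that the system owner would supply.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
RANK_SEVERITY = {rank: name for name, rank in SEVERITY_RANK.items()}


@dataclass
class Finding:
    id: str
    title: str
    severity: str          # severity as rated by the testers, in isolation
    fix_effort_days: int   # hypothetical estimate from the system owner


@dataclass
class Chain:
    id: str
    impact: str            # what the chain achieved
    severity: str          # severity of the end state, as rated by the testers
    links: list            # finding ids, in exploitation order


# Constructed sample report: three weak links rated Low/Low/Medium that were
# chained to Domain Admin, plus one standalone High finding for comparison.
FINDINGS = [
    Finding("X", "Legacy protocol left enabled", "Low", fix_effort_days=2),
    Finding("Y", "Service account with weak password", "Low", fix_effort_days=1),
    Finding("Z", "Excessive local admin rights", "Medium", fix_effort_days=5),
    Finding("W", "MS17-010 (EternalBlue) patch missing", "High", fix_effort_days=1),
]
CHAINS = [
    Chain("C1", "Domain Admin obtained", "Critical", links=["X", "Y", "Z"]),
]


def effective_severities(findings, chains):
    """Map finding id -> severity, where each finding is raised to the
    severity of the worst chain it participates in. Findings in no chain
    keep their original rating."""
    eff = {f.id: SEVERITY_RANK[f.severity] for f in findings}
    for chain in chains:
        for fid in chain.links:
            eff[fid] = max(eff[fid], SEVERITY_RANK[chain.severity])
    return {fid: RANK_SEVERITY[rank] for fid, rank in eff.items()}


def chain_breakers(findings, chains):
    """Map chain id -> the single cheapest link to fix. Fixing any one link
    stops the chain, so the cheapest one is the fastest way to break it."""
    by_id = {f.id: f for f in findings}
    return {
        chain.id: min(chain.links, key=lambda fid: by_id[fid].fix_effort_days)
        for chain in chains
    }


def prioritized_action_list(findings, chains):
    """Return findings as dicts, ordered by effective severity (desc), then
    chain breakers first, then lowest fix effort."""
    eff = effective_severities(findings, chains)
    breakers = set(chain_breakers(findings, chains).values())
    rows = [
        {
            "id": f.id,
            "title": f.title,
            "reported": f.severity,
            "effective": eff[f.id],
            "breaks_chain": f.id in breakers,
            "effort_days": f.fix_effort_days,
        }
        for f in findings
    ]
    rows.sort(key=lambda r: (-SEVERITY_RANK[r["effective"]],
                             not r["breaks_chain"],
                             r["effort_days"]))
    return rows


if __name__ == "__main__":
    for row in prioritized_action_list(FINDINGS, CHAINS):
        marker = " <- fix first, breaks C1" if row["breaks_chain"] else ""
        print(f'{row["id"]} {row["reported"]:>8} -> {row["effective"]:<8} '
              f'({row["effort_days"]}d) {row["title"]}{marker}')
```

Run stand-alone, the three chain links come out Critical instead of Low/Low/Medium, the one-day password fix is marked as the link that breaks the chain, and the standalone High finding drops below them, which is the ordering the system owners need to see.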
I am not a pen tester; I am blue team. I do not know how pen testers decide that vulnerability X is severity Y (or, for that matter, why the same vulnerability would be one severity one year and a different severity the next). I do know that if you go over the report with the pen testers, they should be willing to work with you on finding a way to get at least one link of a chain leading to a critical compromise fixed. The best ones take that into account when they write up the report in the first place.
Think of it this way: IT departments are swamped. They have to pick and choose what they are willing to put on their plate and what they are going to push off. Everyone, though, wants critical issues fixed, be they security or otherwise. A way of reporting the different levels should be worked out, ideally while the pen test is still being set up. How a pen test company reports chained compromises should be stated up front. In the end we all want to get to a better security posture. Red teamers should spend some time understanding how hard buy-in can be when the blue team puts out the red team's findings.