A major difficulty in defending against attackers and performing accurate attribution, lies in the fact that threat actors often route their traffic through the proverbial seven proxies. Defenders often spend many hours determining the source of malicious traffic, only to find that the attacker has compromised the web server of an unrelated victim somewhere on the Internet and is routing all their traffic through this foothold. Efforts to take down the attack source can present logistic and legal challenges. If the IP address being routed through is blocked on the defending firewall, an attacker often can switch their attack over to a yet another compromised server quickly, thwarting attempts to block by IP address.
When an ethical hacker or penetration tester is hired to simulate such attacks and provide remediation advice to an organization, it’s crucial that they have tools available to them which are on par with real-world threat actors. They need the ability to route their traffic from nearly anywhere in the world, and the ability to change their IP address on the fly, to test network defenses and assess security posture. In addition, they need the ability to conduct simulated attacks, without causing alarm to the their own Internet service provider, who could flag the traffic as malicious and shut down their connection.
These challenges can be solved by utilizing a modern, mature VPN solution. As exploit test traffic egresses the penetration tester’s network, they are tunneled through the VPN solution, so that the ISP does not become unnecessarily alarmed. During such engagements, the Blue Team, or defending team, may decide it is appropriate to block the source IP address delivering the attack. The Red Team, or ethical hacker team, can then utilize their VPN product’s feature to change their IP address, as needed. This ultimately allows for a more realistic penetration test, and therefore a more useful report on how to remediate vulnerabilities and optimize defenses. The Blue Team will also be challenged to move beyond traditional IP address blocking techniques, when faced with this type of simulation. They may find themselves migrating to methodologies which operate at a higher network layer, or simply monitoring the attack source IP address closely to learn more about the nature of the attack.
It’s important for a penetration tester choosing a VPN solution to also consider whether they may need to tunnel their C&C (command-and-control) traffic across the VPN. If the VPN solution has a port forwarding feature, this can be used quite effectively to stand up a C&C server which is listening through the VPN for hosts infected with a payload delivered by the penetration tester. This means their C&C’s true IP address can remain hidden, and if the VPN-based IP address is blocked, they can change to another. If a penetration tester’s C&C is detected by defenders, this is typically referred to as “burning your C&C”, and using a VPN can be a great solution for handling this.
If the VPN solution allows the user to choose a VPN node in a specific geographic region, this can also provide benefits to the penetration tester. If they choose a VPN node which is in close proximity geographically to the target, they may be able to decrease latency, to increase performance. Or, in some cases, the penetration tester may actually want to see if they can intentionally alarm defenders, by routing traffic through a nation that would not be expected to be sending traffic. This type of exercise may come late in a project, when the Red Team has already been successful at staying under the radar while achieving full compromise. To benchmark detection abilities, they may decide to pull out all the stops, making their attack as noisy as possible. If they can achieve full compromise a second time against a target organization only serving customers local to Atlanta, for instance, while routing the attack through Istanbul, perhaps the defending team has a lot of work to do.
It’s also important for an ethical hacker to acquire a VPN solution which is compatible with the operating system they’ll be using to launch attacks. Even if the VPN solution offers compatibility with both Windows and Linux, it’s still important to work out any complexities with specialized penetration testing operating systems like Kali Linux. It may be necessary with Kali Linux for instance, to use OpenVPN, so it’s important to make sure the VPN provider supports this.
If you’re a penetration tester looking for ways to simulate stealthy attacks, using a VPN solution in this way can provide tangible value. If you’re a defender, discuss with your penetration testing vendor if they feature full attack simulations that obfuscate the source IP address, and make sure you are choosing a vendor that can tailor their methodologies to your needs. The more realistic a penetration testing engagement is, the more useful information will come from it.