Citrix Breakout

Why do you need a Citrix Assessment?

Citrix is widely used to allow secure program access to remote users. However, these environments are often misconfigured and can be difficult to secure without fully assessing the requirements, permissions and implementation of the Citrix server. Excessive user privileges can allow arbitrary programs to be run and give escalated access to the underlying file systems. This can in turn allow application-enforced controls to be bypassed and potentially lead to compromise of the domain or network itself.

Citrix Specific Services

ProCheckUp provide in-depth Citrix and remote desktop assessments using the latest security testing tools and techniques. We take a holistic approach combining our experience in Citrix breakout analysis and methodologies from related testing domains including network infrastructure and web applications.

Remote desktop services such as Citrix and Microsoft Terminal Services are widely used to allow remote users to access programs and services securely. These products are often misconfigured, allowing users more privileges and access than they require for their role.

ProCheckUp offer testing specific to Citrix environments, utilising the latest security assessment tools and software development frameworks.

The assessment will be performed from the following positions:

  1. Without any knowledge of the underlying system.
  2. Without any knowledge but with credentials provided by the client.
  3. With complete knowledge of the configuration and underlying infrastructure.

Using years of experience and knowledge, as well as proven methodologies, ProCheckUp will identify security issues within the environment. This includes (but will not be limited to) the following commonly found vulnerabilities:

  • Citrix Breakout – Checking for common flaws that could allow users to break out of the published applications in order to run any other applications of their choosing.
  • Escalation of Privileges – Assessing if a normal user can escalate their permissions to execute programs or access files at administrator level.
  • Insecure Programs – Whether any programs are configured insecurely in a way that allows users to subvert intended restrictions.
  • Credentials Stored Insecurely – Using file analysis to identify whether any other access credentials are accessible on the system and whether they can be utilised in further attacks.
  • Authentication – Identifying any weaknesses in the authentication mechanisms, whether there are adequate access controls in place and whether accounts are adhering to a secure password policy.
  • Data in transit – Where agreed, we can monitor traffic within the remote sessions to identify any weaknesses in the transport security or identify other escalation opportunities.

In order to complete a Citrix test on a client’s environment, a scoping exercise will be performed;

Whilst ProCheckUp do not run exploits or tools which are designed to cause a Denial of Service (DoS) condition, the very nature of penetration testing means that unusual traffic may be sent across corporate networks which can, on occasion, affect network performance and availability. In the event of any severe degradation of service, ProCheckUp provide a direct line of communication with the consultant performing the test so that it can be paused/stopped instantly.

The diagram below illustrates the full methodology of a Citrix test.

Following a Citrix assessment, ProCheckUp will provide a detailed report via a secure transport mechanism to the agreed recipients. The report will follow the format presented in Section 4 of this document and will be authored at ProCheckUp’s New Oxford Street office in London.

Please contact us for more information on how ProCheckUp Citrix Breakout Services can help you.

Network Breakout/Pivoting

Why do you need a Network Breakout Assessment?

A more advanced version of red team testing exists called adversarial simulation. In this type of testing, consultants emulate real attackers and use their TTPs (techniques, tactics, and procedures) to gauge whether client security controls would identify and block realistic attacks. This type of testing may be prefaced with threat intelligence to identify the risks that face the client organisation.

A red team test differs from standard penetration testing: where a standard penetration test’s goal is to find and exploit vulnerabilities, a red team engagement ensures the security tools and the security operators are able to properly identify and respond to an attack.

Using years of experience and knowledge, as well as proven methodologies, ProCheckUp will identify security issues within the environment.

ProCheckUp follows the Bank of England’s methodology:


Background information is gathered on and from the target organisation. This stage will utilise the Threat Intelligence report produced by our approved Threat Intelligence Provider, Digital Shadows.


Based on the information gathered from reconnaissance activities, staging platforms will be implemented to emulate that of the agreed threat actors. This platform will be used as a base from which further simulated attacks against the target organisation are to be launched.


Using tactics, techniques and procedures similar to those of the agreed threat actors, identified vulnerabilities would be exploited to gain unauthorised access to the target. This will be performed to the level agreed in the scoping study and in line with the results of the risk assessment.

Control and Movement

Once a successful compromise has been performed, attempts to move from initial compromised systems to further vulnerable or high-value systems will be made. For example, this may consist of “hopping” between internal systems, continually reusing any increased access obtained, to eventually compromise agreed target systems.

Actions on Target

Gaining further access to compromised systems and acquiring access to previously agreed target information and data. Again, this phase will be performed based on the agreed scope and risk assessment, and approved by the target organisation.

Persistence and Egress

By mimicking the activities of an advanced attacker, persistent access to the network will be secured, and simulated exfiltration of staged data will be performed.

Staged data will be created in line with the risk assessment and approved by the target organisation before any action is taken.

Please contact us for more information on how ProCheckUp Network Breakout/Pivoting Services can help you.
