Tales From the Road: An External Pen Test Reveals the Dangers of the Dark Web

An external penetration testing engagement with a healthcare organization revealed the importance of simple security measures against the darkest of intent.

A recent external pen test engagement with a longtime client of ours, a prominent healthcare organization, proved the importance of well-performed reconnaissance and information gathering. A data breach can be devastating, and many individuals’ personal information is at risk at a healthcare organization.

This organization already had several recurring security issues we were familiar with, and our deeper understanding of their security posture and threat vectors gave us a head start. Our consultant used the approach we rely on at DirectDefense: thinking like an attacker.

This post details our consultant’s experience with this engagement and what it demonstrates about the importance of reconnaissance and information gathering when performing an external pen test. Spoiler: get ready to explore the dark web.

Outsmarting an Attacker by Thinking Like One

While our five-year partnership with this client gives our team insider knowledge of its ongoing security issues and concerns, we’re always mindful that it can also cloud our judgment. With each engagement, even with long-term clients, we start with a fresh perspective and conduct robust reconnaissance and information gathering while adopting the mindset of an attacker.

When you think like an attacker, you can more easily uncover how a bad actor identifies and compromises an organization’s security vulnerabilities. Our goal is to close any weakness that is open to exploitation, and adopting an attacker’s mindset lets us beat them at their own game.

Starting with the client’s domain, our consultant set to work finding out everything they could about this organization. During this discovery phase, our consultant decided it was necessary to do a dark web scan for potentially breached company information. Dark web monitoring has become more important for companies across industries, which is one reason why DirectDefense invested in a dark web intel service almost a year ago. As a Managed Detection and Response (MDR) company and MSSP, we hold the power of monitoring in high regard.

The sooner you know about a threat, the sooner you can stop it, and we may have gotten there just in time for this client.

Shining a Light on the Compromised Data in the Dark Web 

During the quest through the dark web (not exactly a fun stroll), our consultant and intel team found what they were looking for: compromised employee and customer credentials. But it wasn’t your run-of-the-mill case of weak passwords; these credentials had been harvested by malware running on the devices people used to log in to the organization’s healthcare portal.

Enter the info-stealer logs, a treasure trove for cyber crooks specializing in initial access schemes. These bad actors deploy malware worldwide to snatch credentials and sensitive data, ready to sell or pass on to their shady associates.

After purchasing credentials belonging to one of the client’s doctors, our consultant used them to log in to the healthcare portal. With no multi-factor authentication (MFA) in sight, they waltzed right in, gaining access to organizational data and a heap of protected health information (PHI). These data breaches are of particular concern for healthcare organizations that hold this type of highly sensitive and confidential information. While not every dark web credential was a winner, even one successful entry poses a serious risk to an organization and those it serves.

Amidst our exploration, we uncovered a few more cracks in the armor, but the compromised credentials and MFA absence were the glaring weak spots.

Next, it was time to make remediation recommendations.

Closing Up the Two Biggest Gaps

After the extensive external pen test, our focus zeroed in on two primary threat vectors: compromised credentials and the lack of MFA. Together, these weaknesses create a gateway for bad actors to access sensitive data. Sadly, this tandem threat isn’t uncommon; compromised credentials rank high among the leading causes of ransomware incidents. Thankfully, DirectDefense is adept at monitoring and mitigating these threats.

Here are our specific recommendations for any company hoping to defend against these kinds of breaches and malicious attacks:

Multi-Factor Authentication

Our top recommendation is to enforce MFA for external access to critical systems. This extra layer of security can foil attempts by malicious actors, especially in the wake of phishing or third-party breaches.

Dark Web Monitoring and Response

A proactive dark web monitoring system is crucial for identifying and addressing exposures such as compromised credentials. Regular scans across dark web platforms can catch wind of any leaked company data, facilitating prompt incident response, forced password resets, and a check of which affected accounts still lack MFA.
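Finding the credentials is only half the job; the response step is matching what the feed returns against your own accounts and deciding who gets reset, who gets MFA enforced, and which hits are customers rather than staff. The script below is an added example, not DirectDefense’s monitoring tooling or anything from the engagement. The `url:user:pass` record layout, the `example-health.org` hostnames and the staff directory are all constructed for the demonstration; real info-stealer dumps come in many layouts. Note that the plaintext password is hashed immediately and only a truncated fingerprint is kept for de-duplication, so the triage output never carries the leaked secret around.

```python
"""Triage leaked credentials from a dark web feed against an org's accounts.

Added example, not DirectDefense's monitoring tooling. The 'url:user:pass'
record layout, the hostnames and every account below are constructed.
"""
import hashlib
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed feed: what a monitoring service might hand back after a hit.
LEAK_SAMPLE = """\
https://portal.example-health.org/login:dr.jane@example-health.org:Winter2023!
https://portal.example-health.org/login:patient1234@gmail.com:hunter2
https://mail.example-health.org/owa:Bob.Smith@example-health.org:P@ssw0rd
https://shop.unrelated.example/account:someone@else.example:qwerty
https://portal.example-health.org/login:dr.jane@example-health.org:Winter2023!
"""

# Constructed staff directory with MFA enrolment status (assumption).
ACCOUNTS = {
    "dr.jane@example-health.org": {"active": True, "mfa": False},
    "bob.smith@example-health.org": {"active": True, "mfa": True},
    "old.user@example-health.org": {"active": False, "mfa": False},
}

ORG_DOMAINS = {"example-health.org"}


@dataclass(frozen=True)
class LeakedCred:
    host: str
    username: str
    pw_fingerprint: str  # truncated SHA-256; the plaintext is never retained


def parse_record(line):
    """Parse 'url:user:pass'. Splitting from the right keeps the URL's own
    colons intact; a password containing ':' would still be mis-split, which
    is a known limit of this constructed format."""
    try:
        url, user, password = line.strip().rsplit(":", 2)
    except ValueError:
        return None
    host = (urlsplit(url).hostname or "").lower()
    fp = hashlib.sha256(password.encode()).hexdigest()[:16]
    return LeakedCred(host, user.lower(), fp)


def in_scope(cred, domains):
    """A record matters if the login target or the account belongs to us."""
    user_domain = cred.username.rsplit("@", 1)[-1] if "@" in cred.username else ""
    host_hit = any(cred.host == d or cred.host.endswith("." + d) for d in domains)
    return user_domain in domains or host_hit


def triage(leak_text, accounts=ACCOUNTS, domains=ORG_DOMAINS):
    """Return (username, host, action) for each unique in-scope record."""
    seen, actions = set(), []
    for line in leak_text.splitlines():
        cred = parse_record(line)
        if cred is None or cred in seen or not in_scope(cred, domains):
            continue
        seen.add(cred)
        acct = accounts.get(cred.username)
        if acct is None:
            action = "customer_reset"  # portal user outside the staff directory
        elif not acct["active"]:
            action = "confirm_disabled"
        elif not acct["mfa"]:
            action = "force_reset_enforce_mfa"  # the gap exploited in this engagement
        else:
            action = "force_reset"  # MFA limits, but does not remove, the exposure
        actions.append((cred.username, cred.host, action))
    return actions


if __name__ == "__main__":
    for username, host, action in triage(LEAK_SAMPLE):
        print(f"{action:<24} {username} via {host}")
```

Run on the sample, the doctor’s account comes out as `force_reset_enforce_mfa`, the Gmail address that was used on the patient portal is flagged as a customer notification rather than a staff reset, the account that already has MFA still gets a reset, the unrelated shop credential is ignored, and the repeated record is counted once. Feeding the script real monitoring output means only swapping `parse_record` for the feed’s actual layout.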

Patch Maintenance

It’s always a good time to reassess your patch management solutions and processes. Regularly applying patches to operating systems and third-party software closes known vulnerabilities before an attacker can use them. Remember to keep all systems and software on vendor-supported versions so that security fixes keep arriving.

Combine Dark Web Monitoring with Critical Security Measures

This engagement underscores the critical need for dark web monitoring, especially for organizations like healthcare providers entrusted with a significant amount of PHI. When DirectDefense stumbled upon the client’s compromised credentials on the dark web, thankfully, they were freshly posted, making it easier to reverse course. However, the longer these credentials linger in the shadows, the greater the risk of exploitation, such as credential stuffing. Employing a dark web monitoring service allows organizations to stay vigilant against compromised information around the clock.

Yet, dark web monitoring alone won’t suffice for this healthcare entity.

Implementing Multi-Factor Authentication (MFA) is a straightforward yet impactful measure to bolster security. While not foolproof (our consultants have found ways around MFA in other engagements), it’s a significant hurdle for malicious actors. Coupled with strategic vulnerability management and patching, MFA is a formidable defense.

This external pen test shed light on the invaluable role of reconnaissance and information gathering. These tactics are proactive measures to identify and mitigate threats before they escalate, safeguarding private information from malicious intent. By adopting the attacker’s mindset and harnessing reconnaissance for good, organizations can stay one step ahead of potential breaches.

Get Started with Your Free Reconnaissance and Information Gathering Service

For a limited time, DirectDefense is offering a free reconnaissance and information gathering service to new clients. Our team of experts will delve deep to identify potential vulnerabilities before they can be exploited.
