Designing a VA/Pentest system

Hey everyone,

Our enterprise is currently in the process of designing a VA/Pentest system for use on its own networks. Historically we’ve used a standard Windows host with a Kali VM, Nessus and a smattering of other tools. Our team had no real oversight and was able to modify the toolset to our needs. This was great for keeping up with industry standards and ensuring we had the “right tool for the right job”. The “engineers” involved in creating this new system are attempting to make it NIST compliant. This is due to a risk-based approach to the use of the system.

Having tested their beta product, many features that should be available are blocked… we can’t even perform simple operations such as opening a port with the Python http module. Further controls, such as USB whitelisting and application whitelisting (not controlled by the analyst), are hindrances to performing a VA/Pentest. We also anticipate massive lag times of 6-8 months between version updates for this system, which is a serious issue.

Is there anyone currently in industry who can share their enterprise’s approach to creating a system for this purpose? My thoughts are that the system should emulate that of an attacker and not bring into question whether something you are doing is being blocked by controls on the system under assessment or just by the laptop you’re using to assess the system. The risk is mitigated by the short time the laptop is connected for the assessment and the fact that it is freshly imaged prior to an engagement and wiped following it.

Thanks in advance for any feedback.