topic Re: How to highlight a Pen-Tester's IP? in Open Q&A

How to highlight a Pen-Tester's IP?

AntonioSousa — Wed, 05 Jul 2023 07:11:31 GMT

I have had several cases where pen-testing has disrupted monitoring, creating problems that have to be diagnosed and traced back to the user. I have compiled a series of ways of dealing with these issues, including Request Attributes for client IP, MDAs that track those users, maintenance windows, and other tricks. I had the idea to convert some of this data into Problems, but then again, I want to reduce them, not make some more. I have also been considering using custom annotations to highlight these cases in the UI, but have not yet implemented anything.

I believe a lot of you have dealt with this issue. What type of tricks do you have to deal with allowed pen-testers?

Re: How to highlight a Pen-Tester's IP?

chris_v — Wed, 05 Jul 2023 05:42:35 GMT

Sounds like I do most of that, the only thing I'll add is. I use web request naming (a global rule) to rename all requests with the testers IP (a server side request attribute), as (in my case) "Nessus Scan", and then mute that request.

So the testing does not interfere with any real users data going to the normally named web requests, and being muted doesn't raise problems.

added benefit of not filling Dynatraces database with high cardinality data that's full of random characters and invalid paths etc.

Re: How to highlight a Pen-Tester's IP?

AntonPineiro — Wed, 05 Jul 2023 06:49:03 GMT

Hi,

Combination of specific HTTP headers and request attributes. It means, what you see in the documentation.

Best regards

Re: How to highlight a Pen-Tester's IP?

AntonioSousa — Wed, 05 Jul 2023 18:34:28 GMT

@chris_v,

This is an excellent suggestion! I only have one issue here, and that is that you might block other valid requests in the /24 subnet. How do you deal with this?

Re: How to highlight a Pen-Tester's IP?

chris_v — Thu, 06 Jul 2023 00:04:03 GMT

In this use case the permitted testing is run internally, so we can use the full unmasked private IPs, we're only masking public IPs.

The request attribute rule currently has 4 data source rules each a unique IP.

@AntonPineiro suggests some header info. that may be a usable option depending if the testing tools make themselves known that way. Nessus/Tenable from what I've seen often - but not always - includes an identifiable mark in the requests made (e.g. it'll be in the URL and/or user agent). and of course if you can control the requests being made, you can ensure a header is added for identification.

Re: How to highlight a Pen-Tester's IP?

DanielS — Thu, 06 Jul 2023 00:44:33 GMT

👏👏👏👏👏👏👏👏👏

Re: How to highlight a Pen-Tester's IP?

AntonioSousa — Thu, 06 Jul 2023 07:49:16 GMT

@chris_v,

In my case they are masquerading as real browsers, because of browser rules being implemented, but it's another good idea.