Unless you are in a large organization you are unlikely to have the budget for monthly internal red team/blue team exercises, but every company can benefit from a monthly cycle of vulnerability scans, phishing test emails, AD auditing and similar limited internal pentesting activities.
You will need approvals, but you can start with the tools mentioned above. Monthly vulnerability scans show how current your patching is on clients and servers. Once a scan identifies specific problems, engage the systems team to perform the patching and follow that up with a remediation scan.
The remediation scan verifies and signs off on the patching: if it shows those systems fully patched, you are done until next month, when the cycle begins again. Work through this as quickly as possible; you do not want remediation scans running into the next month's cycle. One caveat: a scanner's "patched" verdict is only as good as the credentials you give it, so run authenticated scans where you can, since an unauthenticated scan sees only what the host exposes over the network. For patching you can use WSUS, SCCM, SolarWinds or ManageEngine. For vulnerability scanning, some leading solutions are Nessus, Qualys and Nexpose.
Phishing test emails serve compliance, since many standards and regulators require them, but they are also a way to social engineer and train your own users on security best practices, and you can run reports on repeat offenders. Once a solution has been vetted and purchased, the security team should write an SOP and have management approve it before the system is deployed.
The SOP should cover how to respond to employees who fail a phishing test: do you contact the supervisor after the first failure or the third? Is the user emailed that they must retake the security awareness training videos? As a precaution, and to reinforce good practice, do you require them to reset the password on their AD account? These questions need to be answered BEFORE you start your phishing campaigns. Good vendors here are Wombat and KnowBe4.
AD auditing is a very useful monthly internal pentesting exercise. Most corporate networks are client/server based, and access to resources is granted by Active Directory Domain Services on a domain controller. Testing Active Directory for weaknesses gives you a good idea of how easily you could or could not be breached; either way you will understand your environment better and be in a much better position to defend it.
Things to check for include weak admin passwords, passwords set never to expire, and the absence of account lockout, especially on admin or privileged accounts. With no lockout threshold, an attacker can keep guessing passwords online (brute force or password spraying) without being throttled, and if they ever capture password hashes, a weak password falls quickly to offline cracking, including precomputed rainbow tables. Pentesting your own AD is a very useful exercise. Hyena is one tool for this, but there are others.
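As an added example (not part of the original post, and not Hyena's output), the following PowerShell script performs the attribute and policy side of the checks just listed with the RSAT ActiveDirectory module: the domain lockout and password policy, any fine-grained policies that override it, and privileged accounts whose passwords never expire, are not required, or have not been changed in a long time. It assumes a domain-joined host with read access to AD; the 180-day staleness threshold and the output file name are assumptions. Password strength itself cannot be judged from these attributes; that needs a separate, approved offline audit of the hashes.

```powershell
# Monthly AD password/lockout audit. Added example; assumes the RSAT ActiveDirectory module
# is installed and the account running it can read the domain.
Import-Module ActiveDirectory

# 1. Domain-wide lockout and password policy. LockoutThreshold = 0 means no lockout at all.
$policy = Get-ADDefaultDomainPasswordPolicy
[pscustomobject]@{
    LockoutThreshold  = $policy.LockoutThreshold
    LockoutDuration   = $policy.LockoutDuration
    MinPasswordLength = $policy.MinPasswordLength
    MaxPasswordAge    = $policy.MaxPasswordAge
    ComplexityEnabled = $policy.ComplexityEnabled
} | Format-List
if ($policy.LockoutThreshold -eq 0) {
    Write-Warning 'No account lockout threshold: online password guessing is not throttled.'
}

# Fine-grained password policies (PSOs) override the default for the groups they apply to,
# so list them before calling the default-policy result a finding for every account.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, LockoutThreshold, MinPasswordLength, AppliesTo

# 2. Privileged accounts: members of the built-in admin groups, resolved recursively.
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$privUsers = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user'
}
$privUsers = $privUsers | Sort-Object -Property distinguishedName -Unique

# 3. Per-account findings on the privileged set.
$staleDays = 180                         # assumed threshold; set to your own policy
$cutoff    = (Get-Date).AddDays(-$staleDays)
$findings = foreach ($u in $privUsers) {
    $acct = Get-ADUser -Identity $u.distinguishedName `
        -Properties PasswordNeverExpires, PasswordLastSet, PasswordNotRequired, LastLogonDate, Enabled
    $issues = @()
    if ($acct.PasswordNeverExpires) { $issues += 'PasswordNeverExpires' }
    if ($acct.PasswordNotRequired)  { $issues += 'PasswordNotRequired' }
    if (-not $acct.PasswordLastSet -or $acct.PasswordLastSet -lt $cutoff) { $issues += "PasswordOlderThan${staleDays}d" }
    if ($acct.Enabled -and $acct.LastLogonDate -and $acct.LastLogonDate -lt $cutoff) { $issues += 'NoRecentLogon' }
    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName  = $acct.SamAccountName
            Enabled         = $acct.Enabled
            PasswordLastSet = $acct.PasswordLastSet
            Issues          = ($issues -join ', ')
        }
    }
}

# 4. Domain-wide: every enabled account with a non-expiring password, privileged or not.
$neverExpires = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
    -Properties PasswordLastSet | Select-Object SamAccountName, PasswordLastSet

$findings | Sort-Object SamAccountName | Format-Table -AutoSize
"Enabled accounts with PasswordNeverExpires: $($neverExpires.Count)"
if ($findings) {
    $findings | Export-Csv -Path ".\ad-audit-$(Get-Date -Format yyyy-MM).csv" -NoTypeInformation
}
```

Run it from the same host each month and diff the CSV against last month's: a privileged account that newly appears with PasswordNeverExpires is exactly the kind of drift this process is meant to catch.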
Network access should be controlled and tested. First, are there live, unused network ports in your offices where anyone can plug in a laptop with an ethernet cable and get onto the network? This should be avoided at all costs: unused ports should be disabled or, at minimum, placed on a guest VLAN. Conference rooms, guest offices, guest areas and reception areas should sit on a segmented guest VLAN that has zero access to the internal domain. A laptop and an ethernet cable are all you need to test this.
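As an added example (not from the original post), this PowerShell script is what you would run on that laptop after plugging it into a conference-room or reception port. It reports the address the port handed out, checks whether guest DNS resolves internal names, and attempts TCP connections to a few internal services that a guest VLAN should never reach; the internal host names, addresses and ports are assumptions to replace with your own domain controller and file server. Every internal target should come back closed or filtered, and only the internet check should succeed.

```powershell
# Guest VLAN segmentation check. Added example; host names and ports below are assumptions.
$internalTargets = @(
    @{ Host = 'dc01.corp.example'; Ports = @(88, 389, 445) }   # Kerberos, LDAP, SMB on a DC
    @{ Host = 'fs01.corp.example'; Ports = @(445) }            # file server
    @{ Host = '10.0.0.1';          Ports = @(22, 443) }        # switch/management interface, by IP
)
$internetHost = 'www.example.com'                              # assumed reachable from the guest VLAN
$timeoutMs    = 2000

# TcpClient with an explicit timeout, so a filtered port does not stall the run for a minute.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # no answer: filtered
        $client.EndConnect($async)   # throws if refused or if the name did not resolve
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# 1. What did the port give us? A lease from an internal range is a finding by itself.
Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.InterfaceAlias -notmatch 'Loopback' } |
    Select-Object InterfaceAlias, IPAddress, PrefixLength | Format-Table -AutoSize

# 2. Guest DNS should not resolve internal names at all.
foreach ($t in $internalTargets) {
    if ($t.Host -notmatch '^\d+\.\d+\.\d+\.\d+$') {
        if (Resolve-DnsName -Name $t.Host -ErrorAction SilentlyContinue) {
            Write-Warning "Guest DNS resolves internal name $($t.Host)"
        }
    }
}

# 3. Reachability of internal services; anything OPEN is a segmentation failure.
$violations = @()
foreach ($t in $internalTargets) {
    foreach ($p in $t.Ports) {
        $open = Test-TcpPort -Target $t.Host -Port $p -TimeoutMs $timeoutMs
        $state = if ($open) { 'OPEN  <-- segmentation failure' } else { 'closed/filtered (expected)' }
        '{0,-22} {1,5}  {2}' -f $t.Host, $p, $state
        if ($open) { $violations += "$($t.Host):$p" }
    }
}

# 4. The guest VLAN should still reach the internet, otherwise the test port may just be dead.
"Internet reachable from this port: $(Test-TcpPort -Target $internetHost -Port 443 -TimeoutMs $timeoutMs)"
if ($violations.Count -gt 0) {
    Write-Warning "Guest VLAN can reach internal services: $($violations -join ', ')"
} else {
    'No internal services reachable from this port.'
}
```

Record the switch port and room for each run; a port that was fine last month and reaches the DC this month usually means someone moved a patch cable in the wiring closet.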
Testing for rogue wireless networks is also useful. Enterprise-grade solutions can be quite expensive, but in a small to mid-sized environment you can install NetSpot on a laptop and walk the building when you are bored on a Friday. Otherwise you will need to purchase an enterprise-grade product.
If you share a building with other companies, there is a good chance you will pick up some of their networks, and wireless printers and cell phone hotspots will invariably show up too, so filter these out when you analyse the results. Have the network team give you the make, model number, serial number, SSID and BSSID (the radio's MAC address) of your WAPs so you can validate that the networks detected are legitimate. Match on BSSID rather than SSID alone: an SSID is just a name, and an attacker's access point can broadcast yours.
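As an added example (not from the original post, and not NetSpot's own reporting), the following PowerShell script parses the output of the built-in `netsh wlan show networks mode=bssid` command, drops the usual noise SSIDs, and compares every BSSID seen against the inventory the network team provided. The inventory entries, the ignore pattern and the sample survey text are constructed for illustration; swap in the live netsh output when you walk the floor.

```powershell
# Rogue AP survey check. Added example; inventory, SSIDs and the sample survey are constructed.

# Inventory from the network team: one BSSID per radio, plus the SSID it should carry.
$inventory = @(
    @{ SSID = 'CorpWifi'; BSSID = 'aa:bb:cc:dd:ee:01'; Location = 'Floor 2 east' }
    @{ SSID = 'CorpWifi'; BSSID = 'aa:bb:cc:dd:ee:02'; Location = 'Floor 2 west' }
    @{ SSID = 'Guest';    BSSID = 'aa:bb:cc:dd:ee:03'; Location = 'Reception' }
)
# Noise you do not own (Wi-Fi Direct printers, phone hotspots); extend as you learn your building.
$ignoreSsidPattern = '^(DIRECT-|HP-Print|AndroidAP|iPhone)'

# Turn netsh's indented text into SSID/BSSID pairs.
function ConvertFrom-NetshSurvey {
    param([string[]]$Lines)
    $ssid = $null
    foreach ($line in $Lines) {
        if ($line -match '^SSID\s+\d+\s+:\s*(.*)$') { $ssid = $Matches[1].Trim(); continue }
        if ($line -match '^\s+BSSID\s+\d+\s+:\s*([0-9a-f:]{17})') {
            [pscustomobject]@{ SSID = $ssid; BSSID = $Matches[1].ToLower() }
        }
    }
}

# Constructed sample in netsh's layout. For a live run use:
#   $survey = ConvertFrom-NetshSurvey (netsh wlan show networks mode=bssid)
$sample = @'
SSID 1 : CorpWifi
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : aa:bb:cc:dd:ee:01
         Signal             : 80%
    BSSID 2                 : 12:34:56:78:9a:bc
         Signal             : 45%
SSID 2 : Guest
    BSSID 1                 : aa:bb:cc:dd:ee:03
SSID 3 : HP-Print-21-Officejet
    BSSID 1                 : 00:11:22:33:44:55
SSID 4 : FreeOfficeWifi
    BSSID 1                 : de:ad:be:ef:00:01
'@ -split "`r?`n"
$survey = ConvertFrom-NetshSurvey $sample

$known = @{}
foreach ($ap in $inventory) { $known[$ap.BSSID.ToLower()] = $ap }

foreach ($seen in $survey) {
    if ($seen.SSID -match $ignoreSsidPattern) { continue }
    $match = $known[$seen.BSSID]
    if ($match -and $match.SSID -eq $seen.SSID) {
        $verdict = "OK ($($match.Location))"
    } elseif ($match) {
        $verdict = "KNOWN RADIO, UNEXPECTED SSID (inventory says '$($match.SSID)')"
    } elseif ($inventory.SSID -contains $seen.SSID) {
        $verdict = 'ROGUE: our SSID from an unknown BSSID (possible evil twin)'
    } else {
        $verdict = 'UNKNOWN: neighbour or rogue, verify on site'
    }
    '{0,-25} {1}  {2}' -f $seen.SSID, $seen.BSSID, $verdict
}
```

With the sample above, the second CorpWifi radio (12:34:56:78:9a:bc) is flagged as a possible evil twin because it broadcasts your SSID but is not in the inventory, the printer is filtered out, and FreeOfficeWifi is left for you to check in person; signal strength from netsh or NetSpot tells you which direction to walk.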
You can also run DumpSec, a Windows-based tool that connects to a Windows system remotely and dumps user account information and share permissions.
If you are a member of the internal security team, a simple email from the CISO/ISO/CIO/CTO/IT Director will suffice as authorization, but plan the work carefully and notify the systems and network teams beforehand in case there are any issues.
Unless you work for a very large organization you won't have the budget or headcount for monthly internal red team/blue team exercises, but every company can benefit from the security team running monthly internal pentesting activities of the kind described here.
Have fun and enjoy Ethical Hacking!