Wednesday, 26 June 2013

Skybox - How Skybox (Risk Control) can be used in a Pentest Engagement

So I went for a 3-day Skybox training to learn the fundamental uses of the product and I kinda liked it, and although Skybox is meant to be used as an 'in house' product, it can be used for pentesting engagements.

Basically there are five components in Skybox:
1) Firewall Assurance
     - http://www.skyboxsecurity.com/products/firewall-assurance
2) Network Assurance
     - http://www.skyboxsecurity.com/products/network-assurance
3) Risk Control
     - http://www.skyboxsecurity.com/products/risk-control
4) Threat Manager
     - http://www.skyboxsecurity.com/products/threat-manager
5) Change Manager
     - http://www.skyboxsecurity.com/products/changemanager

In this article, I will focus on the Risk Control component and how it can be used within a penetration testing scope. I will be using a demo model from my training to illustrate the cool stuff Risk Control can do.

Note: The demo model was provided to me during the training. As it was a brief introduction to Skybox, there was no time for practical lessons on how to create a model from scratch, input information such as vulnerabilities, hosts, etc., and map it out into an architecture.

Once I loaded the model, the first thing I saw was the list of vulnerabilities in the whole organization's network.



Finding Information

One of the features that I liked was how easy it is to find the information I want; for example, if I want to find how many Critical vulnerabilities there are:




If I want to find a list of hosts with the name "app_0_db":



By default it won't show the Vulnerabilities tab, so we need to customize the window to view it.




Vulnerabilities Analysis

To view the details of a vulnerability, the General tab provides lots of information about it.



It also shows the CVSS score of the vulnerability.


Creating an Attacker

Let's create a virtual hacker/attacker located on the Internet. This attacker will then be used to simulate the attacks later.



After creating the virtual attacker, we analyze its exposure, i.e. what the possible targets of the attacker are.





Simulating the Attack

Now that we have analyzed the exposure, it's time to explore the attack.



After the analysis, we will see the kinds of targets, the description of the attack, and the Risk level.

To view a simulated attack, choose a Target and click 'Attack Explorer'.


From the above simulated attack, we can see how the attack was done: the vulnerabilities used, the steps of the attack, the ports used and the hosts that were attacked.

How can this integrate into a Penetration Testing Engagement

The Risk Control component of Skybox can be used to illustrate attacks and simulate hacking scenarios based on the live environment or on 'What If' scenarios, without touching the actual production environment. With this, it is easier for pentesters to then perform a POC of the attack to confirm that the penetration is actually possible. This would be useful for client organizations that want an engagement but are very afraid that it could lead to a DoS or service failures.
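As an added illustration (not Skybox code and not the training demo model), here is a small Python model of the exposure analysis, attack path and What-If scenario described above: a virtual attacker starts in one zone, a firewall policy governs traffic between zones, and hosts expose CVSS-scored vulnerabilities. All host names, zones, vulnerability ids, rules and the exploitability threshold are constructed assumptions.

```python
from collections import deque

# Constructed demo model (not the Skybox training model): each host sits in a
# zone and exposes vulnerabilities as (placeholder id, port, CVSS base score).
HOSTS = {
    "web_01":   {"zone": "dmz",      "vulns": [("VULN-A", 443, 9.8)]},
    "app_0_db": {"zone": "internal", "vulns": [("VULN-B", 1433, 7.5)]},
    "hr_fs":    {"zone": "internal", "vulns": [("VULN-C", 445, 8.8)]},
    "mgmt_01":  {"zone": "mgmt",     "vulns": [("VULN-D", 22, 9.0)]},
}
# Firewall policy as (source zone, destination zone, permitted ports); anything
# not listed is denied. Traffic within a single zone is assumed unfiltered.
FW_RULES = [
    ("internet", "dmz", {80, 443}),
    ("dmz", "internal", {1433}),
]

def permitted(src_zone, dst_zone, port):
    """True if the modelled firewall policy lets src_zone reach dst_zone on port."""
    if src_zone == dst_zone:
        return True
    return any(s == src_zone and d == dst_zone and port in ports
               for s, d, ports in FW_RULES)

def exposure(attacker_zone, min_cvss=7.0, patched=()):
    """Exposure analysis for a virtual attacker starting in attacker_zone: returns
    {host: attack path}, each step (host, vuln id, port), shortest in hops (BFS).
    Assumptions: a vulnerability is exploitable only if CVSS >= min_cvss and its
    id is not in `patched` (the What-If case); owning a host yields its zone."""
    paths = {}
    queue = deque([(attacker_zone, [])])
    seen_zones = {attacker_zone}
    while queue:
        zone, path = queue.popleft()
        for host, info in HOSTS.items():
            if host in paths:
                continue
            for vuln_id, port, cvss in info["vulns"]:
                if (cvss >= min_cvss and vuln_id not in patched
                        and permitted(zone, info["zone"], port)):
                    paths[host] = path + [(host, vuln_id, port)]
                    if info["zone"] not in seen_zones:
                        seen_zones.add(info["zone"])
                        queue.append((info["zone"], paths[host]))
                    break
    return paths

if __name__ == "__main__":
    for host, path in exposure("internet").items():
        print(host, "<-", " -> ".join(f"{h}:{p} ({v})" for h, v, p in path))
```

Running `exposure("internet", patched={"VULN-B"})` is the What-If check: once the medium-severity pivot on app_0_db is patched, the whole internal zone drops out of the attacker's reach, which is exactly the kind of evidence a client can act on before any live POC.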

The Disadvantage

1) While finding information and simulating attacks is fun and cool, one needs to do a LOT of work to get the initial config files and scanned host files, model them in Skybox and organize it all to produce an output like this:


Only personnel with extensive experience in designing the network layout would get the full advantage of using Skybox.



2) While this component is very good and useful, the downside is: how many clients would actually hand over all their switch, IPS/IDS and firewall configurations to an external penetration testing company? Skybox is only useful for a proper security/network architecture analysis when it is fed all the necessary config files. Without them, we can't make full use of Skybox's capabilities.
