Guide to Modern Penetration Testing [Part 1]: Two Extreme Cases
List of Related Blog Posts:
- Part 1. Guide to Modern Penetration Testing: Two Extreme Cases
- Part 2. Guide to Modern Penetration Testing: Choose Your Box
- Part 3. Guide to Modern Penetration Testing: A Digital Adventure
Infopulse starts a series of cybersecurity posts dedicated to the art and science of penetration testing.
In this blog post, we will demonstrate the viability of both existing pentest standards and innovative approaches. We will also illustrate the importance of preparing for penetration testing, including the development of pentest design specifications (Rules of Engagement).
Disclaimer. The stories and examples presented in the article below feature practical aspects of applying different modes of penetration testing, drawn from Infopulse's own experience and best practices.
The Basic Uncertainty of Pentesting
IT security management on a project and process basis stands out from the other areas of IT engineering and management. The core differences lie in the necessity to do the following:
- To evaluate and process abstract undetermined values, e.g., values related to possible future events or security risks;
- To formalize these uncertainties and operate them to make decisions;
- To establish a high level of credibility with a customer, learn intensively and educate the customer.
Penetration testing is no exception from these rules.
Pentest as a service is a research activity whose results are unknown in advance. Hence, it features many unknown values and challenges. First, the goals and tasks must be set up correctly. Then, we assess the degree to which these objectives are achieved, as well as the quality of their achievement. The hardest challenges are to anticipate the complexity of the work, to foresee how labor-intensive it will be, and, as a result, to estimate the final budget.
In other words, it is very difficult to predict how pentesting will proceed, which target object tests will be executed, how complex and time-consuming they will be, and what results will be obtained.
A common practice among freelance pentesting specialists is to calculate their rates based on the customer's size, budget, and other irrelevant assumptions rather than on the expected business value of the pentest results. At the same time, large IT service companies have flexible contract engagements, including SLA, fixed price, Time-and-Material, and other models, which are much more accurate and precise in terms of budget and final results.
The subtle difference here lies in measuring the intensity of labor. Like any other service, pentesting should be estimated in advance, most importantly to coordinate the terms with the customer and allocate a budget for these services.
Estimating the Inestimable
There are several methods to estimate pentest workload. In most cases, previous service experience dominates over any other estimation.
Here lies the biggest mistake: experience may vary from one pentester to another, as well as from one project to another.
We do not pretend to formalize all the methods of estimation in this article. Instead, we will demonstrate which factors may affect pentesting processes, and why it might be hard to select one, using the example of two polar methods commonly used together in pentest service project planning: Checklists and Red Teaming. We shall assume that it is possible to identify two ideal extreme cases, i.e., two opposite approaches to planning a penetration test project.
Now, let’s play a pentesting game, accompanied with methods of mathematical analysis.
Pentests: Check, but no Mate
Checklists are based on up-front planning of work scope while limiting the freedom and creativity of a pentester. While the latter may (not) be a drawback, checklists are all about planning the pentest as a predefined set of tests, according to OWASP Testing Guide or EC-Council methodology.
Some customers select this approach because it is compelling in being rather straightforward and simple. This makes it easy to generate security assessment reports. Upon conducting a specific set of tests, the client receives evidence of the success or failure of each penetration attempt. Thus, one can easily establish the baseline for the project report, making it relatively easy to determine labor intensity and, hence, calculate the project costs.
The core issue here is that pentests are always limited in timeframes, tempting (and forcing) pentesters to record a negative result for a difficult test vector. This temptation grows dramatically, especially when the pentesters’ remuneration does not depend on the fact of penetration.
Possible drawbacks: in the end, the checklist results may turn out to be very far from reality. A pentest, by definition, is an imitation of a cybercriminal's actions. Within constricted timeframes, the cybersecurity expert cannot afford to go through all the tests one by one. Instead, the expert is forced to test only those areas that could most probably bring a striking, clear result: penetration. It is the specialist's experience that is most instrumental in choosing the target areas.
Conclusion: Ideally, penetration testing should be a combination of technology and art. The challenges and drawbacks of the checklist approach listed above show that following a predefined pentesting strategy may be harmful to enterprise security. Pentesting requires improvisation, and stepping away from the defined processes could be crucial for the pentesting results. We will return to this matter in the third part of our blog.
Now, we are gradually getting down to the second approach.
Red Teaming: Capture the Flaw
The Red Teaming approach is not a mere remote attack on the network with the help of zero-day exploits distributed on the black markets of the Darknet. As the most realistic mode of penetration testing, the Red Teaming approach brings forward the pentesters' creative freedom along with their high motivation and good reputation.
Red Teaming combines digital methods and means with all the others used in real life: bribing staff, physical penetration into the customer's office (through employment), and even physical, biochemical, or psychological methods of influencing company personnel, etc.
The Red Teaming approach closely follows the real hacking market. High-level cybercrime, industrial espionage, and state intelligence institutions use similar approaches, including preparations for Advanced Persistent Threat (APT) attacks.
The ultimate manifestation of this approach is a “Guaranteed Penetration”, which resembles the real attack of a hacker. The main differentiating factors are the price and the amount of damage.
During negotiations with the customer and before making the deal, the pentester would estimate the value of the customer's assets (e.g., $1-10Mln). The pentester will analyze the existing protection at his own expense and will come up with a share amount (e.g., 5-10% of the asset value). On these conditions, the pentester would demonstrate to the business the ways to compromise or steal these assets for real, thus conducting a guaranteed penetration of the customer's cyber defenses. The compromise or theft could also be simulated to verify the penetration model, but still, it is much better to discover the flaws in the defenses before the real hackers do.
Possible drawbacks: Red Teaming and “Guaranteed Penetration” bring forward a set of problems associated with trusting the pentester and high probability of privacy or psychological issues. The normal operation of the business can be disrupted during the pentest. Therefore, Red Teaming is used less often than ordinary pentests, and a “guaranteed penetration” in its pure form is applied extremely rarely.
Conclusion: real penetration is more of a game and an investment activity than a fixed-price service. A hacker could spend an unlimited amount of effort, resources, and time on attack preparation and get much more out of this "investment". If a pentester understands that he could take the risk of not penetrating the asset, he offers a pricing model based on the possible penetration results, e.g., a bonus for successful penetration. In some cases, only a successful penetration is considered a real result to be paid for. As for Red Teaming, the price and the findings of pentesting remain under the control of the targeted company.
How to Select the Right Pentesting Approach?
Combining various approaches helps to bypass most of the challenges and uncertainties described in this blog post. Before the testing begins, all possible threats, attack vectors, and methods should be documented in as much detail as possible. This need not be a testing checklist, but some form of component or threat priority list. At the same time, the pentesters will have creative freedom in their actions, the ability to utilize past experience, and the ability to model the cybercriminal's reasoning within strict timing conditions.
As for some specific dangerous tests utilized during Red Teaming, it is extremely important to define red lines, so that the customer suffers no real damage as a result.
Now that we’ve discussed some basics, in the next part of our story, we’ll discuss the importance of pentesting “color” – jokes aside! We will also have a look at how pentests are planned in real life.