Ready or not, here I come, you can’t hide
In recent years, penetration testing services have gained a rightful place in the information security market. Despite some minor issues in this branch of security assessment connected to specific aspects of terminology, methodology, technology, marketing and management, pentests are widely regarded as one of the most important cybersecurity measures, required for proper protection against cyberthreats.
Infopulse starts a series of cybersecurity posts dedicated to the art and science of penetration testing.
In the first part of our blog post, we will demonstrate the viability of both existing pentest standards and innovative approaches. We will also illustrate the importance of preparing for penetration testing, including the development of pentest design specifications (Rules of Engagement).
Disclaimer. Stories and examples presented in the article below feature practical aspects of applying different modes of penetration testing from Infopulse's own experience and best practices.
The Basic Uncertainty of Pentesting
Information security management on a project and process basis stands out from other areas of IT engineering and management. The core differences lie in the necessity to do the following:
- To evaluate and process abstract undetermined values, e.g., values related to possible future events or security risks;
- To formalize these uncertainties and operate them to make decisions;
- To establish a high level of credibility with a customer, learn intensively and educate the customer.
Penetration testing is no exception from this rule.
Pentest as a service is a research activity whose results are unknown in advance. Hence, it features lots of unknown values and challenges. First, the objectives and tasks should be set up correctly. Then, you will need to assess the degree to which these objectives are achieved, as well as the quality of their achievement. The last and hardest challenges are to anticipate the complexity of the work, foresee how labor-intensive it will be, and consequently determine the final budget.
In other words, it is very difficult to predict how pentesting will proceed, which tests will be executed against the target object, how complex and time-consuming they will be, and what results will be obtained.
A common practice among freelance pentesting specialists is to calculate their rates based on the customer's size, budget and other irrelevant assumptions rather than on the expected business value of the pentest results. At the same time, large IT service companies have flexible contract engagements, including SLA, fixed price, Time-and-Material and other models, which are much more accurate and precise in terms of budget and final results.
The secret here lies in measuring the intensity of labor. Like any other service, pentesting should be estimated in advance, most importantly to agree the terms with the customer and allocate a budget for these services.
Estimating the Inestimable
There are several methods to estimate pentest workload. In most cases, previous service experience dominates over any other estimation.
Here is the biggest mistake: experience varies from one pentester to another, as well as from one project to another.
We do not pretend to formalize methods of estimation in this article. Instead, we will separate and show two polar considerations, commonly used together in pentest service planning: Checklists and Red Teaming. We shall assume that it is possible to identify two ideal extreme cases, i.e., two opposite approaches to penetration test project planning.
Now, let’s play a pentesting game, accompanied with methods of mathematical analysis.
Pentests: Check, but no Mate
Checklists involve up-front planning of the work scope while limiting the freedom and creativity of a pentester. While the latter may or may not be a drawback, checklists are all about planning the pentest as a predefined set of tests, according to   or   methodology.
Some customers select this approach because it is compelling in being rather straightforward and simple. With this approach, it is quite easy to generate security assessment reports. Upon performing a certain set of tests, the client receives evidence of the success or failure of each penetration attempt. Thus, you can easily establish the baseline for the project report, which also makes it relatively simple to determine the labor intensity and, hence, to calculate the project costs.
The core problem here is that pentests are always limited in time, tempting (and forcing) pentesters to record a negative result for a difficult test vector. This temptation grows dramatically when the pentesters' remuneration does not depend on whether penetration is achieved.
Possible drawbacks: in the end, the checklist results may turn out to be very far from reality. The core problem is that a pentest, by definition, is an imitation of the cybercriminal's actions. With constrained timeframes, the cybersecurity expert cannot go through all the tests one by one. Instead, the expert is forced to test only those areas that are most likely to bring a striking, clear result: penetration. The choice of target areas is based mainly on the specialists' experience.
Conclusion: real penetration testing is more of an art than a technology.
And now we are gradually getting down to the second approach.
Red Teaming: Capture the Flaw
The Red Teaming approach is not a mere remote attack on the network with the help of zero-day exploits, freely sold and bought on the black markets of the Darknet. As the most realistic mode of penetration testing, the Red Teaming approach brings forward the pentesters' creative freedom along with their high motivation and good reputation.
Red Teaming combines digital methods and means with all the others used in real life: bribing staff, physical penetration into the customer's office (through employment), and even physical, biochemical, or psychological methods of influencing company personnel, etc.
The Red Teaming approach closely follows the real hacking market. High-level cybercrime, industrial espionage, and state intelligence institutions use similar approaches, including preparations for Advanced Persistent Threat (APT) attacks.
The most extreme manifestation of this approach is a "Guaranteed Penetration", which resembles the real attack of a hacker. The main difference is in the price and the amount of damage.
During negotiations with the customer and before making the deal, the pentester estimates the value of the customer's assets (e.g., $1-10Mln). The pentester analyzes the existing protection at his own expense and comes up with a share amount (e.g., 5-10% of the asset value). On these conditions, the pentester demonstrates to the business the ways to compromise or steal these assets for real, thus conducting a guaranteed penetration of the customer's cyber defenses. The compromise or theft could also be simulated to verify the penetration model, but still, it is much better to discover the flaws in the defenses before the real hackers do.
Possible drawbacks: Red Teaming and "Guaranteed Penetration" bring forward a set of problems associated with trusting the pentester and a high probability of privacy or psychological issues. The normal operation of the organization can be disrupted during the pentest. Therefore, Red Teaming is used less often than ordinary pentests, and "Guaranteed Penetration" in its pure form is applied extremely rarely.
Conclusion: real penetration is more of a game and an investment activity than a fixed-price service. It is important to remember that real hackers may spend a certain amount of effort, resources and time on attack preparation and make much more out of this "investment". If a pentester understands that he can take the risk of not penetrating the asset, he offers a pricing model based on the possible penetration results, e.g., a bonus for successful penetration. In some cases, only a successful penetration is considered a real result to be paid for. In the case of Red Teaming, the price and the results of penetration remain under the control of the targeted business.
Red Teaming vs. Checklists: What to Choose?
The answer is simple: take both! Real penetration testing practice skims the cream off both Checklists and Red Teaming. Before the testing begins, all possible threats, attack vectors, and methods should be described in as much detail as possible. This need not be a testing checklist, but some form of component or threat priority list. At the same time, the pentesters retain creative freedom in their actions, the ability to draw on past experience, and the modeling of the cybercriminal's reasoning within strict time constraints.
As for certain dangerous tests used during Red Teaming, it is extremely important to define red lines, so that the customer suffers no real damage as a result.
In the next part of our story, we will discuss the importance of pentesting "color" (jokes aside!). We will also have a look at how pentests are planned in real life.