Guide to Modern Penetration Testing [Part 2]: Choose Your Box
List of Related Blog Posts:
- Part 1. Guide to Modern Penetration Testing: Two Extreme Cases
- Part 2. Guide to Modern Penetration Testing: Choose Your Box
- Part 3. Guide to Modern Penetration Testing: A Digital Adventure
Here’s where the Penetration Testing Execution Standard (PTES) may be of help – a beacon for those who strive to find their way through pentest planning as a service. PTES connects customers’ business requirements and pentesters’ talents, providing reasonably detailed recommendations on pentest project preparation.
Infopulse continues a series of blog posts dedicated to the art and science of penetration testing. In this part, we’ll review the three core types of penetration testing and their differences. That’s where the abovementioned PTES will help us as well.
What’s Inside a Black/Grey/White Box?
According to PTES, a number of steps, parameters and options should be considered during the pre-engagement stage. Specifically, we need to review communication channels, interaction and control rules, specific ways of monitoring incidents and responding to them, etc. Then, pentesters come up with the description of information collection, threat modeling, methods of vulnerability analysis, exploitation of vulnerabilities, discovering the best way of attack, post-exploitation, infrastructure analysis, subsequent penetration into the customer’s infrastructure, cleaning and robustness. Besides, the PTES standard specifies the structure of reports compiled from test results.
And of course, one of the most common parameters to be discussed is the selection of a pentesting mode: Black Box, White Box or Grey Box. A quick overview of the three core pentesting modes is given below:
But are they really different? Let’s find out!
There’s No White without Black
The Black Box mode is commonly requested by those customers who conduct pentests for the first time or are hesitant about pentesting for some other reason. Black Box testing is a perfect bet when a customer wants to evaluate their new pentesting provider. As the level of the customer’s confidence rises, allowing them to establish a trustful relationship with the pentesting provider, the customer may switch from the “Dark Side” to the “Light Side” and request Grey Box or White Box pentesting. These “brighter” scenarios provide more information about the target object, so the attack surface covered and the pentest effectiveness are increased compared to basic Black Box testing.
Some clients are very scrupulous about planning pentesting and ask to conduct multiple types of testing within the framework of one project: a Black Box one first, then Light-Grey Box, then Dark-Grey Box testing.
A “gradual brightening” of pentesting modes within one project is a common procedure outlined in security assessment standards, e.g., NIST 800-115.
The Beauty of Grey
Grey Box pentesting service is very popular among enterprises since it shows excellent results, especially when the target object is an application. In fact, the information obtained during Grey Box testing might be so valuable that grey-ification of a Black Box pentesting project can happen in the middle of the pentesting process.
For example, a company needs Black Box penetration testing. While this type of testing requires only the target object address, in the course of the project, clients realize that providing extra information will facilitate the work of security experts, improving the project results. Thus, security specialists will receive more information than needed for the initially planned Black Box testing. By demonstrating intermediary results during the project, pentesting experts may justify the advantages of obtaining additional information, direct access or temporary suspension of security features. This allows obtaining confirmation of the previous results, making a more profound evaluation, assessing deeper security layers and obtaining additional results while saving project time.
Changes that take place during the project formally constitute the on-demand “brightening” of the pentest modes – the transition from pure Black Box to one or another “shade” of Grey Box penetration testing.
It’s Bigger On The Inside
In addition to selecting a proper pentesting mode, there are several dozen other parameters to consider during the preparation of each (commonly, Grey Box) pentest specification and scope description. Usually, such pentest specifications are called Rules of Engagement, urging pentesters to find out and describe the following:
- customer’s motivation, their drivers and business requirements, regulatory documentation;
- systems and components within the scope and outside of it;
- attack vectors and attacker profiles;
- allowed access channels to the target object;
- restrictions related to the production target objects, if any;
- permitted time of work, the procedure for responding to emergency situations;
- acceptable and unacceptable methods and means, e.g., admissibility and necessity of methods of socio-technical attacks (“social engineering”), DoS attacks, brute force attacks, etc.;
- whether the customer’s cyber security personnel can detect penetration attempts, and how they will respond to them;
- the possibility of unplanned changes during the project, restrictions, and dependencies known to the customer, as well as exceptions (e.g., exclude from test everything already known to the customer), etc.
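One way to turn several of the Rules of Engagement items above (in-scope and excluded systems, permitted work hours, acceptable methods) into an enforced pre-flight check, as an added example that is not from the original post or Infopulse: every planned action is checked against the agreed rules and refused with all violated rules listed. The address ranges, time window and method names are constructed placeholders, not values from any real engagement.

```python
import ipaddress
from datetime import datetime, time

# Constructed Rules of Engagement (hypothetical values, not from the post).
# TEST-NET ranges are used so nothing here points at a real host.
RULES_OF_ENGAGEMENT = {
    "in_scope": ["203.0.113.0/24", "198.51.100.10/32"],
    "out_of_scope": ["203.0.113.250/32"],          # fragile production host, excluded by the customer
    "work_hours": (time(22, 0), time(6, 0)),        # overnight window, wraps past midnight
    "allowed_methods": {"vuln_scan", "manual_exploitation"},  # no DoS, brute force or social engineering
}


def _in_any(ip, networks):
    """True if ip falls inside any of the listed CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def in_work_window(moment, window):
    """True if moment lies in the permitted daily window; handles windows that span midnight."""
    start, end = window
    t = moment.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def check_action(roe, target_ip, method, when_iso):
    """Return (allowed, reasons). All violated rules are reported, not only the first one."""
    when = datetime.fromisoformat(when_iso)
    reasons = []
    if not _in_any(target_ip, roe["in_scope"]):
        reasons.append(f"{target_ip} is not in scope")
    if _in_any(target_ip, roe["out_of_scope"]):
        reasons.append(f"{target_ip} is explicitly excluded")
    if method not in roe["allowed_methods"]:
        reasons.append(f"method '{method}' is not permitted by the RoE")
    if not in_work_window(when, roe["work_hours"]):
        reasons.append(f"{when_iso} is outside the permitted work hours")
    return (not reasons, reasons)


if __name__ == "__main__":
    for ip, method, when in [("203.0.113.5", "vuln_scan", "2024-01-01T23:30"),
                             ("203.0.113.250", "vuln_scan", "2024-01-01T23:30"),
                             ("192.0.2.1", "dos", "2024-01-01T12:00")]:
        ok, why = check_action(RULES_OF_ENGAGEMENT, ip, method, when)
        print("ALLOWED" if ok else "REFUSED", ip, method, when, why)
```

The check is meant to sit in front of any tooling so that the exclusions and time limits agreed with the customer are applied mechanically rather than from memory.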
Careful research of the customer’s needs and expectations, and their formalization and documentation in the Rules of Engagement, is what makes a difference in Infopulse’s approach to pentesting. In addition to the already mentioned frameworks OWASP, EC-Council, PTES and NIST 800-115, we rely on the methods provided by Offensive Security for planning and performing penetration testing projects. These standards, guides, and methods help to obtain better testing results when properly implemented.
Now, in the last part of our article, we’ll discuss why following only these rules and standards is not a good idea.