Guide to Modern Penetration Testing [Part 3]: A Digital Adventure
List of Related Blog Posts:
- Part 1. Guide to Modern Penetration Testing: Two Extreme Cases
- Part 2. Guide to Modern Penetration Testing: Choose Your Box
- Part 3. Guide to Modern Penetration Testing: A Digital Adventure
To conclude the series of articles about penetration testing, we’ll discuss what is more important for successful pentesting: a routine step-by-step approach as written in a manual, or improvisation based on one’s own intuition and past experience.
A Standard for Art
While pentesting might be a sort of chaotic playground, documentation should always be in order. One of the most complex challenges for a pentester is to effectively describe the results of their work to a customer. This is the very moment when “pure art” becomes standardized.
The Cyber Kill Chain model by Lockheed Martin is commonly used to show the relations between different findings and vulnerabilities, and how an attacker could chain them to gain full unauthorized access to the target object and, ultimately, to the customer’s local-area network. This model also demonstrates what damage the customer could suffer in case of a successful attack.
E.g., vulnerability scanning provides basic information about possible penetration paths. Vulnerability exploitation provides full access to parts of the target object. Subsequent post-exploitation and privilege escalation are described to show the customer how far the attackers can go, how long they can remain undetected, and what damage can be caused.
Unfortunately (or luckily), “striking” results of pentesting are not that common – not without a reason, of course. What if we take away creativity, and stick to the standards only? Let’s find out.
It Takes Two to Tango
It’s no secret that a penetration testing project entails many aspects and areas of focus. E.g., an expert who initially focuses on breaking defenses may realize in the course of a project that the protection of the target object is extremely strong (which is good for the customer, of course).
Realizing that this path may not bring the desired “striking” results, the expert may alter their research intention: instead of looking for a penetration path, they will focus on proving the security of the target object, especially if the “checklist” approach prevails in this project. Such a change of intentions during the test may result in deviating too far from realistic conditions.
At a glance, both research intentions may look the same. However, each requires different reasoning and forces the pentester to switch their mindset. For instance, instead of looking for vulnerabilities, an expert might pay more attention to documenting evidence that the target object’s security features operate properly, or to compiling a list of priorities and goals for the next pentest session on this target object. While having documentation in order is always beneficial, real attackers won’t be doing that. They will be improvising – in an organized way.
Thus, because these two research intentions differ so greatly, and consequently so do their methods and approaches, sound pentests require the participation of at least two professionals.
The first expert or group of experts will be improvising to find the most effective ways of implementing the kill chain model. Meanwhile, the others will conduct the more routine project work: collecting security evidence, documenting results and listing attack vectors for future pentest projects on this target object. This division of labor into “routine” and “artistic” parts allows the team to achieve maximum pentest effectiveness and lets specialists grow professionally as artists in their field.
Organized Chaos + Organized Order
Customer security depends on many aspects, such as an organized approach to pentests, long-term planning of pentests, management of the customer’s risks over the years, integration of pentest results from different years, use of previous results and planning of future penetration tests. At Infopulse, we monitor changes in the risks of customer target objects over the years and consider pentests one of the security management processes rather than one-time events.
To manage security and risks related to vulnerabilities discovered during pentests and other security assessment projects, we recommend using the following standards and methodologies:
From our experience at Infopulse, we have found it best to utilize the abovementioned frameworks and supplement them with both our own developments and those of our customers, allowing us to meet customers’ requirements and surpass their expectations.
It is important not only to find vulnerabilities and show how they can be exploited, but also to assess the possible damage as well as its probability. Creative freedom is appropriate both for finding penetration paths and for adapting risk assessment and risk evaluation techniques. E.g., we should predict what level of training, knowledge, experience, and resources an attacker would need to carry out any given attack. Add risk mitigation planning to finish the painting.
To sum it up, some stages of security assessment do require standardized approaches. At the same time, creative approaches help to uncover the full potential of security assessment projects. That is why penetration testing requires both technological skills and the prowess of an artist, to the utmost benefit of customers and the protection of their legitimate interests.
Conclusion
International standards and best practices may have varying degrees of detail and focus. Since they are always based on someone else’s experience, standards are rightfully considered cornerstones for solving the aforementioned security assessment challenges.
Yet, standards should never be the only tool to rely on. Many challenges must be solved based on first-hand experience rather than on someone else’s, e.g., planning, preparing and estimating the economic effectiveness of security assessment activities, managing technical and legal issues, etc.
The key to the success of any cybersecurity project, security assessment and management is an efficient combination of first-hand experience and someone else’s.
Security assessment standards are an effective tool only in combination with building one’s own proprietary methods.
A reasonable combination of standards and non-typical creative initiatives allows pentesters’ skills to manifest themselves most effectively on the “light side of the force” – in security assessment and penetration testing projects. As a combination of routine and art, pentesting provides top-quality results in security assessment and security management projects, highly valued by enterprises.