You’ve been running vulnerability scans on a regular basis, you’ve expanded that into a broader vulnerability assessment approach, and you’ve been fixing everything that’s been found and that is a legitimate security concern.
So what now?
Well, you can turn to something called penetration testing to strengthen your organization’s security posture.
Pentesting is a topic that you can expect to get questioned on, so this article covers important pentesting concepts for the Security+.
What is penetration testing?
A penetration test is designed to test an organization’s defenses to see if they can be defeated by an attacker who’s trying to achieve specific goals.
So again, with vulnerability scans, you’re looking at the big picture of what known issues exist, and you’re creating a list of issues that need to be corrected, in a prioritized order.
With pentests, whoever is performing it will act as an attacker who is trying to breach your defenses in order to achieve an objective: maybe it’s to gain administrative or root access to an internal system, maybe it’s accessing private and sensitive data, or maybe it’s making modifications to a system that should be off limits.
Pentests can be performed by internal teams within your organization, although many times, organizations will hire external groups to come in and perform these tests.
Pentests are not only important to do to maintain a healthy security posture, but they may sometimes become a requirement for compliance reasons.
For example, PCI DSS which is required for those handling cardholder data, has certain requirements. One of those requirements is for certain penetration tests to be done.
An industry-accepted pentesting approach is defined by NIST – or the National Institute of Standards and Technology – “Technical Guide to Information Security Testing and Assessment” (SP 800-115)
Another internationally recognized accreditation is the CREST Framework. CREST is a not-for-profit accreditation and certification body that provides information on how pentests should be performed, and it can help provide access to qualified firms or talent.
So we know that pentests are important, but how do they work?
A typical pentest engagement will involve the following steps:
1. Reconnaissance and Discovery
This is an important part of pentesting that we talk more about in our course, but that gives pentesters useful information to start their testing.
2. Initial Exploitation
This step uses information from reconnaissance to exploit a vulnerability or weakness in order to gain access to a network or device. This could mean:
- Finding vulnerabilities that provide an entry point
- Unpatched software
- Using social engineering to gain access
3. Pivoting and Privilege Escalation
This step uses the initial exploitation to look for ways of escalating privileges, and to pivot to another device on the network…the initial entry point may not be the intended target, so an attacker will often have to find a way to pivot through the network. Pivoting is when an attacker is moving from one compromised system to another.
- Pentesters will look for PrivEsc vulnerabilities
- They may try to use brute force tools or other automation tools like Metasploit that can help automate a lot of this
- They may find less secure devices and accounts in internal networks that they can hop to from their initial entry point
- When a pentester is able to move across different users in order to either move to other systems in the network, or to move to more privileged users in the network, this is called lateral movement
After pivoting and/or escalating privileges, an attacker will want to establish persistence on the targeted system or network…that way an attacker can more easily access its target and they can try to persist even if their initial intrusion was detected.
- Backdoors are useful for this kind of persistence
- Attackers may also create their own privileged users
- Or they may look for unprotected accounts that they can connect back to at a later time
After a pentester successfully or unsuccessfully executes all of this, they will need to undo all of their changes in order to leave the network and its devices in their original state. This means:
- Deleting any user accounts created during the test, or reverting user accounts back to their original state
- Removing any backdoors or other forms of persistence
- Deleting any files created or uploaded, or anything that was installed on the network
6. Data Collection and Reporting
The final step that a pentester must take is to collect all of their notes and data about the testing they performed and providing it in a well-documented report for the customer or for their manager
Before we get to even execute these steps as a pentester, though, we first need to go through a process that defines the Rules of Engagement.
Rules of Engagement
What we’re talking about here is a major undertaking…especially if you’re hiring an external firm to do it for you. They will gain access to potentially highly sensitive data and systems, which means you need to trust that they will be professionals.
You can’t just hire anyone to do this, and you also need to define ground rules. We call these Rules of Engagement (RoE)
RoEs are important documents that:
- Define the purpose and scope of testing
- Define the rules of what can be done
- Define success metrics
- Make everyone aware of what will be tested, and how
These documents help answer questions like:
- Are we performing a physical, on-site pentest?
- Are we testing a single application, or internal networks?
- Will the tests be performed during work hours or after work hours?
- Who will need to be involved?
- Who will be the point of contact?
- What will the testers need to have access to? What will be off-limits?
This is also the time when other important and logistical details will be determined, such as:
- What IP addresses will be used by the testers?
- What domains, if any, will they use? Like maybe they will try and set up a Command & Control server that we should be aware of
- If sensitive data is accessed, how should that be handled by the testers?
- How often will we get updates from the testing team?
- and so on…
As you can see, a lot goes into making sure that we set goals and establish boundaries before any testing even takes place.
Rules of Engagement help us avoid unnecessary issues that could result in inferior test results, or even in potential lawsuits, so they need to be taken seriously.
White vs. black vs. gray box testing
Another important concept to understand when we’re talking about pentests is the difference between white box, black box, and gray box testing.
White box testing
White box testing is when the testers have complete visibility into the inner workings of the application, network, or system that they are testing. They can see the architecture, technology, code, flow charts, databases, and virtually anything else they need. They can even reach out to the team working on those systems to ask them questions about how something works or how it was designed.
They essentially act as if they are employees of that organization, and they have a massive advantage that most attackers won’t have unless they are insider threats.
Black box testing
Black box testing is just about the direct opposite of white box testing. Instead of having insider knowledge, they are completely in the dark and they have to find everything on their own. Obviously, this means that they are at an information disadvantage, but they are going to perform a much more realistic test because they are acting more like a non-insider threat actor.
Also, sometimes when you have access to too much information, you will test the system in a different way than you would have if you had no internal information. Again, this is usually a disadvantage, but it can sometimes skew how you test the application or network…
Gray box testing
…and that’s part of why there’s a middle ground! Gray box testing.
With gray box testing, the tester has some knowledge of the inner workings of the network, application, or system, but not all of it.
Gray box testing is helpful because it can help the pentesters avoid wasting time on areas that won’t lead anywhere. It can help them focus their efforts and it can help them move faster.
Pentesting for the Security+ Conclusion
As you can see, penetration testing goes beyond vulnerability scans and they can provide actionable reports that show not only which vulnerabilities still exist, but also how they can be exploited and what the damage would be.
Pentests will not find every single vulnerability that you still have in your systems, but they will help improve your organization’s security maturity.