This post is about globally accepted LEGAL technique to exploit a system or network to validate their deployment of security controls. Yes I am talking about PENETRATION TESTING.
With this post I would like to share an ideal approach during penetration testing and importance in following the rules of engagement. Of what I have experienced following is the normal scenario:
Customer signs engagement and scope letter. Most of the time this engagement/scope letter contains very vague and/or no proper description of How’s and who’s of Penetration testing methodology. Sometimes they will just mention Person A and Person B will be performing a Penetration Testing on Customer A Network and rest is legal and contractual stuff. Some will also add type of penetration testing (no they won’t mention Black/Grey/White Box testing). They will say Web application Pen testing, Network Pen Testing. Although, they are in a way correct but still we need to mention it.
Suggestions : Organisation must let customers know what will be included in a Pen test. There is no room for assumptions. For any pen test one must provide the techniques and methods and especially what will be tested. One does not need to provide the tools name but techniques are important.
Defining this in the scope/engagement letter can assist pen tester to make sure he/she is not stepping over the boundaries – which are normally considered RULES OF ENGAGEMENT. Management and Pen Testers must understand this rules for a successful pen testing.
Management and organisation should also understand Pen testing should not be only performed because of compliance – unfortunately this is the driver in most cases. As Pen testing simulates an attack on any organisation it should be performed on a regular basis and for extended period of time. One should also perform external pen test to test their security controls and simulate real world attacks. Adversaries and/or cyber criminals have no time limit to gain access to your network, but Pen testers do and management must take this into consideration. Having a pen test for a week and next one next year will have zero value.
Another suggestions to pen testers is to be ready with their own way to exploit systems. Most of the time due to time constraints we use available tools and exploits to perform pen test which may give you some good results but we need to think or try to go beyond that and writing your own exploits has been proved to be a good method. If a vulnerability is identified it is a good idea to exploit it with multiple techniques if known.
Pen testers should also spend a good chunk of time in information gathering (active or passive). The more information you gather the better you will be able to exploit your target. I have always used 2 pen testers whereby PT A will continue performing information gathering – provide the results to PT B, PT B will give some information back to PT A and PT A will continue to gather information. Consider this as a to and fro situation but PT A and PT B will exchange information continuously.
PT B should concentrate on fingerprinting, enumeration, attempt to gain access to the systems, vulnerability assessment. There are many organisations and pen testers preferring running Vulnerability scanners upfront when performing pen test which I personally believe is wrong step. As we are trying to simulate attacks on organisation, we must think from the attackers point of view. Normally they don’t run vulnerability scanners straight up – the traffic generated by them is heavy and easily detectable by various security controls. These scanners can be used for verification and/or add-on to pen testing methodology to make sure we didn’t miss anything.
Lastly, providing a report of pen test to customer. Report should provide all the findings, techniques and methods use to collect information and how information was used to gain access to the system, what vulnerability, types of exploit used and outcome of the exploitation – privilege access, data exfiltration, install/modify applications and/or files etc. Screenshots are considered ideal. Having these information will assist pen testers to draft recommendations that are actionable rather just telling to update and patch.
Please visit following site for more information :