Penetration Testing Techniques
Penetration Testing, or Pentest, is a security assessment procedure in which real-world attacks are performed against the client organization (emulating real threats) to evaluate the company’s security posture and provide insights on remediation and mitigation when needed. A pentest can be an integral part of the organization’s security program.
Assessors may execute their pentest procedures with different levels of prior information about the inner workings of the target organization. A common naming convention, slowly being abandoned today, is the box metaphor: black box testing happens with no prior knowledge, adopting an outsider’s point of view; white box testing implies full prior knowledge (for example, architecture documentation, source code, and credentials); grey box testing is the situation in which some limited prior knowledge is provided, such as a standard user account or a network diagram.
Bug bounty programs are a simpler and more open-ended form of security testing than a classic pentest. They are publicly available programs in which externally facing applications and services are tested for vulnerabilities and exploits, and the company provides financial rewards to those who find these security gaps. Prestige can also be an excellent motivation for professionals who engage in bug bounty work. The program may also be run internally, open only to the organization’s employees. Together with the predetermined reward, the program establishes rules of engagement (ROE) that participants must follow so as not to disrupt operations or compromise sensitive information.
A classic pentest is a much more complex operation. It comprises many stages and results in a detailed report on the gaps found and the proposed solutions. Since a pentest emulates real-world attacks, it actively exploits vulnerabilities, which may disrupt services and compromise data. So even though a pentest is far more extensive than a bug bounty program, ROE must be established for it as well, covering which systems are in scope, which techniques are permitted, and when testing may take place.
Pentest has clear and sequenced stages: planning, discovery, attack, and reporting. Each stage has unique demands:
- Planning: establishing the contract, pentest objectives, and the ROE that will guide the pentest process;
- Discovery: reconnaissance process on the target organization, collecting necessary intelligence data on potential weaknesses and available exploits;
- Attack: consists of infiltration, privilege escalation, pivoting, lateral movement, persistence, and cleanup;
- Reporting: consolidates and formalizes all the procedures employed, vulnerabilities, and other gaps found and suggests remediation and mitigation measures.
In more detail, the reconnaissance process involves passive and active components. Passive procedures are characterized by the absence of direct engagement with the target organization: only third-party or publicly available sources are consulted, so the target sees no traffic from the assessor. OSINT data gathering is the most common way to execute passive reconnaissance, for example browsing the company’s website, performing a whois lookup, looking for externally exposed IoT devices through platforms such as Shodan, and finding employees’ professional and personal social media accounts. Active reconnaissance, by contrast, happens through direct engagement with the target, as in port scanning and service discovery on a company’s network. Because active probing sends packets to the target, it can be logged by the defenders and can disrupt the target’s activities, so the permitted procedures, targets, and timing must be determined in the ROE.
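As an added example (not code from the original article), the following Python script shows the two points above in working form: an ROE scope check that refuses to touch any address outside an agreed allowlist, followed by a TCP connect scan with a banner grab for service discovery. The allowlist networks, the banner string, and the local listener it scans are all constructed for the demonstration; there is no real target involved.

```python
"""Minimal active-reconnaissance helper: ROE scope check, TCP connect scan,
banner grab.  Added example, not part of the original article; the target
is a throwaway local listener that this script starts itself."""
import ipaddress
import socket
import threading

# Scope allowlist as it might be written into the ROE (assumed values).
ROE_SCOPE = [ipaddress.ip_network("127.0.0.0/8"),
             ipaddress.ip_network("10.0.0.0/8")]


def in_scope(host: str) -> bool:
    """True only if the address lies inside a network the ROE authorises.
    Hostnames are resolved first so a DNS alias cannot pull an off-scope
    address into the scan.  IP literals resolve without any DNS traffic."""
    addr = ipaddress.ip_address(socket.gethostbyname(host))
    return any(addr in net for net in ROE_SCOPE)


def scan_port(host: str, port: int, timeout: float = 1.0):
    """TCP connect scan of one port.  Returns (state, banner); state is
    'open', 'closed' (connection refused) or 'filtered' (no answer)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed", ""
    except OSError:  # includes socket.timeout
        s.close()
        return "filtered", ""
    # Service discovery: many daemons (SSH, SMTP, FTP) speak first, so read
    # whatever arrives within the timeout and keep it as the banner.
    try:
        banner = s.recv(256).decode("ascii", "replace").strip()
    except OSError:
        banner = ""
    finally:
        s.close()
    return "open", banner


def scan(host: str, ports, timeout: float = 1.0) -> dict:
    """Scan a list of ports, refusing to touch anything outside the ROE."""
    if not in_scope(host):
        raise PermissionError(f"{host} is outside the ROE scope; not scanning")
    return {p: scan_port(host, p, timeout) for p in ports}


def start_fake_service(banner: bytes) -> int:
    """Constructed target: a local listener that sends a banner on connect.
    Returns the ephemeral port it was bound to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.sendall(banner)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def pick_closed_port() -> int:
    """Constructed helper: reserve an ephemeral port and release it again so
    the scan also sees a port that answers with a refusal."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo() -> dict:
    """Scan the constructed service plus one port known to be closed."""
    open_port = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")  # made-up banner
    closed_port = pick_closed_port()
    return scan("127.0.0.1", [open_port, closed_port])


if __name__ == "__main__":
    for port, (state, banner) in demo().items():
        print(f"127.0.0.1:{port} {state} {banner}")
```

Running it prints one open port with the constructed SSH-style banner and one closed port. The scope check is the part worth copying into real tooling: a scanner that cannot be pointed at an out-of-scope address is the simplest way to keep active reconnaissance inside the ROE.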
War-driving and war-flying are both reconnaissance techniques that may be passive or active, depending on the level of interaction with the target. The former involves driving along the organization’s perimeter to discover potentially vulnerable wireless networks and access points. War-flying has this same objective but uses unmanned aerial vehicles (UAV) to scan instead.
The attack phase is composed of different steps. It begins with initial exploitation, infiltrating the network through the identified gaps (e.g., a vulnerable service on an open port or an account compromised through social engineering). Privilege escalation follows: starting from the low-privilege access obtained, the attacker seeks higher privileges, such as administrator or root, by obtaining more privileged credentials or by exploiting local misconfigurations and vulnerabilities. With those privileges, the attacker can execute more complex commands and move from the compromised host to other machines in the network (lateral movement), and can use a compromised host as a relay to reach network segments that are not directly accessible from the outside (pivoting). At this stage, the attacker must also establish a foothold for continued remote access that survives reboots and countermeasures by the security team (persistence). Finally, after completing the attack objectives, the assessor must remove the artifacts it introduced (tools, accounts, persistence mechanisms, test files), return the target systems to their original state, and make sure no new vulnerabilities have been introduced (cleanup). Unlike a real attacker, the assessor should not erase logs unless the ROE explicitly calls for it, because those logs are the evidence the defenders need to learn from the exercise. During an attack, further intelligence may be discovered and is fed back into the data gathered in the reconnaissance phase.
After the attack’s execution, the assessor prepares a report describing all data relevant to the organization’s security program: the security weaknesses discovered, the attack methods that proved effective, and the suggested remediation and mitigation measures. Reporting is essential, as it is the means of communicating the findings to the client organization.
Teaming is a more extensive security exercise that incorporates pentest. The participants are divided into offensive (red) and defensive (blue) teams. The Red Team executes attack operations, implementing most of the pentest procedures described above. The Blue Team opposes Red Team efforts, seeking to detect the attacks and implement countermeasures. Red and Blue Teams may also work together as a Purple Team, collaborating to find vulnerabilities and exploits and to rapidly develop detections and fixes for them.
Finally, teaming exercises may incorporate White Teams. They are neutral in the exercise, adjudicating it according to the ROE. Additionally, they provide an interface between the technical results of the exercise and the organization’s cybersecurity policies and strategies. Red, Blue, and Purple Team staff tend to be more technical and are usually IT personnel, while administrative, compliance, and legal employees form White Teams.