5. Audit and Penetration Testing

Penetration testing, or pen testing, involves authorized hacking techniques to identify and exploit vulnerabilities in security systems, differing from passive vulnerability assessments by actively testing security controls. The process includes verifying threats, bypassing security, testing controls, and exploiting vulnerabilities, with clear rules of engagement established for the assessment. Various testing profiles (black, white, gray box) simulate different threat scenarios, and bug bounty programs crowdsource vulnerability detection, while red and blue team exercises enhance security through simulated attacks and defenses.

Explain Penetration Testing Concepts

Automated vulnerability scanning does not test what a highly capable threat actor might be able
to achieve. Penetration testing is a type of assessment that adopts known tactics and techniques
to attempt intrusions. Devising, planning, and leading penetration tests is a specialized security
role, but at a junior level you are likely to participate in this type of engagement, so you should be
able to explain the fundamental principles.

PENETRATION TESTING

A penetration test—often shortened to pen test—uses authorized hacking techniques to
discover exploitable weaknesses in the target's security systems. Pen testing is also referred to
as ethical hacking. A pen test might involve the following steps:

 Verify a threat exists—use surveillance, social engineering, network scanners, and
vulnerability assessment tools to identify a vector by which vulnerabilities could be
exploited.

 Bypass security controls—look for easy ways to attack the system. For example, if the
network is strongly protected by a firewall, is it possible to gain physical access to a
computer in the building and run malware from a USB stick?

 Actively test security controls—probe controls for configuration weaknesses and errors,
such as weak passwords or software vulnerabilities.

 Exploit vulnerabilities—prove that a vulnerability is high risk by exploiting it to gain access
to data or install backdoors.

The key difference from passive vulnerability assessment is that an attempt is made to actively
test security controls and exploit any vulnerabilities discovered. Pen testing is an intrusive
assessment technique. For example, a vulnerability scan may reveal that an SQL Server has not
been patched to safeguard against a known exploit. A penetration test would attempt to use the
exploit to perform code injection and compromise and "own" (or "pwn" in hacker idiom) the
server. This provides active testing of security controls. Even though the potential for the exploit
exists, in practice the permissions on the server might prevent an attacker from using it. This
would not be identified by a vulnerability scan, but should be proven or not proven to be the case
by penetration testing.

RULES OF ENGAGEMENT

Security assessments might be performed by employees or may be contracted to consultants or
other third parties. Rules of engagement specify what activity is permitted or not permitted.
These rules should be made explicit in a contractual agreement. For example, a pen test should
have a concrete objective and scope rather than a vague aim such as "break into the network."
There may be systems and data that the penetration tester should not attempt to access or
exploit. Where a pen test involves third-party services (such as a cloud provider), authorization to
conduct the test must also be sought from the third party.
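The scope, exclusions, testing window and third-party authorization described above can be written down as data and checked before any activity starts. The following is an added example (it is not part of the original notes and is not the Pentest-Standard's material) of such a pre-engagement gate; the networks, the excluded host, the dates and the provider name "examplecloud" are constructed sample values.

```python
"""Rules-of-engagement scope gate (added example, constructed sample data)."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class RulesOfEngagement:
    in_scope: list              # networks authorized in the contract
    excluded: set               # hosts the tester must not touch, even inside in_scope
    window_start: datetime      # agreed testing window, inclusive
    window_end: datetime
    third_party_authorized: set  # providers that have granted separate authorization


def check_target(roe: RulesOfEngagement, target: str,
                 hosted_by: Optional[str], when_iso: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Every ROE condition must hold; any miss denies."""
    addr = ip_address(target)
    when = datetime.fromisoformat(when_iso)
    if when < roe.window_start or when > roe.window_end:
        return False, "outside agreed testing window"
    if addr in roe.excluded:
        return False, f"{addr} is explicitly excluded from scope"
    if not any(addr in net for net in roe.in_scope):
        return False, f"{addr} is not in an authorized network"
    # A third-party host needs that party's own authorization, not just the client's
    if hosted_by is not None and hosted_by not in roe.third_party_authorized:
        return False, f"no authorization from third party '{hosted_by}'"
    return True, "in scope"


def scope_report(roe: RulesOfEngagement, requests):
    """Evaluate (target, hosted_by, when_iso) triples; return (target, allowed, reason)."""
    return [(t, *check_target(roe, t, h, w)) for t, h, w in requests]


# Constructed sample ROE (hypothetical values, not from the notes)
SAMPLE_ROE = RulesOfEngagement(
    in_scope=[ip_network("10.20.0.0/16"), ip_network("192.0.2.0/24")],
    excluded={ip_address("10.20.5.10")},  # e.g. a production database host
    window_start=datetime(2024, 3, 4, 22, 0),
    window_end=datetime(2024, 3, 8, 6, 0),
    third_party_authorized={"examplecloud"},
)

if __name__ == "__main__":
    t = "2024-03-05T01:00:00"
    for target, allowed, reason in scope_report(SAMPLE_ROE, [
        ("10.20.1.7", None, t),
        ("10.20.5.10", None, t),
        ("192.0.2.44", "examplecloud", t),
        ("192.0.2.45", "otherhost", t),
        ("10.20.1.7", None, "2024-03-09T12:00:00"),
    ]):
        print(f"{target:12} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

The gate denies by default: a target passes only when it is inside the contractual window, not on the exclusion list, inside an authorized range and, if a third party hosts it, that party has authorized the test too.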

The Pentest-Standard website provides invaluable commentary on the conduct of pen
tests.

Attack Profile

Attacks come from different sources and motivations. You may wish to test both resistance to
external (targeted and untargeted) and insider threats. You need to determine how much
information about the network to provide to the consultant:

Black box (or unknown environment)—the consultant is given no privileged information about the
network and its security systems. This type of test would require the tester to perform a
reconnaissance phase. Black box tests are useful for simulating the behavior of an external
threat.

White box (or known environment)—the consultant is given complete access to information about
the network. This type of test is sometimes conducted as a follow-up to a black box test to fully
evaluate flaws discovered during the black box test. The tester skips the reconnaissance phase in
this type of test. White box tests are useful for simulating the behavior of a privileged insider
threat.

Gray box (or partially known environment)—the consultant is given some information; typically,
this would resemble the knowledge of junior or non-IT staff to model particular types of insider
threats. This type of test requires partial reconnaissance on the part of the tester. Gray box tests
are useful for simulating the behavior of an unprivileged insider threat.

A test where the attacker has no knowledge of the system but where staff are informed that a test
will take place is referred to as a blind (or single-blind) test. A test where staff are not made aware
that a pen test will take place is referred to as a double-blind test.

Bug Bounty

A bug bounty is a program operated by a software vendor or website operator where rewards are
given for reporting vulnerabilities. Where a pen test is performed on a contractual basis, costed
by the consultant, a bug bounty program is a way of crowdsourcing detection of vulnerabilities.
Some bug bounties are operated as internal programs, with rewards for employees only. Most
are open to public submissions.

EXERCISE TYPES

Some of the techniques used in penetration testing may also be employed as an exercise
between two competing teams:

 Red team—performs the offensive role to try to infiltrate the target.

 Blue team—performs the defensive role by operating monitoring and alerting controls to
detect and prevent the infiltration.

There will also often be a white team, which sets the rules of engagement and monitors
the exercise, providing arbitration and guidance, if necessary. If the red team is third
party, the white team will include a representative of the consultancy company. One
critical task of the white team is to halt the exercise should it become too risky. For
example, an actual threat actor may attempt to piggyback a backdoor established by the
red team.

In a red versus blue team exercise, the typical process is for the red team to attempt the intrusion
and either succeed or fail, and then to write a summary report. This confrontational structure does
not always promote constructive development and improvement. In a purple team exercise, the
red and blue teams meet for regular debriefs while the exercise is ongoing. The red team might
reveal where they have been successful and collaborate with the blue team on working out a
detection mechanism. This process might be assisted by purple team members acting as
facilitators. The drawback of a purple team exercise is that without blind or double-blind
conditions, there is no simulation of a hostile adversary and the stresses of dealing with that.
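The purple-team debrief above ends with the blue team working out a detection mechanism for something the red team got away with. As an added example (not from the original notes), the following detection logic runs over constructed sshd-style log lines and flags a single source address that fails logins against many different accounts in a short window, the pattern of the weak-password probing mentioned under "Actively test security controls." The log lines, addresses and usernames are constructed sample data; the thresholds are assumptions to be tuned per environment.

```python
"""Blue-team detection: many distinct failed usernames from one source (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches a syslog-like sshd failure line with an ISO timestamp (constructed format)
LOG_RE = re.compile(
    r"^(\S+)\s+sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

# Constructed sample log: one source sprays six accounts in three minutes,
# another source retries a single account three times, plus one successful login.
SAMPLE_LOG = """\
2024-03-05T01:00:05 sshd[2101]: Failed password for alice from 198.51.100.7 port 40212 ssh2
2024-03-05T01:00:31 sshd[2103]: Failed password for bob from 198.51.100.7 port 40218 ssh2
2024-03-05T01:01:02 sshd[2105]: Failed password for invalid user carol from 198.51.100.7 port 40225 ssh2
2024-03-05T01:01:40 sshd[2107]: Failed password for dave from 198.51.100.7 port 40231 ssh2
2024-03-05T01:02:11 sshd[2109]: Failed password for erin from 198.51.100.7 port 40240 ssh2
2024-03-05T01:02:55 sshd[2111]: Failed password for invalid user frank from 198.51.100.7 port 40247 ssh2
2024-03-05T01:03:10 sshd[2113]: Accepted password for alice from 10.20.1.7 port 51002 ssh2
2024-03-05T01:04:00 sshd[2115]: Failed password for alice from 203.0.113.5 port 33001 ssh2
2024-03-05T01:04:20 sshd[2117]: Failed password for alice from 203.0.113.5 port 33002 ssh2
2024-03-05T01:04:41 sshd[2119]: Failed password for alice from 203.0.113.5 port 33003 ssh2
""".splitlines()


def parse_failures(lines):
    """Extract (timestamp, username, source) from failed-login lines; ignore the rest."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), user, src))
    return events


def detect_spraying(lines, min_users=5, window=timedelta(minutes=10)):
    """Alert once per source that fails against >= min_users distinct accounts within window."""
    by_src = defaultdict(list)
    for ts, user, src in sorted(parse_failures(lines)):
        by_src[src].append((ts, user))
    alerts = []
    for src, items in by_src.items():
        best = None
        start = 0
        # Sliding window over this source's failures, ordered by time
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            users = {u for _, u in items[start:end + 1]}
            if len(users) >= min_users and (best is None or len(users) > best["distinct_users"]):
                best = {
                    "src": src,
                    "distinct_users": len(users),
                    "first": items[start][0].isoformat(),
                    "last": items[end][0].isoformat(),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_spraying(SAMPLE_LOG):
        print(alert)
```

Counting distinct usernames rather than raw failures is what separates this rule from a plain brute-force rule: the second source above fails three times against one account and produces no alert here, while the first source trips the threshold at its fifth account.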
