Blog of a Penetration Tester: Issue 1 – Some Important Definitions
This blog is about Penetration Testing, or more descriptively, the rants of a senior Pentester with seven years of field experience delivering penetration testing services to clients in the US, European Union, United Kingdom, and Australia.
Penetration Testers are the undisputed rock stars of the cyber security space. Lately, it seems like everybody wants to be a penetration tester; or worse, security professionals without any specialized training or experience download and install Kali Linux (after all it is free), and start calling themselves Penetration Testers and offering their services to clients. These are the “script-kiddies” of the world of penetration testing.
Before we begin talking about penetration testing, red teams, blue teams, vulnerabilities, hackers, and cybercriminals, it is important that we establish some common definitions to avoid misunderstandings.
Penetration Testing vs. Security Testing
So, what exactly is a Penetration Test? According to Wikipedia, a penetration test, colloquially known as a pen test, pentest, or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system. This is not to be confused with a vulnerability assessment.
A penetration test is performed to identify weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties to gain access to the system’s features and data, as well as strengths, enabling a full risk assessment to be completed. A pen test is an authorized simulated cyberattack; it is offensive in nature, and it seeks to identify and exploit vulnerabilities to compromise the Confidentiality, Integrity, and Availability of information resources.
In Penetration Testing the emphasis is on the “Penetration” rather than “Testing.” A pen test is not a test as the term is commonly understood by software engineers, but rather, a simulated “cyberattack” executed by a highly skilled professional hacker, for assessing the effectiveness of security controls and the overall security posture of a system.
Therefore, the key difference between penetration testing and security testing is that the former is an attack and the latter is not.
Penetration Testing vs. Vulnerability Scanning
“If it can’t be exploited; then it’s not a vulnerability.” —CSC StrikeForce
Application scanning can only go so far. Time-consuming human input (training and analysis, followed by more training and refinement) is an essential part of the process. Most web application scanning tools miss vulnerabilities and generate false positives on their own public testing sites, according to a recent study.
Larry Suto, an application security consultant, tested the web app scanners for accuracy and false positives as well as the time it took with each to get the best possible results, including running, reviewing, and supplementing the results from the scans. He found that, overall, the tools missed nearly half of the vulnerabilities on the sites—even when they were fully “trained,” or tuned, rather than set to point and scan the sites.
Suto’s findings in his web app scanner tests reflect the challenges facing Web application security, as Web applications are often riddled with flaws. “This is a lot harder problem than network scanning. These results should cause security professionals to have significant reason for concern if they are relying on one of the less-accurate tools. There is a good chance that they are missing a significant number of vulnerabilities,” he wrote in the report.
The pen tester can prove or disprove if a vulnerability is indeed exploitable in its current environment. A vulnerability scanner cannot make such distinctions.
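To make the scanner-versus-tester distinction concrete, here is an added example (it is not part of the original post and not from any scanner vendor): a toy banner-matching scanner beside a validation pass that asks whether the flagged code is actually present, enabled, and reachable in that environment. Every host name, product name, version number, and finding ID is constructed for the illustration; the rule table is a hypothetical signature, not a real advisory.

```python
# Added example (not from the blog): a toy "banner scanner" beside an
# environment-aware validation pass. All hosts, products, versions and the
# finding ID are constructed; the rule is a hypothetical signature.
from dataclasses import dataclass


@dataclass
class Service:
    host: str
    product: str
    banner_version: str           # version string the scanner reads off the wire
    patched_build: bool = False   # vendor backported the fix without bumping the version
    feature_enabled: bool = True  # the weak code path is actually switched on
    reachable: bool = True        # the service is exposed from the tester's position


# Hypothetical signature: builds of "examplehttpd" below 2.4 carry finding X-001.
RULES = {
    "examplehttpd": {"fixed_in": (2, 4), "finding": "X-001 (hypothetical)"},
}


def parse_version(text: str) -> tuple:
    """'2.3.1' -> (2, 3, 1); non-numeric fragments are ignored."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def scanner_findings(inventory):
    """Banner-only logic: flag purely on a version comparison."""
    flagged = set()
    for svc in inventory:
        rule = RULES.get(svc.product)
        if rule and parse_version(svc.banner_version) < rule["fixed_in"]:
            flagged.add((svc.host, rule["finding"]))
    return flagged


def validated_findings(inventory):
    """Tester-style validation: keep a finding only when the weak code is
    present (not backported), enabled, and reachable from the attacker position."""
    confirmed = set()
    for host, finding in scanner_findings(inventory):
        svc = next(s for s in inventory if s.host == host)
        if not svc.patched_build and svc.feature_enabled and svc.reachable:
            confirmed.add((host, finding))
    return confirmed


def triage(inventory):
    """Return (confirmed, false_positives) so the two views can be compared."""
    raw = scanner_findings(inventory)
    confirmed = validated_findings(inventory)
    return confirmed, raw - confirmed


# Constructed inventory: one real issue, three scanner false positives, one clean host.
INVENTORY = [
    Service("web-01", "examplehttpd", "2.3.1"),                         # genuinely exploitable
    Service("web-02", "examplehttpd", "2.3.1", patched_build=True),     # distro backport, banner unchanged
    Service("web-03", "examplehttpd", "2.2.0", feature_enabled=False),  # weak module disabled
    Service("web-04", "examplehttpd", "2.3.9", reachable=False),        # firewalled from the tester
    Service("web-05", "examplehttpd", "2.4.0"),                         # fixed build, not flagged
]

if __name__ == "__main__":
    confirmed, false_positives = triage(INVENTORY)
    print("scanner flagged :", len(confirmed) + len(false_positives))
    print("confirmed       :", sorted(confirmed))
    print("false positives :", sorted(false_positives))
```

Run as-is, the scanner view reports four findings and the validated view keeps one. The three the validation drops are exactly the cases a banner has no way of expressing: a backported patch, a disabled module, and a service the attacker position cannot reach. The reverse failure (a scanner miss) is simply a weakness with no rule in the table, which no amount of tuning of this kind of scanner will surface.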
Blue Team/Red Team (yes, we know there’s Purple Team as well)
Red teams are offensive security professionals who are experts in attacking systems and breaking into defenses. Blue teams are defensive security professionals responsible for maintaining internal network defenses against all cyber-attacks and threats.
Red Team – A “Red Team” exercise is a digital attack simulation. The Red Team approach is also known as “assume breached.” The adversary is already inside the security perimeter and the goal is for the Blue Team to detect, identify, contain, and eradicate the threat as it moves laterally across the network and before any data exfiltration can take place. The time that it takes for a threat to elevate privileges and begin lateral movement is known as the “breakout time.” The typical breakout time for an Advanced Persistent Threat (an advanced attacker with time and resources such as those of a nation state) has been estimated at 20 minutes. That is, 20 minutes from the time a victim clicks on a malicious link in an email (foothold), to moving laterally across the network (breakout).
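Breakout time is easiest to understand as a number the Blue Team can compute from its own timeline of an exercise. The following is an added example, not from the original post and not from any SIEM product: it scores a constructed Red Team timeline by measuring foothold-to-breakout, foothold-to-detection, and the hosts reached before the first detection. Host names, timestamps and the event schema (foothold, priv_esc, lateral, detected) are all made up for the illustration.

```python
# Added example (not from the blog): scoring a Red Team exercise from a
# constructed event timeline. Hosts, times and the event "kind" schema are
# hypothetical; they do not follow any real product's log format.
from datetime import datetime, timedelta


def ts(hhmm):
    """Parse 'HH:MM' within one constructed day."""
    return datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed timeline of one exercise.
EVENTS = [
    {"time": ts("09:00"), "kind": "foothold", "host": "ws-17", "detail": "user opened attachment"},
    {"time": ts("09:06"), "kind": "priv_esc", "host": "ws-17", "detail": "local admin obtained"},
    {"time": ts("09:14"), "kind": "lateral",  "host": "ws-17", "to": "fs-01", "detail": "remote logon"},
    {"time": ts("09:20"), "kind": "lateral",  "host": "fs-01", "to": "dc-01", "detail": "remote logon"},
    {"time": ts("09:31"), "kind": "detected", "host": "fs-01", "detail": "SOC alert triaged"},
]


def _first(events, kind):
    """Earliest event of the given kind, or None."""
    ordered = sorted(events, key=lambda e: e["time"])
    return next((e for e in ordered if e["kind"] == kind), None)


def breakout_time(events):
    """Minutes from the foothold to the first lateral movement, or None."""
    foothold, lateral = _first(events, "foothold"), _first(events, "lateral")
    if foothold is None or lateral is None:
        return None
    return (lateral["time"] - foothold["time"]) / timedelta(minutes=1)


def time_to_detect(events):
    """Minutes from the foothold to the first detection, or None."""
    foothold, detected = _first(events, "foothold"), _first(events, "detected")
    if foothold is None or detected is None:
        return None
    return (detected["time"] - foothold["time"]) / timedelta(minutes=1)


def hosts_reached_before_detection(events):
    """Hosts the adversary held before the first detection (foothold included).
    With no detection event, everything in the timeline counts."""
    ordered = sorted(events, key=lambda e: e["time"])
    if not ordered:
        return set()
    detected = _first(events, "detected")
    cutoff = detected["time"] if detected else ordered[-1]["time"]
    reached = set()
    for e in ordered:
        if e["time"] > cutoff:
            break
        if e["kind"] == "foothold":
            reached.add(e["host"])
        elif e["kind"] == "lateral":
            reached.add(e["to"])
    return reached


def score(events, apt_benchmark_minutes=20):
    """Summarise the exercise against the 20-minute APT breakout figure."""
    breakout, ttd = breakout_time(events), time_to_detect(events)
    return {
        "breakout_minutes": breakout,
        "detect_minutes": ttd,
        "detected_before_breakout": ttd is not None and breakout is not None and ttd <= breakout,
        "under_apt_benchmark": breakout is not None and breakout < apt_benchmark_minutes,
        "hosts_reached_before_detection": hosts_reached_before_detection(events),
    }


if __name__ == "__main__":
    for key, value in score(EVENTS).items():
        print(f"{key:32} {value}")
```

On the constructed timeline the breakout is 14 minutes and detection lands at 31, so the Blue Team lost the race and the adversary had three hosts, including the domain controller, before the first alert was triaged. The useful output of the exercise is the gap between those two numbers, not the fact that the Red Team got in.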
Blue Team – Includes the functions and activities of the Incident Response and Threat-Hunting teams. Their focus is to detect, identify, contain, and eradicate threats to the Confidentiality, Integrity, and Availability of information resources, and to ensure compliance with security policies, guidelines, and procedures. They are located inside the network looking out. Vulnerability scans are mainly used to verify that systems have been patched with the latest updates issued by the vendors. They are administrators and defenders. Top certifications: CISSP and CASP+.
The term “Red Team” is also used to refer to teams of penetration testers working collaboratively. These tend to be large exercises employing Phishing Campaigns, Social Engineering, and external asset attacks to establish a foothold and “penetrate” the internal network. Once inside, the goal is to elevate privileges to domain admin and to take over a domain controller and dump all the credentials. These hashes can then be cracked offline or used in pass-the-hash attacks. These are the hackers or threat emulators. Top Certifications: OSCP and GPEN.
Hacker vs. Cybercriminal
Hacker IS NOT synonymous with cybercriminal. Unskilled hackers typically don’t know how to code and rely on scripts and tools written by others. As mentioned previously, they are known in the hacker community as “script kiddies.” Skilled hackers know enough coding to write their own tools in Bash, Python, JavaScript, and PowerShell. Generally, they are not developers, but can leverage the programming language’s documentation, Google, and Stack Overflow to write code that meets their needs.
By definition, hackers are computer programmers who use their technical skills to breach digital systems, networks, and devices.
Cybercriminals are people who use computers or the internet to commit crimes. Both black- and gray-hat hackers may break the law, effectively becoming cybercriminals. All 50 states have computer crime laws governing the damage or disruption of computer systems.
Just as there are many ways to break these laws, there are many faces of cybercriminals. Some are petty thieves: lone wolves who steal information for financial gain. On the other end of the spectrum, there are organized crime groups who use the internet to buy and sell illegal goods — think weapons and drugs — or broker unlawful services. Corporations may break the law by engaging in cyber espionage, while nation states have been known to hire cybercriminals to spy on other governments, steal information, or otherwise engage in cyber warfare.
An ethical hacker may be employed as a security engineer for a major corporation or a computer forensics investigator for the NSA. This type of hacking is legal and necessary work; practitioners can even earn special credentials and certificates designed specifically for ethical hackers. If ethical hacking is a simulated attack to assess the effectiveness of security, then the hacking skills of the attacker are key in determining the validity of test results. In other words, just because a script-kiddie couldn’t break into your system doesn’t mean that the system is secure. How can you ensure your test results are valid? Hire an OSCP- or GPEN-certified ethical hacker to perform the testing.