Surrounding the cyber security practice of penetration testing (pen testing) are a number of supporting, complementary, extrapolated and evolved engagements. With so many controls available for assessing and improving cyber security, it can be confusing which purpose each control serves. There are many types of tests, teams and tactics, and each has its place.
Pen testing is an essential part of a mature cyber security program, with several types of tests that can be conducted, as detailed in our part one, ‘Understanding Penetration Testing’.
In this part two, we’ll explore some of the ways traditional pen testing has evolved and the ways pen testing complements holistic cyber security functions.
Vulnerability Scanning vs Penetration Testing
Vulnerability scanning and pen testing are sometimes confused with one another, or both lumped together as ‘vulnerability testing’. It is true that different organisations use terminology in their own ways. The generally accepted industry understanding separates the two as follows:
- Vulnerability Scanning: The practice of using tools to scan networks and applications for known security weaknesses, such as in the operating system, software version, ports and protocols available. The tool provides ratings and rankings of the identified findings to allow prioritisation of the remediation (patching). This is a fairly non-invasive means of security health-checking.
- Penetration Testing: The practice of attacking and exploiting an environment, application or even location, through a structured methodology to identify security risks and vulnerabilities. These could be in hardware, software, people, processes, configurations etc. Pen testing involves both manual and automatic tools and processes and takes on the view of a possible threat actor to provide context.
Vulnerability scanning is vital to the upkeep of security across infrastructure and applications because new security flaws and vulnerabilities are discovered constantly and development moves at a fast pace. Regular scanning and rating allow an organisation to ensure the latest patches are installed, closing off known exploits before they can be used against it.
Pen testing may involve some vulnerability scanning during the reconnaissance phase of the attack. This is what a threat actor would most likely do to discover what applications, devices, ports, services etc., are available and where the versioning may permit exploits to be run. However, this is just one initial part of a pen test, as the ultimate objective of pen testing is to go beyond just identifying the vulnerabilities to actually exploiting them to see what may be gained in doing so.
Both vulnerability scanning and pen testing are common security compliance requirements and have various ways of being engaged and implemented. For instance, the PCI DSS standard requires vulnerability scanning to be undertaken quarterly and critical risks identified to be remediated within thirty (30) days of patch release.
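As an added illustration (not code from the original article), the following Python check applies the PCI DSS cadence described above to scanner output: it flags unfixed critical findings that are older than the 30-day remediation window and confirms that the last scan falls within a quarter. The findings, hostnames and dates are constructed sample data, and the 90-day and 30-day interval values are assumptions taken from the paragraph.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed policy values, taken from the article's PCI DSS description:
# scan at least quarterly, fix critical findings within 30 days of patch release.
SCAN_INTERVAL_DAYS = 90
CRITICAL_FIX_DAYS = 30

@dataclass
class Finding:
    host: str
    plugin: str                      # scanner's name for the weakness (constructed)
    severity: str                    # critical / high / medium / low
    patch_released: Optional[date]   # None when no vendor fix exists yet
    fixed: bool

# Constructed sample scanner output; hosts and plugins are not real.
SAMPLE_FINDINGS = [
    Finding("web01", "OpenSSL outdated", "critical", date(2024, 1, 10), False),
    Finding("web01", "TLS 1.0 enabled", "medium", None, False),
    Finding("db01", "Unpatched DBMS", "critical", date(2024, 2, 20), False),
    Finding("app02", "Old framework", "high", date(2023, 12, 1), True),
]

def overdue_criticals(findings: List[Finding], today: date) -> List[Tuple[str, str, int]]:
    """Return (host, plugin, days_past_window) for unfixed critical findings whose
    patch has been available longer than CRITICAL_FIX_DAYS, worst first."""
    overdue = []
    for f in findings:
        if f.fixed or f.severity != "critical" or f.patch_released is None:
            continue  # nothing to remediate, or no patch to measure against yet
        age = (today - f.patch_released).days
        if age > CRITICAL_FIX_DAYS:
            overdue.append((f.host, f.plugin, age - CRITICAL_FIX_DAYS))
    return sorted(overdue, key=lambda t: t[2], reverse=True)

def scan_cadence_ok(last_scan: date, today: date) -> bool:
    """True when the most recent scan is within the quarterly interval."""
    return (today - last_scan).days <= SCAN_INTERVAL_DAYS

if __name__ == "__main__":
    today = date(2024, 3, 1)
    for host, plugin, days in overdue_criticals(SAMPLE_FINDINGS, today):
        print(f"{host}: '{plugin}' is {days} days past the 30-day window")
    print("quarterly cadence met:", scan_cadence_ok(date(2023, 11, 15), today))
```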
What about social engineering?
Social engineering is a technique that may be paired with a pen testing engagement because it complements the attacker’s view by testing how well people function as a security control. Social engineering aims to manipulate a person, by any available means, into taking an action or divulging information. Commonly, it leverages human emotions, goodwill, lack of knowledge or awareness, poorly defined behavioural practices, or straight-up deception.
Several forms of social engineering exist:
- Phishing: One of the oldest and most lucrative techniques uses email to harvest user information and credentials, or to induce a person to perform actions that benefit the threat actor. Phishing has since evolved to include SMS (smishing), voice calls (vishing), and any other messaging platform or service, such as WhatsApp or Instagram.
- Phone call: Whilst some categorise this as vishing, over-the-phone social engineering tends to differ in sophistication and complexity. Phishing in any form is often not especially focused or targeted; when it is, it is called spear-phishing. Phone call social engineering usually requires a high level of reconnaissance and background work, perhaps through open-source intelligence (OSINT), to manipulate a specific phone operator in a specific way. Where typical phishing is comparatively passive, phone social engineering is very active, with a high degree of persuasion involved.
- Physical: Physical social engineering involves testing human interactions, responses and actions through real-life scenarios. This may be through posing as a legitimate identity to see how well other people identify and authenticate others. It may be through navigating physical security controls dependent on human behaviour. An example of this may be wearing an identifiable uniform and approaching the reception of a building to request access that requires specific authorisation.
Social engineering is related to or complements pen testing in that many attacks rely on some form of social engineering in order to glean access credentials that can be used to compromise an initial boundary to the environment or application.
Which team to pick?
The cyber security world loves its different teams and roles, and there are some common terms that are important to understand and distinguish in order to appreciate their respective value. The team names come from cyber security exercises. During a simulated cyber security incident, one team performs the duties of the attacker whilst another team performs the duties of the defender. Assessment and insights are established based on the interaction and results of both respective teams. Through this, a better level of incident response preparedness can be determined and improved.
- Blue Team: The defending team during an attack exercise. Usually, this team is represented by members of the security operations centre (SOC). These are analysts who use tools to monitor infrastructure, networks and end-user devices for indicators of compromise, threats and unusual activity. As well as identifying attacks, they may also be able to prevent and stop them in real time.
- Red Team: The offensive team during an attack exercise. Usually, this team is represented by offensive security experts, like pen testers. Within the rules of engagement for the exercise, the Red Team seeks to attack and exploit the environment whilst evading the detection of the Blue Team. The Red Team may have objectives like exfiltrating data, gaining specific control of a system or gaining access up to a certain point of the environment.
- Purple Team: Combining the efforts of a Blue Team and a Red Team creates a dialogue between attackers and defenders. Learning from each exercise and evolving cyber security defences and strategies to respond and further protect the organisation is what a Purple Team is all about. Rather than simply pitting offence against defence, a Purple Team exercise adds a strategic layer that can be leveraged as more than a point-in-time effort, setting a roadmap for stronger security controls.
- Gold Team: Sometimes heard of in the cyber security industry, this is a non-technical team and exercise. The aim of a Gold Team is to respond during a cyber security incident crisis. It tackles senior management’s response and the use of the organisation’s incident response and business continuity controls for a tailored scenario.
No one team is better than the other in cyber security. Each serves its own function and is important. Depending on the organisation, its maturity and the business requirements, one, some or all of the teams may be called upon to assess and grow the cyber security posture.
Is adversary simulation better?
Depending on who you talk to, adversary simulation may be called Red Teaming or even something else. Regardless of the branding, what makes adversary simulation a next-level exercise is the sophistication that goes into the scenario and preparation work. Adversary simulation includes a detailed amount of threat intelligence groundwork and adversarial technique mapping that is specific to the client’s vertical or business.
A pen tester may be tasked with creating a threat actor profile that gives insight into motive, skills and resources, and may work with a cyber threat intelligence specialist to do so. A cyber threat intelligence specialist researches and stays apprised of the cyber threat landscape, including the most active threat actors and groups. They develop cases for who is targeted and why, the trends the industry is seeing, and which techniques and tools are popular.
By determining the most likely adversaries and their tactics, techniques and tools, the red team can emulate a likely, real-life scenario to test the security controls and defences the organisation has implemented. Providing the threat landscape context empowers the organisation to accelerate key resilience controls, rather than just hoping for the best or slogging away at industry best practices.
Adversary simulation often includes crafting social engineering using human intelligence (HUMINT) combined with OSINT. Combining physical and digital means of gleaning intelligence gives a holistic insight into security awareness gaps as well as the digital fingerprints an organisation’s staff have.
Adversary simulation may have a broader scope and timeframe, with the client permitting the testing team to go further than a traditional pen test or red team exercise in order to best emulate the no-holds-barred approach a motivated threat actor would take. Adversary simulation is often performed with only a very limited set of stakeholders and staff aware of it, so that the impact at every stage of the attack is captured faithfully.
How long, how often and how to decide?
The duration of a pen test really comes down to the budget of the client, the available resources of the testing entity, and the goal of the engagement. The longer the testing is conducted, the more comprehensive the results are likely to be, but also the greater the investment required. The size of the scope is another key factor. The greater the infrastructure, for example a large range of IP addresses or web application URLs, the longer and more involved the testing will be. Similarly, a large enterprise organisation undertaking an adversary simulation could see an engagement that requires months instead of weeks to be truly valuable in testing the large attack surface it faces.
Commonly, external infrastructure pen testing sees a duration of about 5 to 7 days for mid-sized organisations. Internal testing may be shorter, at 3 to 5 days. Web applications could range from 4 to 10 days, depending heavily on the application. Red team and adversary simulation exercises are rarely less than 10 days to 2 weeks in duration because of the preparation and reconnaissance work involved, along with the detailed reporting that follows. Some engagements could be upwards of 22 weeks, like the Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework programme for Australian financial institutions.
How often an organisation should conduct pen testing depends on several factors. A good practice is for pen testing to be conducted on infrastructure and applications after any significant changes and at least annually or more frequently as required by regulation or compliance with security standards and frameworks.
What to test should be driven by a risk-based approach in addition to meeting any compliance requirements. Assessing where the organisation’s crown jewels are, knowing what types of valuable data sit where in the environment, and understanding the impact of a compromise of confidentiality, integrity and availability will help guide what should be pen tested.
Pen testing opens the doors to many aspects of cyber security with varying flavours of engagements that can be undertaken. It is a career path that many choose because the room to grow and diversify in skillsets is large, with new and evolving challenges and work arising constantly.
Having a foundation in cyber security and working as a pen tester could see you leading secretive, sophisticated adversary simulations. You could find yourself working at the cutting edge of threat intelligence know-how. Or perhaps pen testing becomes a stepping stone to leading organisations in bringing together various teams for greater cyber resilience and incident response.
Being a pen tester requires keen perception and a high level of attention to detail. The cyber industry also needs more candidates with vision and leadership qualities who can bring a range of diverse skills to pen testing engagements and beyond.
If pen testing could be the cyber pathway for you, book a career consult with a course advisor today to learn more about how you can get the job-ready skills to step up and into the industry.