Most folks are starting to gain familiarity with Hollywood’s interpretation of hacking, if not the real world. Mr. Robot‘s ascension and the rapid-fire news cycle have seen a ton of prominent stories bombard the public. You probably get some interesting dinner conversations 😉 Inevitably, the public’s view of hackers as malicious and evil agents, either working for profit or for an adversarial nation-state, has come to dominate the discussion.


The black hat folks seem to grab a lot of attention, but there is a fantastic community of ethical “white-hat” hackers out there that are doing their best to help companies and organizations address their environment’s shortcomings and be more secure in the face of relentless attack. These folks have skills across a massive number of disciplines, and I’m always amazed to see how unique each security professional’s path into the business is. The variety of life experiences and personalities is what makes the cyber security field so much fun to learn from and interact with. Twitter is loaded with awesome folks sharing the know-how – look them up and follow for some great free technical and career advice!

Not so fast!

Before employing pen testing for defensive purposes, it is always a good idea to evaluate the basics and use other tools or processes first. Penetration testing services can be both lengthy and expensive, depending on the scope of work. If no homework has been completed beforehand, a pen test can produce an overwhelming and demoralizing myriad of findings that have the opposite of the intended effect: defenders will tune out and become defensive, rather than proactively addressing the findings. So where do we start?

Talent: I find that the single most important piece of the puzzle for my customers is hiring and building skills appropriate to the environment. When we see that there is a massive shortage of cyber security professionals – 1 million jobs in the US alone – I can personally vouch for the effects. Companies are throwing their money away when they neglect proper design, deployment, and operation of the many pieces of any enterprise. Management needs to hire folks who either have, or more importantly can learn, the right way to build and maintain a secure network. Degrees are not as important here. Industry certifications and a body of work or track record of learning are a MUCH better focus for hiring professionals. My best security customers are those who are always learning, and their formal pedigree is a distant second. The learning must be continual and timely. And for all of those managers out there with ideas about instant fixes? Don’t just expect them to learn without support – back them with formal training time and budget. A few dollars spent here can help avoid millions of dollars in Incident Response (IR).

Procurement: These well-trained and motivated folks, if empowered to do so, can also assist in the next part – purchasing the right products from the right vendors at the right time. Honest assessments of the current and target architecture are critical to maintaining a prioritized list of projects and procurements, and this is where you can help bring order to the chaos. Trust those folks to help you find vendors and partners you can trust! Now you may think I am biased, working for one of those vendors, but I would rather see a smart team buy a worthy competitor than make a hasty decision just to check a box. Just as important as picking the right solutions is ensuring they integrate. No one wants to have too many siloed solutions to work with. Too much of that pushes talent away. If you have your act together and a strategy for procurement, it will lure smart folks onboard.

Assessments, Audits, and Scans: Once you have procured the right products and deployed them the right way, you still have some work to do before pursuing a penetration test. This is all about making sure you did what you said you would do – consistently and completely. Continual assessments and scans can be invaluable in helping identify known flaws or misconfigurations that even a novice hacker could take advantage of. Closing those holes quickly typically involves patching and configuration remediation, and much of this can be done internally, as part of any change process or project plan.

The path outlined here is about doing things you have to do already, just with more rigor and eyes wide open. You’ll find that your attack surface is reduced greatly and that you pose a much greater challenge to script kiddies and opportunists. Are you out of the woods? Not yet, but now you can employ penetration testing to find those hard-to-reach areas and help validate your hard work.

Types of Penetration Testing

There is by no means a singular vision of how folks must specialize or differentiate in the field. That being said, there are some interesting forms of hacking that Jason and I have discovered in our learning that might be helpful in focusing yours. Most of these pen testing types try to follow the processes used by attackers, in order to test the target and its operators accurately and ensure the best coverage. Regardless of the type of attack or pen test, the industry oftentimes will use the Cyber Kill Chain to help break down the phases in a test. Developed by Lockheed Martin in the early stages of cyber defense, this methodology can be used to help break down most test approaches:

[Figure: the Cyber Kill Chain phases]

These categories or disciplines are by no means mutually exclusive, and we’d encourage you to learn and gain proficiency in as many areas as you can to help provide greater insights to your teams. In no particular order, here are some of those areas:

Network: This is where Jason and I started our learning path – working for a networking company, it was of great interest to us. This form of pen testing often involves finding ways to exploit misconfigured or vulnerable infrastructure (routing, switching, firewalls, wireless, etc.) to establish a beachhead and snoop on, steal, disrupt, or corrupt traffic running on the network. This is a popular discipline, as there are a ton of tools and even more networks in need of this service.

Web: Web applications are a source of significant pain in recent breaches. Ashley Madison, Panera Bread, the Office of Personnel Management, and many others either consisted of or were aided by hacks of web applications. This discipline involves understanding the many components of the server-client relationship (browser, application, database, web tiers, authentication, encryption, etc.) and finding ways, sometimes with just a browser, to convince some portion of that architecture to give up the goods.

Social Engineering: Social engineering is effectively hacking the user. While this may seem the least technical, it is oftentimes the most seasoned or well-rounded folks who make great SE professionals. They combine technical savvy with psychological know-how to influence users and teams and gain privileged information. SEs might act from afar (crafting phishing campaigns or forging look-alike websites). SEs that interact in real life might be the most cloak-and-dagger of them all – knowing how to get what they need from a user, or what might be useful in what was received, takes some nerves of steel, or a great poker face. I have very little background in this, but think this would be a great skill to work on.

Physical: Much like a social engineer, a physical pen tester needs to understand the tendencies of the users in an environment. Rather than using this knowledge to interact, they may be using these skills to minimize interaction so as to achieve their ultimate goal – the physical infiltration of an environment to either implant something or otherwise alter the environment for other forms of pen testing. This is usually incorporated as part of a Red Team exercise – where the client has asked for the entire range of tests to be applied to the company.

Mobile: Mobile devices now outstrip traditional laptops and desktops by a large margin, meaning that they are a primary focus for delivering content and user experience. This also makes them a great place to concentrate pen testing efforts. Hackers have long realized the potential of so many information sources and applications converging on an extremely vulnerable platform, and so it is encouraging to see so many thought leaders in the space helping secure your phones, tablets, and watches.

Application: Similar to web applications, and probably an older discipline, is thick-client application testing. Compute paradigms come and go (mainframe/terminal, distributed PC, client/server, etc.) but applications are the engines. An entire class of specialists work to uncover flaws in and help secure applications, operating systems, drivers, and other software that helps make the entire environment work. These folks are heavy in their software skills – programming, APIs, architecture, etc.

Hardware/Firmware: Last but not least are the hardware hackers – with so much moving into compute resources to implement functions and processes, it might be tempting to write this off. The truth is that today, hackers target firmware and other platform-architecture soft spots with alarming regularity, with threats like DarkEnergy and the more recent VPNFilter showing just how dangerous these hacks are. If you can’t trust the bricks in the house, how can you trust the walls or foundations?

As you can see, it is a huge field, and we’re in our own discovery phase, just scratching the surface! The categories blur too – showing just how many ways there are to hack an objective. For a perfect example we have only to look to the Internet of Things. IoT hacks might be of interest in the Hardware/Firmware specialties, or within the Application, Web, Network or Mobile disciplines…that will completely depend on the backgrounds of the resources employed to test!

Hacking scopes

Depending on the financial resources, technical competency, and maturity of the team and environment contracting or commissioning the test, some or all of the above hacking disciplines might be employed separately or as part of a blended team. A single customer might maintain a more frequent tempo of application or web pen tests for their own applications as part of their Software Development Life Cycle (SDLC) while employing outside testers as part of a more comprehensive suite of tests or to mimic full-scope attacks. It is often helpful to think of these tests as involving some combination of both scope and the attacker’s prior knowledge.

White Box: White box pen tests usually involve a very specific system or subsystem, and the tester typically has significant context and knowledge pertaining to the target, topology, or application under test. The owners or defenders may be performing the testing themselves, but at the very least they have knowledge of the test and its scope. These are often internally performed and likely part of a project’s implementation plan.

Gray Box: These tests usually involve limitations on the above – the target’s ownership may know a test is coming but lack the details. Likewise, the tester might have a head start, but be left to recon and infiltrate the objective with much less information. While the potential impact is not always the same, this could be akin to an insider from another department, or simulate the starting position of a hacker who has benefited from some social engineering. These sorts of tests provide significant bang for the buck in that they test deeper into the defenses of an environment and allow for some improvisation on the parts of both attacker and defender.

Black Box: The most extensive and realistic engagements are also the most costly and lengthy in time. Armed with little more than permission and a contract, testers target an environment that possibly no operator understands is under test. This is akin to what a new adversary might do, but given the lack of focus it can, in a less mature security environment, lead to a lot of findings that lay bare shortcomings not only on the technical side, but in the people and processes responsible for operating it. It may also be possible that the testers never actually stress-test the portions of the environment that the client is most interested in. Defining scope and potentially nudging them in the right direction (toward a gray box test, maybe?) might actually provide more fruit.

Summary

Hopefully this helps set the stage and gives you some background on the extensive world of pen testing. As an engineer for a major manufacturer, I can tell you, without a doubt, that the single biggest differentiator between the secure and not-so-secure businesses is the care and feeding of the staff in place. Well-trained and empowered staff will pay dividends. I don’t perform pen tests for clients but rather to help understand where products and approaches can fail. I do, however, interact with many agencies that perform these tests, and those clients we share that seem most secure tend to take testing as a serious follow-on to their own internal processes, audits, assessments, and planning.