Lecture
Penetration testing (jargon: pentest) is a method of assessing the security of computer systems or networks by simulating an attack by a malicious actor. The process includes an active analysis of the system for potential vulnerabilities that could cause the target system to work incorrectly or to stop working entirely (denial of service). The analysis is conducted from the perspective of a potential attacker and may include actively exploiting the vulnerabilities found. The result of the work is a report listing all the security vulnerabilities found; it may also contain recommendations for eliminating them. The purpose of a penetration test is to assess whether an attack could actually be carried out and to predict the economic losses that a successful attack would cause. A penetration test is one part of a security audit.
Penetration tests can be based on several different methods. The main difference between them is how much information about the system under study is available. When testing closed systems (black-box testing), the attacker has no initial information about the internal structure of the target. The initial task in this type of test is therefore to collect the necessary information about the location of the target system and its infrastructure. Besides closed systems there are open systems (full information about the target is available) and semi-closed systems (only partial information is available).
Target systems include computer systems that are accessible from the Internet. The penetration test must be carried out before the target system is released for mass use. This gives a certain level of assurance that an attacker will not be able to harm the operation of the system under study, directly or indirectly.
The main goal of penetration tests is to confirm or refute the possibility of unauthorized access to protected information through the vulnerabilities found. The main principle of their execution is to provide the necessary evidence by using the same techniques and methods that attackers use.
The attacker is the central concept in the field of pentesting. The final result depends largely on which intruder model is taken as the basis for the work. Most often two characteristics of an attacker are considered: awareness and qualification. But this is not enough, since in such a two-dimensional picture it is hard to distinguish a dismissed employee from a current administrator, or a lone hacker from a member of a criminal group. It is advisable to add “equipment level” and “motivation” to the characteristics of the presumed attacker; these make it possible to take into account what means the attacker can use and how determined he is in his actions.
Another important point concerns the conceptual limitations of a pentest. When the contractor searches for and analyses vulnerabilities, only known vulnerabilities are ever considered. Searching for unknown vulnerabilities and developing fundamentally new attack techniques is a separate research task for other people with the appropriate training and resources. Pentesting is a purely practical discipline, not a research one, unless the customer is willing to pay for both.
However, it is wrong to treat a pentest as the mechanical work of identifying vulnerabilities followed by selecting suitable means of exploiting them. If everything were that simple, pentesting would have been automated long ago. It requires serious analytical work from the contractor, a deep understanding of the nature of the detected vulnerabilities, and a readiness to adapt existing attack methods and techniques to a specific environment.
Critics claim that most pentests are limited to simple scenarios and that the results obtained are therefore not reliable enough. One could agree with this if it were not for one “but”. The choice of attack methods is based, among other things, on the principle of simplicity: the simpler and more reliable a specific attack scenario, the more predictable its result and the more often it will be used. Leaving aside large corporations that invest significant sums in information security, one finds that complicated scenarios are not required to compromise the average organization. Critical vulnerabilities often lie on the surface. Statistics on successful pentests confirm this.
To back up all of the above with a practical example, consider a typical situation that every pentester encounters; it helps to trace the logic of his actions.
Suppose that during the analysis of a public web service the pentester discovered a critical vulnerability in the version of PHP in use, related to an overflow. He also found that the only code available for this vulnerability is a PoC (proof of concept) that implements relatively harmless functionality. What should he do in this case?
The answer depends on two things: 1) what model of the presumed attacker is considered in the context of this pentest, and 2) whether there are simpler attack vectors against the web service with similar potential. If no other attack vectors are in view, and a “dark hacker” is chosen as the presumed attacker, one who has sufficient time and persistence but is limited in resources, then the pentester must examine this vulnerability more closely to answer the question of whether a functional exploit providing remote code execution can be created.
Now let us ask: how does the situation change if, instead of the public web server where the vulnerability was discovered, the pentester is dealing with the organization’s internal web server? Firstly, the model of the presumed attacker changes, and secondly, other promising attack vectors will very probably appear. In this situation the presumed internal attacker is unlikely to be interested in a vulnerability with unknown prospects. The pentester should be guided by the same logic.
Let us complicate the problem further. Assume that the vulnerability has a high exploitation potential and has therefore been sold on the black market. What should the pentester do in this case? Again, much depends on the model of the presumed attacker. If the attacked web server is of considerable interest to the presumed intruders, who are taken to be an organized criminal group, for example one engaged in the theft and sale of bank card numbers, it must be assumed that such a group may have all the tools needed to exploit this vulnerability. The average pentester does not have such tools. Therefore all he can do is collect as much information as possible about the attack vectors for this vulnerability and set out in the report the details he knows, providing an evidence base for his conclusions.
For dessert, consider a situation in which the pentester deals with a vulnerability whose exploitation requires a MitM attack. Such attacks often require social engineering against employees of the organization under attack. Does this mean that the pentester should go the same way? There is no single answer to this question. While a potential attacker is hardly limited in time, the pentester is strictly limited by the scope of the contract, including its time limits. Although, let's face it, with a well-thought-out organization of work and the necessary infrastructure in place, the additional cost of a social engineering campaign is small.
In any case, the choice of additional pentest options always remains with the customer.
Members of the Special Interest Group (PCI SSC SIG) came to a similar conclusion while working on the Penetration Testing Guidance document. None of the alternatives the group considered makes it possible to define a minimum set of test scenarios equally applicable to any customer. Thus pentest profiling, the definition of the specific methodology for performing the work, is decided individually in each case.
The examples above cover only some of the situations pentesters encounter in their daily work. The logic that guides particular contractors is often opaque and incomprehensible to customers, and the decision criteria are not stated. The numerous limitations and assumptions that accompany most pentests leave a feeling of something left unsaid and cast a shadow over the result.
So how should a modern pentest be transformed to bring honesty and transparency into this business?
First of all, the customer and the contractor must jointly choose the model of the presumed attacker. This model should be sufficiently detailed and as close to reality as possible. Given which services and which data are included in the scope of work, it is necessary to determine the profile of a potential attacker and his probable goals. The terms of the work must always be determined by the customer. It should be remembered that the model of the presumed attacker determines the maximum level of complexity of the pentest. The lower limit is the principle of simplicity already mentioned: when performing the work, the contractor moves from simpler attack vectors (for example, guessing primitive and default administrative passwords) to more complex ones (for example, social engineering using specially prepared malicious code). The penetration testing policy should also be stated in the contract terms. A common practice is for the pentester to stop work if a positive result was achieved while testing one of the scenarios (that is, the goal of the pentest was reached). It seems logical to increase the level of complexity only if the simpler attack vectors did not lead to the desired result.
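As an added illustration of the scoping rules in this paragraph and of the four-characteristic attacker model described earlier (this is example code written for this edit, not part of the lecture), the following Python models an engagement plan: the attacker model sets the upper bound on which scenarios are in scope, the principle of simplicity orders them from simplest to most complex, the contract budget limits the contractor, and work stops at the first scenario that reaches the goal. The 1-to-3 scales, the complexity formula, the hour estimates, the sample scenarios, the attacker models and the simulated outcomes are all constructed assumptions.

```python
"""Engagement planner: attacker model as the upper bound, principle of
simplicity as the ordering, contract budget as the hard limit.

Added example for this lecture, not code from the original text. The 1..3
scales, the complexity formula, the hour estimates, the sample scenarios and
the simulated outcomes are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class AttackerModel:
    """The four attacker characteristics discussed in the lecture, scored 1..3."""
    name: str
    awareness: int      # knowledge of the target's internals (outsider=1, insider=3)
    qualification: int  # technical skill
    equipment: int      # tools, exploits and resources at the attacker's disposal
    motivation: int     # persistence and time the attacker is willing to invest


@dataclass(frozen=True)
class Scenario:
    """An attack scenario and the minimum attacker attributes it requires."""
    name: str
    needs_awareness: int
    needs_qualification: int
    needs_equipment: int
    needs_motivation: int
    hours: int  # contractor effort estimate (assumed)

    @property
    def complexity(self) -> int:
        # Assumption: complexity is the sum of the requirements; sorting by it
        # is how the principle of simplicity is applied below.
        return (self.needs_awareness + self.needs_qualification
                + self.needs_equipment + self.needs_motivation)


def in_model(scenario: Scenario, attacker: AttackerModel) -> bool:
    """A scenario is in scope only if the modelled attacker could carry it out."""
    return (scenario.needs_awareness <= attacker.awareness
            and scenario.needs_qualification <= attacker.qualification
            and scenario.needs_equipment <= attacker.equipment
            and scenario.needs_motivation <= attacker.motivation)


def plan(scenarios: List[Scenario], attacker: AttackerModel) -> List[Scenario]:
    """Attacker model sets the ceiling; simplest scenarios come first."""
    return sorted((s for s in scenarios if in_model(s, attacker)),
                  key=lambda s: (s.complexity, s.hours))


def run_engagement(scenarios: List[Scenario], attacker: AttackerModel,
                   budget_hours: int, execute: Callable[[Scenario], bool]) -> Dict:
    """Walk the plan from simplest to most complex. Stop at the first scenario
    that reaches the goal, or when the next scenario would exceed the contract
    budget; everything not attempted is listed in the report."""
    ordered = plan(scenarios, attacker)
    report: Dict = {
        "attacker": attacker.name,
        "out_of_model": [s.name for s in scenarios if not in_model(s, attacker)],
        "attempted": [],      # (scenario name, goal reached?) in execution order
        "not_reached": [],    # in-model scenarios left untested
        "goal_reached": False,
        "hours_used": 0,
    }
    for i, s in enumerate(ordered):
        if report["hours_used"] + s.hours > budget_hours:
            report["not_reached"] = [x.name for x in ordered[i:]]
            break
        success = execute(s)
        report["hours_used"] += s.hours
        report["attempted"].append((s.name, success))
        if success:
            report["goal_reached"] = True
            report["not_reached"] = [x.name for x in ordered[i + 1:]]
            break
    return report


# Constructed sample scenarios, loosely following the lecture's examples.
SCENARIOS = [
    Scenario("default admin passwords", 1, 1, 1, 1, hours=4),
    Scenario("php overflow (PoC only)", 1, 3, 1, 3, hours=40),
    Scenario("purchased exploit", 1, 2, 3, 1, hours=8),
    Scenario("mitm + social engineering", 2, 2, 2, 3, hours=24),
    Scenario("insider admin access", 3, 1, 1, 1, hours=4),
]

# Constructed attacker models.
LONE_HACKER = AttackerModel("lone hacker", awareness=1, qualification=3,
                            equipment=1, motivation=3)
CRIMINAL_GROUP = AttackerModel("organized criminal group", awareness=1,
                               qualification=3, equipment=3, motivation=3)
INSIDER_ADMIN = AttackerModel("current administrator", awareness=3,
                              qualification=2, equipment=1, motivation=1)

# Constructed outcomes standing in for real test results (default: no success).
SIMULATED_OUTCOMES = {"purchased exploit": True, "insider admin access": True}


def simulated_execute(scenario: Scenario) -> bool:
    return SIMULATED_OUTCOMES.get(scenario.name, False)


if __name__ == "__main__":
    for attacker in (LONE_HACKER, CRIMINAL_GROUP, INSIDER_ADMIN):
        print(run_engagement(SCENARIOS, attacker, budget_hours=30,
                             execute=simulated_execute))
```

The report's `out_of_model` and `not_reached` lists are the point for the customer: they make explicit which scenarios were excluded by the agreed attacker model and which were never reached because of the stop rule or the contract budget, which is exactly the information the lecture says is usually left unstated.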
The composition of the attack scenarios implemented for a specific model of the presumed attacker is the contractor's internal kitchen. Developing this scenario-based approach is the future of pentesting. Improving it is tied both to the evolving attacker model and to new attack techniques, as well as to the level of technology in general. While simple attack scenarios remain virtually unchanged, implementing the complex attacks carried out by the most dangerous attackers is an objective necessity for the customer and a competitive advantage for the contractor.