There is understandably quite a bit of confusion in the marketplace when it comes to offensive security engagements. Consultants use a number of terms and phrases that overlap with one another quite a bit, and they often fail to differentiate between them effectively. For example:
- Vulnerability assessment
- Vulnerability research
- Penetration test
- Security audit
- Red teaming
- Social engineering
- Phishing campaigns
With so many words for related concepts, it’s no surprise that people unfamiliar with them get confused. But even some security firms blur the lines when it comes to what they’re offering and what they deliver on.
Automated tools and vulnerability scanners (Nessus, Metasploit Pro, Acunetix, etc.) make it easy to equate a vulnerability assessment with a penetration test, but doing so is dishonest. Using those tools to find vulnerabilities is a good first step, but it’s not the end-all.
The majority of engagement types fall into one of five categories, with room for overlap based on a client’s needs.
Vulnerability Assessment
Think of this as taking inventory of low-hanging fruit. Scanners like Nessus, its open-source counterpart OpenVAS, Acunetix, etc. have a lot of power under the hood.
But they don’t take much expertise to use. Getting results on a network can be as easy as specifying the network range, clicking “Start” and going out for lunch.
Calling this a penetration test doesn’t make sense because it lacks remediation. The client has to deal with the vulnerabilities on their own schedule, which may or may not happen at all.
A good penetration test report outlines the route to exploiting a vulnerability, not just the existence of one. Clients can look at that route and find the weak points, and pentesters can assist them.
A dossier of vulnerabilities doesn’t provide any new information. Every company has them, so just giving them name tags doesn’t make them more fixable.
- Not actionable
- Not comprehensive
Penetration Test (Internal)
Internal penetration tests are a good step toward the flashy, cinematic hacking engagement you see in Mr. Robot.
What makes them less involved is that they’re usually white-box or gray-box tests.
Black-box – No insider knowledge of the environment
Gray-box – A little insider knowledge of the environment
White-box – Complete insider knowledge of the environment
The pentester starts with either a lot or a little privileged information. This makes discovering exploitation points much less time-consuming, but still doesn’t provide an accurate idea of what a real hacker could accomplish.
On the other hand, assumptions about breakable perimeter security save time (and money). When a client wants an internal test for a greater purpose, such as a compliance requirement, assumptions don’t matter as much.
Curious tinkerers like myself lament that notion, but there is a time and place for a more complex engagement.
- Faster than an external test
- Actionable remediation items
- Least realistic type of penetration test
Penetration Test (External)
External penetration tests, typically gray-box or black-box, are much more realistic simulations of attacks.
Without access to the network or private office space (as an example), pentesters have to work from the outside to find vulnerabilities. Typically, the only method not employed in external pentests is social engineering.
The added benefit of performing tests externally is that it simulates an unforeseen attack. Because pentesters aren’t given access to the physical environment, they have to find ways in from the outside, exploiting wireless networks and/or perimeter security, for example.
- More realistic than internal testing
- More pertinent remediation items
- More expensive
- More time-consuming
Attack Surface Analysis
An attack surface analysis isn’t quite as flashy as the pentest above or the engagement in the next section, but it belongs in this spot because of where it falls in an exercise.
Attack surface analyses, which are really just risk assessments with a hacker on the team, cover what pentesters consider the “recon” phase of a full red team exercise. In this phase, they gather public information about members of management, influential staff and the financial dealings and relationships of a client.
Coupled with an assessment of infrastructure, an attack surface analysis can provide a lot of insight into the possible benefits of a pentest or larger security program build-out.
Red Team Engagement
This is the most intense level of engagement, where all is fair in lies and scams. In red team engagements, pentesters will use every tactic under the sun.
The client won’t give the pentesters a specific window in which to perform a red team exercise, making the approach harder to detect.
This most closely simulates a legitimate outside threat, thus providing the most accurate picture of a client’s security implementations.
- Most realistic type of test
- Assesses all areas of security measures in place
- Most pertinent remediation items
- Erodes trust
- Most time-consuming
Clarifying the facets of a security assessment benefits everyone.
With information security being a large, ambiguous field, standardized language is a good first step to understanding exactly what information security is in practice.