Penetration Testing Overview and Types
Questions and Answers

Which team is primarily responsible for conducting penetration tests?

  • White team
  • Red team (correct)
  • Purple team
  • Blue team

What role does the blue team play in cybersecurity?

  • Managing the engagement between different security teams.
  • Defending the system from attacks and security breaches. (correct)
  • Conducting penetration tests to find vulnerabilities.
  • Identifying and reporting ethical hacking vulnerabilities.

What is the primary purpose of a vulnerability scan?

  • To identify and evaluate potential security issues (correct)
  • To conduct user training on security best practices
  • To exploit vulnerabilities in a system
  • To provide real-time updates on system performance

What role do security operations teams play in vulnerability management?

  They classify and prioritize vulnerabilities for remediation.

What is the main function of a SIEM tool?

  To collect and correlate security event data

    Study Notes

    Penetration Testing Overview

    • Penetration testing, also known as pentesting or ethical hacking, simulates an attack against an organization's security infrastructure.
    • The goal of penetration testing is to identify vulnerabilities in network and physical security.
    • Different types of tests simulate internal or external threats, ranging from full knowledge of the target to no knowledge at all.

    Types of Penetration Tests

    • Known environment (white box) testing: The tester has complete knowledge of the target, which allows thorough testing but is unrealistic as a simulation of a real attacker.
    • Unknown environment (black box) testing: The tester has no information, which best simulates an external attack but does not cover insider threats.
    • Partially known environment (gray box) testing: The tester has partial information, like IP configurations, simulating insider threats.
    • Bug bounties: Programs where organizations offer rewards for identifying vulnerabilities. Ethical hackers operate within set guidelines and report findings based on severity.

    Security Teams

    • Red team: Ethical hackers responsible for performing penetration tests.
    • Blue team: Defense of the system, responsible for stopping the red team's advances.
    • Purple team: Combines red and blue team members, working on both offense and defense.
    • White team: Referees of cybersecurity, managing engagement between red and blue teams. Typically consists of managers or team leads.

    Documentation and Contracts

    • Two crucial documents define the penetration testing process:
      • Scope of work: Outlines the specific details of the test, including:
        • Who: Specific IP ranges, servers, and applications included.
        • What: Exclusions, such as servers or tactics.
        • When: Timeframe, deliverables, and deadlines.
        • Where: Location of the pentester and applicable laws.
        • Why: Purpose and goals of the test.
        • Special considerations: Travel, certifications, or unexpected elements.
        • Payment and additional work: Defining payment and handling requests for extra work.
      • Rules of engagement: Specifies how the test will be conducted:
        • Type of test: White box, black box, or gray box.
        • Data handling: Explicit statement on handling sensitive data encountered during the test.
        • Notifications: Detailed process for notifying the IT team.

    Penetration Testing Life Cycle

    • The penetration testing life cycle involves several distinct phases:

      • Perform reconnaissance (footprinting): Gathering information on the target, including publicly available data, social engineering techniques, and even physical investigation.
      • Scan/enumerate: Actively engaging with the target, scanning for vulnerabilities and obtaining information like:
        • Usernames
        • Computer names
        • Network resources
        • Share names
        • Running services
      • Gain access: Exploiting discovered vulnerabilities to gain access to the target.
      • Maintain access: Installing backdoors, rootkits, or Trojans to maintain persistent access.
      • Report: Generating test results and supporting documentation. This crucial phase produces a detailed report for both the pentester and the organization.

    Vulnerability Scan

    • An automated process used to identify and evaluate potential security vulnerabilities
    • Targets networks, operating systems, applications, and other operational areas
    • Detects known vulnerabilities including insecure configurations, outdated software versions, or missing patches
    • Requires regular scanning to maintain an accurate security posture and identify new vulnerabilities

    Threat Feeds

    • Real-time, continuously updated sources of information about potential threats and vulnerabilities
    • Aggregate data from cybersecurity researchers, vendors, and global security communities
    • Integrate data into vulnerability scanning tools, improving detection capabilities
    • Help organizations stay ahead of the threat landscape, enabling prioritization and addressing of critical vulnerabilities

    Threat Feed Platforms

    • Common platforms include AlienVault's OTX, IBM's X-Force Exchange, and Recorded Future
    • Gather, analyze, and distribute information about new and emerging threats
    • Provide actionable intelligence for vulnerability management practices and security infrastructure tools

    Threat Feed Types

    • Third-party Threat Feeds:

      • Open-source and proprietary feeds providing real-time information on cyber threats and vulnerabilities
      • Open-source feeds are free and accessible to all, ideal for smaller organizations with limited budgets
      • Proprietary feeds offer more comprehensive information and advanced analytical insights, but come at a cost
    • Threat Feed Outputs:

      • Behavioral Threat Research: Narrative commentary describing attack examples and TTPs
      • Reputational Threat Intelligence: Lists of IP addresses and domains associated with malicious behavior and file-based malware signatures
      • Threat Data: Computer data correlating events observed on customer networks and logs with known TTPs and threat actor indicators, often packaged as feeds integrated with SIEM platforms

    Threat Intelligence Platforms

    • Closed or proprietary platforms, offering paid subscriptions to access threat research and CTI data
    • Examples include IBM X-Force Exchange, Mandiant's FireEye, and Recorded Future

    Open-Source Intelligence (OSINT)

    • Collecting and analyzing publicly available information to support decision-making in cybersecurity operations
    • Gathers data from blogs, forums, social media platforms, and the dark web
    • Provides insights into new malware types, attack strategies, and recently discovered vulnerabilities
    • OSINT tools automate the collection and analysis of this information, identifying potential threats

    Common OSINT Tools

    • Shodan for investigating internet-connected devices
    • Maltego for visualizing information networks
    • Recon-ng for web-based reconnaissance activities
    • TheHarvester for gathering emails, subdomains, hosts, and employee names

    Information-Sharing Organizations

    • Collaborative groups exchanging data about emerging cybersecurity threats and vulnerabilities
    • Collect, analyze, and disseminate threat intelligence from various sources
    • Enhance collective cybersecurity resilience and promote a collaborative approach to tackling cyber threats

    Examples of Information-Sharing Organizations

    • Cyber Threat Alliance
    • Information Sharing and Analysis Centers (ISACs)

    The Deep and Dark Web

    • Sources of threat intelligence
    • Deep web: Parts of the World Wide Web not indexed by search engines, including pages requiring registration, pages blocking search indexing, unlinked pages, and non-standard DNS content
    • Dark web: Network established as an overlay to Internet infrastructure using software like The Onion Router (TOR), Freenet, or I2P, ensuring anonymized usage and preventing third-party monitoring
    • Dark websites are hidden from regular browser access, often accessed through word of mouth
    • Useful for counterintelligence, but participating in illegal activities is strictly prohibited

    Other Vulnerability Identification Methods

    • Penetration Testing:
      • Aggressive approach to vulnerability management
      • Ethical hackers attempt to breach an organization's security, simulating real-world attack scenarios
      • Effective at identifying specific vulnerabilities that may be missed by automated scans and threat feeds
    • Bug Bounties:
      • Organizations incentivize external security researchers ("white hat" hackers) to discover and report vulnerabilities
      • Offers rewards for finding and reporting vulnerabilities
      • Allows for diverse skill sets and perspectives, potentially uncovering complex, difficult-to-find vulnerabilities
    • Responsible Disclosure Programs:
      • Organizations establish procedures for reporting and addressing security vulnerabilities
      • Encourages individuals to report vulnerabilities, allowing organizations to fix them before they are exploited
    • Auditing:
      • Assess an organization's security controls, policies, and procedures using benchmarks like ISO 27001 or the NIST Cybersecurity Framework
      • Identify technical vulnerabilities and operational weaknesses impacting security posture
      • Includes compliance, risk-based, and technical audits
      • Penetration testing fits into technical audits by providing a practical assessment of the organization's defenses
      • Plays a crucial role in compliance audits, as regulations often mandate regular penetration testing

    Vulnerability Management

    • A key aspect of cybersecurity, encompassing identification, classification, remediation, and mitigation of vulnerabilities.
    • Involves using vulnerability scanners to systematically detect security weaknesses in systems and networks.
    • Performed both internally and externally to gain insights from different network perspectives.

    Vulnerability Scanning

    • Involves specialized software tools for probing systems and networks.
    • Identifies vulnerabilities such as open ports, active IP addresses, running applications, missing patches, default accounts, misconfigurations, and missing security controls.
    • Classified and prioritized for remediation by security operations teams.
    • Supports application security by identifying misconfigurations and missing patches in software.
    • Advanced techniques include specialized application scanners, penetration testing frameworks, and static and dynamic code testing.
    • Tools like OpenVAS and Nessus offer comprehensive features for analyzing network equipment, operating systems, databases, patch compliance, and configurations.

    Vulnerability Scan Options

    • Intrusive Scan: Attempts to exploit vulnerabilities for accurate results, but is not suitable for live systems.
    • Non-Intrusive Scan: The more common type, identifies potential vulnerabilities but doesn't validate their exploitability. Can be performed on live systems, requiring further action from security personnel.
    • Credentialed Scan: Uses privileged user accounts for in-depth analysis, especially for detecting misconfigured applications or security settings. Similar to an insider attack.
    • Non-Credentialed Scan: Uses unprivileged network access without authentication, resembling the perspective of an attacker without high-level permissions. Suitable for external assessments and web application scanning.

    Application Vulnerability Scanning

    • Specialized technique for identifying software application weaknesses.
    • Includes static analysis (code review without execution) and dynamic analysis (testing running applications).
    • Focuses on vulnerabilities such as unvalidated inputs, broken access controls, and SQL injection.
    • Handled separately from general vulnerability scanning due to the unique nature of software applications and their vulnerabilities.

    Package Monitoring

    • Critical for application vulnerability assessment.
    • Tracks and assesses the security of third-party software packages, libraries, and dependencies.
    • Ensures these components are up-to-date and free from known vulnerabilities.
    • Related to managing software bills of materials (SBOM) and software supply chain risk management.
    • Typically achieved through automated tools and governance policies.
    • Automated Software Composition Analysis (SCA) tools track and monitor software packages, identify outdated or vulnerable ones, and suggest updates.
    • Governance policies may include regular software audits, approval processes for new packages, and procedures for updates or patching.
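The following is an added example of the kind of check an SCA tool performs for package monitoring; it is not code from the original notes or from any named product. It parses a constructed CycloneDX-style SBOM fragment and compares each component against a constructed advisory list with affected-version ranges. Every package name, version and advisory ID here is an invented placeholder, not a real vulnerability.

```python
"""Package monitoring: check an SBOM's components against an advisory list.

Added example (not from the original notes). The SBOM fragment and the
advisory list below are constructed; package names, versions and IDs
are placeholders.
"""
import json

# Constructed CycloneDX-style SBOM fragment (only the fields used here).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "examplelib", "version": "1.4.2"},
    {"name": "jsonthing",  "version": "2.0.0"},
    {"name": "netutils",   "version": "0.9.10"}
  ]
}
"""

# Constructed advisory feed: a component is affected when
# introduced <= version < fixed; fixed=None means no fixed release yet.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "examplelib",
     "introduced": "1.0.0", "fixed": "1.4.3", "severity": "high"},
    {"id": "EXAMPLE-ADV-0002", "package": "netutils",
     "introduced": "0.9.0", "fixed": "0.9.9", "severity": "medium"},
    {"id": "EXAMPLE-ADV-0003", "package": "jsonthing",
     "introduced": "2.0.0", "fixed": None, "severity": "low"},
]


def parse_version(v):
    """Dotted numeric versions compared as integer tuples, so 0.9.10 > 0.9.9
    (a plain string comparison would get this wrong)."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version, introduced, fixed):
    """True when `version` falls inside the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def audit_sbom(sbom_json, advisories):
    """Return findings ordered by severity, each with a suggested upgrade
    version when the advisory names a fixed release."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    components = json.loads(sbom_json)["components"]
    findings = []
    for comp in components:
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "package": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "upgrade_to": adv["fixed"],  # None: no fixed version available
                })
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for finding in audit_sbom(SBOM_JSON, ADVISORIES):
        print(finding)
```

Note that netutils 0.9.10 is correctly reported as clean: the numeric tuple comparison places it above the fixed release 0.9.9, whereas a naive string comparison would have flagged it.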

    Security Information and Event Management (SIEM)

    • SIEM software collects and analyzes security data from various sources to provide reporting and alerting.
    • Data sources include network sensors, appliance/host/application logs, switches, routers, firewalls, IDS sensors, packet sniffers, vulnerability scanners, malware scanners, and data loss prevention (DLP) systems.
    • SIEM uses three main types of data collection: Agent-based, Listener/Collector, and Sensor.

    Data Collection

    • Agent-based collection installs an agent service on each host to filter, aggregate, and normalize logging data before sending it to the SIEM server.
    • Listener/Collector approach configures hosts to push log changes to the SIEM server, where a process parses and normalizes the data.
    • Sensor collection gathers packet captures and traffic flow data from sniffers, which record network data using switch mirror ports or network taps.

    Log Aggregation

    • SIEM normalizes data from different sources for consistency and searchability.
    • Connectors or plug-ins interpret data from various systems and account for differences in vendor implementations.
    • Each data source requires a parser to identify attributes and content for mapping to standard fields in the SIEM's reporting and analysis tools.
    • SIEM standardizes date/time zone differences for a single timeline.

    Alerting

    • SIEM uses correlation rules to interpret relationships between data points and diagnose significant security incidents.
    • Correlation rules are logic expressions using operators like AND, OR, ==, <, >, and in.
    • Examples include multiple user login failures for the same account within one hour.
    • SIEM can be configured with a threat intelligence feed to associate observed data points with known threat actor indicators.
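The log aggregation and alerting steps above (per-source parsers mapping to standard fields, time-zone normalization onto one timeline, a correlation rule, and a threat-feed lookup) are shown together in this added example, which is not code from the original notes or from any SIEM product. The two log formats, the host names, the IP addresses and the indicator list are all constructed for the example; the "3 failures within one hour" threshold is the notes' own example rule.

```python
"""Minimal SIEM-style aggregation and correlation (added example).

Two constructed log formats are parsed into common fields, timestamps are
normalized to UTC so both sources share one timeline, a correlation rule
flags repeated login failures for one account within a one-hour window,
and a constructed indicator list stands in for a reputational threat feed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone, timedelta

# Constructed sample input. The syslog lines carry a -02:00 local offset;
# the Windows-style CSV lines are already in UTC (4625 = logon failure,
# 4624 = logon success). None of these hosts or addresses are real.
SYSLOG_LINES = [
    "2024-03-01T09:00:05-02:00 host1 sshd[2211]: Failed password for alice from 203.0.113.9 port 5022 ssh2",
    "2024-03-01T09:10:40-02:00 host1 sshd[2230]: Failed password for alice from 203.0.113.9 port 5031 ssh2",
    "2024-03-01T09:20:12-02:00 host1 sshd[2241]: Accepted password for bob from 198.51.100.4 port 5100 ssh2",
]
WINDOWS_LINES = [
    "2024-03-01 11:30:00Z,4625,alice,203.0.113.9",
    "2024-03-01 11:45:00Z,4624,bob,198.51.100.4",
    "2024-03-01 14:00:00Z,4625,alice,203.0.113.9",  # outside the one-hour window
]
# Constructed reputational feed: addresses treated as known-bad in this example.
THREAT_FEED_IPS = {"203.0.113.9"}

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_syslog(line):
    """Connector for the syslog format: map vendor fields to standard ones."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
    return {"ts": ts, "host": m["host"], "user": m["user"], "src_ip": m["ip"],
            "outcome": "failure" if m["result"] == "Failed" else "success"}


def parse_windows(line):
    """Connector for the constructed Windows-style CSV format."""
    ts_raw, event_id, user, ip = line.split(",")
    ts = datetime.strptime(ts_raw, "%Y-%m-%d %H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": "win1", "user": user, "src_ip": ip,
            "outcome": "failure" if event_id == "4625" else "success"}


def aggregate(syslog_lines, windows_lines):
    """Normalize every source into one timeline ordered by UTC timestamp."""
    events = [e for e in map(parse_syslog, syslog_lines) if e]
    events += [parse_windows(line) for line in windows_lines]
    return sorted(events, key=lambda e: e["ts"])


def correlate_failed_logins(events, threshold=3, window=timedelta(hours=1)):
    """Correlation rule: >= threshold failures for the same account within window."""
    alerts = []
    failures = defaultdict(list)  # account -> timestamps of recent failures
    for e in events:
        if e["outcome"] != "failure":
            continue
        q = failures[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:  # slide the window forward
            q.pop(0)
        if len(q) >= threshold:
            alerts.append({"rule": "repeated_login_failure", "user": e["user"],
                           "count": len(q), "last_seen": e["ts"]})
            q.clear()  # one burst produces one alert
    return alerts


def match_threat_feed(events, feed_ips):
    """Associate observed source addresses with the indicator list."""
    return [e for e in events if e["src_ip"] in feed_ips]


if __name__ == "__main__":
    timeline = aggregate(SYSLOG_LINES, WINDOWS_LINES)
    for alert in correlate_failed_logins(timeline):
        print(alert)
    print(len(match_threat_feed(timeline, THREAT_FEED_IPS)), "events from feed-listed addresses")
```

The time-zone step matters for the rule: the two syslog failures at 09:00 and 09:10 local time and the Windows failure at 11:30Z only land inside the same one-hour window once all three are expressed in UTC.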

    Validation and Quarantine

    • Validation during analysis determines if an alert is a true positive (actual threat activity).
    • False positives are alerts triggered without actual threat activity.
    • Quarantine isolates the source of indicators, such as a network address, host computer, or file.
    • Playbooks guide alert response and remediation steps, automating validation and remediation in some cases.

    Reporting

    • SIEM provides reporting capabilities for managerial control and insight into security system status.
    • Reports are tailored to different audiences, including:
      • Executive reports: High-level summaries for planning and investment decisions.
      • Manager reports: Detailed information for cybersecurity and department leaders for operational decision-making.
      • Compliance reports: Information required by regulations.
    • Common reporting use cases include:
      • Authentication data (failed login attempts and file audit data).
      • Hosts with missing patches and vulnerabilities.
      • Privileged user account anomalies.
      • Trend reporting of key metric changes over time.
    • Two types of reporting:
      • Alerts and alarms: Detect threat indicators and initiate incident cases.
      • Status reports: Communicate threat levels, incident counts, security control effectiveness, and response procedure efficiency.

    Archiving

    • SIEM enacts a retention policy to keep historical log and network traffic data for a defined period.
    • This enables retrospective incident and threat hunting and provides forensic evidence.
    • Archiving also meets compliance requirements for security information storage.
    • A log rotation scheme moves outdated information to archive storage to maintain SIEM performance.

    Alert Tuning

    • Correlation rules assign criticality levels to matches (Log only, Alert, Alarm).
    • Alert tuning is crucial to reduce false positives and prevent alert fatigue.
    • Techniques for managing alert tuning include:
      • Refining detection rules and muting alert levels.
      • Redirecting sudden alert "floods" to a dedicated group.
      • Redirecting infrastructure-related alerts to a dedicated group.
      • Continuous monitoring of alert volume and analyst feedback.
      • Deploying machine learning (ML) analysis to automate rule tuning.
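As an added example of the tuning techniques just listed (it is not code from the original notes or any SIEM product), the dispatcher below assigns each rule match a criticality level from a rule table, honors per-rule mutes, redirects infrastructure-tagged alerts and sudden floods to dedicated queues, and demotes a rule to log-only once analyst feedback shows it is mostly false positives. The rule names, queue names, thresholds and feedback ratio are all invented for the example.

```python
"""Alert tuning and routing for correlation-rule matches (added example).

Rule table, queue names, flood threshold and false-positive ratio are
constructed values, not settings from any real product.
"""
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

# Constructed rule table: criticality per rule (log_only / alert / alarm)
# plus a tag for rules whose matches usually stem from infrastructure.
RULES = {
    "repeated_login_failure": {"level": "alert", "infra": False},
    "admin_group_change":     {"level": "alarm", "infra": False},
    "link_flap":              {"level": "alert", "infra": True},
    "dns_query_volume":       {"level": "log_only", "infra": False},
}
FLOOD_THRESHOLD = 5                 # more matches than this inside FLOOD_WINDOW
FLOOD_WINDOW = timedelta(minutes=5)
FP_DEMOTE_RATIO = 0.8               # demote a rule above this false-positive share
MIN_VERDICTS = 5                    # do not tune on fewer analyst verdicts


class AlertRouter:
    def __init__(self, rules, muted=()):
        self.rules = {name: dict(cfg) for name, cfg in rules.items()}
        self.muted = set(muted)
        self.recent = {name: deque() for name in rules}      # match timestamps
        self.feedback = {name: Counter() for name in rules}  # analyst verdicts

    def route(self, match):
        """Return (level, queue) for one match: {"rule": str, "ts": aware datetime}."""
        name = match["rule"]
        cfg = self.rules[name]
        level = "log_only" if name in self.muted else cfg["level"]
        if level == "log_only":
            return level, "log"
        # Flood detection: sliding count of this rule's matches.
        q = self.recent[name]
        q.append(match["ts"])
        while q and match["ts"] - q[0] > FLOOD_WINDOW:
            q.popleft()
        if len(q) > FLOOD_THRESHOLD:
            return level, "flood_review"
        if cfg["infra"]:
            return level, "infrastructure"
        return level, ("soc_alarms" if level == "alarm" else "soc_alerts")

    def record_feedback(self, rule, true_positive):
        """Feed analyst verdicts back into tuning; returns the rule's current level."""
        fb = self.feedback[rule]
        fb["tp" if true_positive else "fp"] += 1
        total = fb["tp"] + fb["fp"]
        if total >= MIN_VERDICTS and fb["fp"] / total > FP_DEMOTE_RATIO:
            self.rules[rule]["level"] = "log_only"
        return self.rules[rule]["level"]


if __name__ == "__main__":
    t0 = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    router = AlertRouter(RULES, muted={"dns_query_volume"})
    for i in range(6):
        print(router.route({"rule": "repeated_login_failure", "ts": t0 + timedelta(seconds=i)}))
```

The demotion rule deliberately waits for a minimum number of verdicts so that a single early false positive cannot silence a rule; in practice that minimum and the ratio are the knobs an operations team adjusts from the alert-volume and feedback monitoring the notes describe.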

    Quiz Team

    Description

    This quiz covers the fundamentals of penetration testing, also known as ethical hacking. Learn about different testing environments, including white box, black box, and gray box testing. Understand the goals of pentesting in identifying security vulnerabilities.
