Pentesting Methodologies: OSSTMM and PTES

Questions and Answers

Which of the following is a primary focus of the Open Source Security Testing Methodology Manual (OSSTMM)?

  • Outlining a complete methodology for security assessment. (correct)
  • Developing secure web applications and services.
  • Executing penetration tests under a comprehensive standard.
  • Providing a detailed knowledge base of attacker tactics and techniques.

Why should penetration testers supplement the OSSTMM with more current standards and methodologies?

  • OSSTMM primarily focuses on web application security.
  • OSSTMM does not include a complete methodology for security assessment.
  • OSSTMM lacks guidance on compliance and regulatory issues.
  • OSSTMM may not reflect the latest threats and technology advancements. (correct)

Which organization is responsible for developing and maintaining the Penetration Testing Execution Standard (PTES)?

  • A collaborative community effort (correct)
  • ISECOM
  • The OWASP Foundation
  • MITRE

What is the primary goal of the Penetration Testing Execution Standard (PTES)?

  • To offer a standardized framework for conducting penetration tests. (D)

Which of the following best describes the focus of the OWASP Web Security Testing Guide (WSTG)?

  • A guide specifically for testing the security of web applications and services. (A)

In which phase of the Web Security Testing Framework, as outlined in the OWASP WSTG, would you primarily focus on identifying potential vulnerabilities in a web application?

  • Analysis (D)

MITRE ATT&CK is primarily used to:

  • Catalog attacker tactics, techniques, and procedures based on real-world observations. (A)

How can penetration testers leverage the MITRE ATT&CK framework to improve the effectiveness of their tests?

  • By using it to guide the execution of tests, based on real-world attack techniques. (D)

In the MITRE ATT&CK framework, what does a 'Tactic' represent?

  • The immediate objective an attacker is trying to achieve during an attack. (A)

Which of the following best describes the relationship between 'Techniques' and 'Tactics' within the MITRE ATT&CK framework?

  • Tactics represent 'what' an attacker is trying to achieve, while Techniques represent 'how' they achieve it. (D)

Why is it important for organizations to stay updated with the latest versions and information within the MITRE ATT&CK framework?

  • To accurately simulate the most current and relevant threat scenarios. (A)

Among the following options, which is NOT typically considered a primary benefit of following a recognized pentesting methodology?

  • Guaranteeing complete elimination of all vulnerabilities. (D)

How does using a well-known penetration testing methodology benefit the customer receiving the pentest?

  • It provides assurance that the pentest will be thorough, consistent, and aligned with industry best practices. (C)

A penetration tester discovers a vulnerability during an assessment that is not covered by the specific pentesting methodology they are following. What should they do?

  • Document the vulnerability and inform the client, even though it's not part of the planned methodology. (D)

Which scenario demonstrates the most effective application of multiple pentesting methodologies?

  • A tester integrates elements from different methodologies to create a customized approach that best fits the specific needs and context of the assessment. (C)

Flashcards

OSSTMM

A comprehensive guide to security assessment, covering various aspects of security testing.

PTES

A guide to conducting penetration tests, detailing processes and methodologies for effective testing.

OWASP WSTG

A guide focused on testing the security of web applications and web services.

MITRE ATT&CK

A knowledge base of attacker tactics, techniques, and procedures (TTP) based on real-world observations.

Why use Pentesting Methodologies?

To show that planned methods are valid, using well-known and accepted pentesting methodologies.

OSSTMM Developer

A methodology for security assessment developed by ISECOM.

Primary purpose of OSSTMM

To objectively measure operational security.

Four phases of OSSTMM

Information Gathering, Validation, Attack Phase, Reporting

Purpose of PTES

A guide for conducting penetration tests

Main sections of PTES

Pre-engagement Interactions, Intelligence Gathering, Threat Modeling, Vulnerability Analysis, Exploitation, Post Exploitation, Reporting

Purpose of OWASP WSTG

A guide for testing the security of web applications and web services.

OWASP Web Security Testing Framework Phases

Information Gathering, Configuration and Deployment Management Testing, Identity Management Testing, Authentication Testing, Authorization Testing.

What is MITRE ATT&CK?

A detailed knowledge base of attacker tactics, techniques, and procedures (TTP).

Why MITRE developed ATT&CK

Documenting common adversary tactics and techniques to improve post-compromise detection.

ATT&CK Technology Domains

Enterprise, Mobile, and Cloud.

Study Notes

  • This lab compares various pentesting methodologies and researches popular ones to validate planned methods for a customer's penetration test.

OSSTMM (Open Source Security Testing Methodology Manual)

  • OSSTMM includes a complete methodology for security assessment.
  • OSSTMM is a good starting point for planning security tests and audits; use it in combination with more up-to-date standards and methodologies.
  • The organization develops the OSSTMM, but its specific activities aren't mentioned.
  • The OSSTMM publication states primary and secondary purposes, but the specifics are not given here; refer to the document itself.
  • Following the OSSTMM guidelines correctly assures six outcomes, but the specifics are not stated here; refer to the documentation.
  • Applying the OSSTMM when combining the 4 Point Process and the Trifecta involves ten steps; the specifics were not mentioned.

PTES (Penetration Testing Execution Standard)

  • PTES is a comprehensive guide to the process of conducting penetration tests.
  • PTES comprises seven main sections; the specifics are not mentioned.
  • The stated purpose of the PTES wasn't specified.
  • A document specifies tools and techniques to be used, though which one is not mentioned.

OWASP WSTG (OWASP Web Security Testing Guide)

  • The OWASP WSTG is a guide for testing the security of web applications and web services, not a general penetration testing guide.
  • It focuses on developing, deploying, and maintaining secure web applications.
  • The five phases of the Web Security Testing Framework are not specified.
  • The stated purpose of the OWASP WSTG is not clear.
  • The OWASP Web Testing Framework defines twelve categories of active tests, but specifics were not mentioned.

MITRE ATT&CK

  • MITRE ATT&CK is a detailed knowledge base of attacker tactics, techniques, and procedures (TTP) gathered from real attacks.
  • Penetration testers can use it for ideas and guidance about how to exploit vulnerabilities.
  • MITRE's reasons for developing ATT&CK are not stated.
  • ATT&CK has six common use cases; the specifics were not mentioned.
  • The three ATT&CK Technology Domains are mentioned without specified reasons.
  • The matrix represents tactics as column headers with techniques as entries.
  • Information pages on techniques include sub-techniques, procedures, mitigations, detection methods, and references.
  • Three sub-techniques for the Reconnaissance tactic of gathering victim identity information are not defined.
  • The Lazarus Group conducted a campaign to gather email addresses for later attacks, with undefined specifics.

Reflection

  • There are additional pentesting methodologies in common use, beyond the four researched.
  • Following a recognized pentesting methodology is important for unspecified reasons.
