Chapter 8 - 05 - Understand Fundamentals Of Penetration Testing and its Benefits - 02_ocred.pdf

Full Transcript


Certified Cybersecurity Technician
Network Security Assessment Techniques and Tools
Exam 212-82

Rules of Engagement

- The rules of engagement (ROE) is the formal permission to conduct penetration testing
- ROE provides “top-level” guidance for conducting the penetration test
- ROE helps testers overcome legal, federal, and policy-related restrictions to use different penetration testing tools and techniques

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Rules of Engagement (Cont’d)

- Scoping and ROE are two aspects that need to be handled independently while engaging in a penetration testing assignment
- Scoping defines what should be tested, while ROE defines the agreement on how testing should be performed within certain limitations and rules during penetration testing
- The ROE specifies the manner in which the penetration test should be conducted

Rules of Engagement

ROE is the formal permission to conduct a penetration test. It provides “top-level” guidance for conducting the penetration test and certain rights and restrictions to the test team for performing the test. It also helps testers to overcome legal and policy-related restrictions and use different penetration testing tools and techniques.

Based on the organization’s requirements, the ROE may allow testers to conduct some technical and nontechnical activities such as port scanning, social engineering, and network sniffing and may restrict certain activities such as password cracking and SQL injection attacks. All the activities that a penetration tester must perform during the test are explicitly defined in the ROE, and therefore, it acts as a guide to penetration testers.

Scoping and ROE

Scoping and ROE are two aspects that must be handled independently while engaging in a penetration testing assignment. Scoping defines what should be tested, while ROE defines the agreement on the process of testing that must be performed with certain limitations and rules. The ROE specifies the manner of conducting the penetration test.

Framing an ROE involves the steps listed below:

1. Estimate the cost, time, and effort that the organization can invest.
2. Decide on the desired depth for penetration testing.
3. Conduct precontract discussions with different penetration testers.
4. Conduct brainstorming sessions with the top management and technical teams.

Comparing Security Audit, Vulnerability Assessment, and Penetration Testing

- Security Audit: A security audit checks whether an organization follows a set of standard security policies and procedures
- Vulnerability Assessment: A vulnerability assessment focuses on discovering the vulnerabilities in an information system but provides no indication of whether the vulnerabilities can be exploited or of the amount of damage that may result from the successful exploitation of the vulnerabilities
- Penetration Testing: Penetration testing is a methodological approach to security assessment that encompasses a security audit and vulnerability assessment, and it demonstrates whether the vulnerabilities in a system can be successfully exploited by attackers
Comparing Security Audit, Vulnerability Assessment, and Penetration Testing

Security audit: A security audit is used to evaluate whether the security of a company’s information fulfills a set of established criteria and to ensure that the company is in compliance with its regulations, security policy, and legal responsibilities. Different types of audits are used to evaluate a company’s security processes. A security audit only checks whether the organization follows a set of standard security policies and procedures.

Vulnerability assessment: It is used for identifying and measuring the severity of vulnerability in a system; usually, it is used to identify common vulnerabilities in a system’s configuration. Vulnerability assessment provides to organizations a list of vulnerabilities that need to be fixed, without estimating specific goals or scenarios. The list is provided according to the severity level of the vulnerability or business criticality. Vulnerability assessment is suitable for an organization that is not secure, wishes to get started, has a medium-to-high security maturity, and wishes to maintain the security posture of its network. Although vulnerability assessment focuses on discovering the vulnerabilities in an information system, it provides no indication of whether the vulnerabilities can be exploited or of the amount of damage that may result from the successful exploitation of the vulnerabilities.

Penetration testing: A penetration test is a goal-oriented exercise; it focuses on real-time attacks instead of discovering a specific vulnerability. The penetration tester acts as a hacker and follows all the steps a real hacker would to breach a system. This type of testing is suitable for organizations at a high maturity level of security. Penetration testing is a methodological approach to security assessment that encompasses a security audit and vulnerability assessment, and it demonstrates whether the vulnerabilities in the system can be successfully exploited by attackers as well as the amount of damage that may result from the successful exploitation of the vulnerabilities.

Blue Teaming/Red Teaming

Blue Teaming

- An approach where a set of security responders performs analysis of an information system to assess the adequacy and efficiency of its security controls
- Blue team has access to all the organizational resources and information
- Primary role is to detect and mitigate red team (attackers) activities, and to anticipate how surprise attacks might occur

Red Teaming

- An approach where a team of ethical hackers perform penetration test on an information system with no or very limited access to the organization’s internal resources
- It may be conducted with or without warning
- It is proposed to detect network and system vulnerabilities and check security from an attacker’s perspective approach to network, system, or information access

Blue Teaming

A blue team (also known as defender team) is a group of highly skilled individuals, who undertake assessment of information security or products to identify security deficits, to determine the adequacy of security measures, to foresee efficacy of proposed security solutions, and so on, to defend against various attacks.
The blue team may include system administrators and general IT staff and has access to all the organizational resources and information. Blue teaming is the least expensive and the most frequently used security assessment approach. Its primary role is to detect and mitigate red team (attackers) activities, and to anticipate the surprise attacks that might occur.

Red Teaming

A red team (also known as aggressor team) is a group of white-hat hackers (ethical hackers) who attempt to launch attacks against an organization’s digital infrastructure, as would a malicious attacker, to test the organization’s security posture. It is proposed to detect network and system vulnerabilities and check security from an attacker’s perspective approach to network, system, or information access, and it may be conducted with or without warning. Red teaming may include system administrators from various departments in an organization, and they perform a penetration test on an information system with no or very limited access to the organization’s internal resources.

Purple Teaming/White Teaming

Purple Teaming

- A purple team includes both blue and red team members, i.e., both the aggressor team and defender team
- This team acquires knowledge on both the red and blue teams
- The purple team can establish continuous communication, provide real-time feedback, perform frequent security auditing and threat hunting, implement the latest defense techniques, etc.

White Teaming

- A white team acts as a mediator for negotiating an engagement between a red team and blue team
- This team does not perform any testing and only monitors the activities of the red and blue teams
- The white team is responsible for gaining insight by conducting post-engagement activities

Purple Teaming

A purple team includes both blue and red team members, i.e., both the aggressor team and the defender team. The core motive of the purple team is to enhance protection and boost the security standards of the organization. Purple team members acquire knowledge on both the red team and blue team by combining all the defensive strategies and mechanisms from the blue team with the threats and susceptibilities determined by the red team. Threat intelligence data are shared between the red team and blue team to improve security practices and gain insight into the attackers’ tactics, techniques, and procedures (TTPs).

A purple team can establish continuous communication, provide real-time feedback, perform frequent security auditing and threat hunting, implement the latest defense techniques, configure detection mechanisms, and monitor the network for known threats. The combined work of both the blue team and red team also improves the skills of the team and can further help in scrutinizing the security posture of the IT assets in large organizations.

White Teaming

The white team acts as a mediator for negotiating an engagement between a red team and blue team in an operation dealing with information and systems in an organization. This team mainly focuses on analysts, logistics, management, and compliance. White team members can also be third-party individuals who do not perform any testing and simply monitor the activities performed by the red and blue teams. This team is responsible for framing rules of engagement, establishing boundaries for the attacks to protect company assets or systems, organizing the teams efficiently, and setting specific strategies to avoid possible threats in the future.

The white team has prior knowledge of the activities of the red team and the defensive techniques utilized by the blue team. The white team monitors the activities of both teams and ensures that the testing range does not exceed a pre-defined limit. The white team is also responsible for gaining insight by conducting post-engagement activities for further improvements. For this purpose, the team generates a report comprising the information regarding various approaches and tactics used by an attacker and defensive procedures required to counteract the attacks.
