The ethical hacker, or pentester, is not a cyber attacker: even though he uses the same techniques, he has no criminal intent. From a purely legal point of view, this also means that he acts only under contract, mandated by a company that gives its consent to be “hacked”. The attack perimeter is always defined by that company and never exceeded.
The role of a pentester is to help an organization improve its defensive capabilities against a potential attacker. “Ethical” also underlines his commitment to developing cybersecurity skills inside the company that commissions him.
For Gartner[1], intrusion tests, more commonly referred to as “penetration tests” or “pentests”, “go beyond vulnerability scans, use a multi-step approach, based on multi-vector attack scenarios, which first find vulnerabilities and then attempt to exploit them to penetrate an organization’s infrastructure.”
In other words, vulnerability scans are only one component of a pentest: they list the weaknesses present at a given moment without analyzing them or verifying that they are exploitable.
Focus on security audits:
Security audits can be organizational or technical. When they do not test whether the vulnerabilities found are exploitable, they cannot be called a pentest.
Pentests start with different levels of information. In a “black box” pentest, the pentesters have none, apart from the name of their target or basic technical information (URL, IP addresses…). They must find a way to bypass the protections put in place by the company.
In a “grey box” pentest, the technical auditors have a limited amount of information at their disposal, such as a username and password.
In the last option, the “white box” pentest, the expert has a large amount of information: source code, application architecture diagrams, etc.
The choice between these three approaches depends on the company’s objective.
In addition to detecting vulnerabilities and analyzing whether they can be exploited, Red Team techniques make it possible to set up realistic attack scenarios, very similar to those conducted by real cybercriminals. The Red Team chains the exploitable weaknesses it finds together to trace an intrusion path. In other words, it is a realistic cyberattack.
A Red Team engagement takes more time and has a wider scope. It can start with nothing but the company name (black box) as information.
Focus on: Purple Team
“Purple Team” is the name given to the collaboration between the pentesters (Red Team) and the company’s defense teams (Blue Team). The idea is to evaluate the Blue Team’s ability to detect and block the attacks led by the Red Team, and then to carry out a thorough assessment after the attack. The goal? To improve the company’s defensive capabilities. It is a transfer of knowledge from the ethical hackers to the company that commissions them.
The most appropriate moments to conduct a pentest are as follows:
Before launching a product, such as a new application or website. This allows the security level to be tested as early as possible, so that vulnerabilities are corrected before they harm the company.
During the operational phase, at regular intervals: a pentest is like a photograph taken at a time T. Over time, new vulnerabilities and attack techniques are discovered. Testing your organization periodically is therefore part of the continuous improvement process necessary for security.
After a cyberattack, specifically following remediation actions, to ensure that the organization is safe from further attack.
Focus on: defining the scope of the pentest
It is up to the company to define the scope of intervention of the ethical hacking team it commissions. To do so, it is advisable to answer the following questions, among others (the list is not exhaustive)[1]:
Which perimeters will be audited?
Which servers, networks, infrastructures… are included?
What access will be prohibited?
Is this prohibition limited in time? What are the periods during which technical auditors can act? Some companies prefer when employees are present, others when they are not.
When the pentesters switch to Red Team mode, how far can they go?
What incident response is in place to remedy this type of attack so as not to paralyze the company’s activity?
Are social engineering techniques (contact with employees) allowed? Can the pentesters have access to the premises?
What level of autonomy does the company leave to the pentesters? The greater it is, the more relevant the results will be.
Notes
[1] Gartner, How to select a penetration testing provider, 2019.