Ideas For Defining Testing
Updated: Apr 23, 2020
Not only is cyber security itself considered confusing, possibly because it isn't as highly regulated or because technology changes so frequently, some terms are often used interchangeably, or their meaning has been stretched from its first use. Such as: Ethical Hack, Penetration Test, Red Team Exercises, or any other team colours that companies appear to use. What's more, every organisation seems to make their own definition; this creates a confusion on what services you are actually procuring.
Because I am extremely opinionated, I have decided to create my own definitions of security testing. Disclaimer: these definitions have come from years of working with non-technical persons when selling the different options. They may be slightly different to how I'd view them as a technical person, but I've found by defining them this way, it is easier to express in selling of the services.
I would be interested in hearing your thoughts on how you would define each, and what sources you've used to gather this, such as OWASP, NIST, NCSC, etc. Who knows, maybe we can eventually agree on these!
Let us start with defining a couple terms, which, generally we agreed on.
Attack Surface: the entire scope of what can be targeted.
Threat Map: the analysis of actors capability vs motivations. Understanding of your threat map will allow you to prioritise security controls.
Threat Actors: persons or entity that has the capability to cause disruption. Also known as a malicious actor.
Threat: a possible danger that has the capability to cause harm.
Vulnerability: a weakness that has the potential to be exploited.
Exploit: as defined in my SANS 501 course book "the use of a specific attack against a specific identified vulnerability of that target" by a threat actor with the intent to cause harm.
Credential Harvesting: an attack the has the goal of obtaining your login information. Such as a username or email, and password.
Social Engineering: influence or manipulation by a threat actor on a human target, to cause an action, opinion, or choice in favour of the threat actor.
Phishing / Vishing: using social engineering to cause the target to reveal confidential information, open a malicious document, financial fraud, or some other action the victim might not otherwise willingly do. The difference is in the vector i.e. Phishing is via email, whilst Vishing is via phone call or voicemail.
Insider Threat: a threat actor that either is inside the organisation, such as a disgruntled employee, or bad leaver, as well as a non-malicious employee through human error.
Black Box: in regards to testing, this is starting out with no prior internal information to an organisation. All information for the test, such as IP address space, is gained through open-source intelligence.
Grey Box: in regards to testing, this is being provided with a bit of confidential information, where the tester fills in the gaps typically using open-source intelligence.
White Box: in regards to testing, receiving all confidential information prior to beginning the test. This is ideal with limited budget, but often can be questioned on how "real-life" it may be.
Tailgating: the process of following an authorised user into a restricted area, such as having someone open the door for you.
Now, let us look at terms that are not as agreed on:
Automated Vulnerability Scans
Using paid for or free software, an automated scan will run across your network, checking for open ports, active IP addresses, and in some cases authenticate to the system being tested to attempt to verify the vulnerability. Typically, I would suggest your cyber security supplier (i.e. in-house cyber team or third-party) to run these for you regularly, or at the very least used between review periods. Such as if an organisation has a bi-annual ethical hack, they have an automated scan done every 3 weeks. The reason these are helpful is because each time your landscape changes, such as installing a patch, you can introduce further vulnerabilities without realising it. An automated scan, typically low cost, can help your team stay on top of concerns. Whilst you do not have to make these authenticated scans, it typically is in your best interest, to minimise false positives/negatives.
External a solely technical exercise aiming to identify vulnerabilities in the publically exposed services.
Internal a solely technical exercise aimed to identify vulnerabilities in the internal network that may or may not be externally exploited.
Using Social Engineering to send a malicious email to target employee(s), with an ultimate goal of testing specific practices, such as credential harvesting or being conscious of malicious documents. Again, depending on capabilities, this can be run in-house or using a third-party provider to create Phishing campaigns. To increase effectiveness, these Phishing campaigns should be designed around educating the employees, not simply highlighting the percentage of failures. Often, this means starting out with very basic campaigns and working towards more challenging. Phishing Dark Waters chapter 6 goes into great detail on this. It is vital effective statistics are recorded, to measurable the success of these campaigns. Reporting of Phishing emails must be effective, and at a low barrier to employees, but also maintainable to the cyber security supplier.
Also known as a “PenTest” is a technical exercise, with the goal to actually exploit vulnerabilities, not just identify them. The value here is, instead of receiving a list of vulnerabilities to your organisation, you would receive a breakdown of actual compromises the ethical hackers exploited. In the cases I've worked on, this would also include advice surrounding next steps.
Physical Penetration Test
This covers the physical security bit, penetration tests on their own do not do this. Using social engineering skills, research, and determination, physical pentesters are well interesting to follow.
The reports are different, because there’s a variety of things to consider. This would cover physical security, technical vulnerabilities, and informational considerations on possible further vulnerabilities not explored in the engagement.
Few brilliant physical penetration testers I follow on Twitter:
Red Team Exercise
Now, here we get a bit tricky. In my view, a Red Team exercise, is a focused set of offensive attacks for a specific scenario/malicious actor. This is where, the organisation knows exactly what they want tested, such as testing an App, or perimeter devices. Which then may continue into how much “damage” they can cause - depending on the organisation's request.
Whilst I know some people include a red team within an ethical hack, I see the difference being: extremely narrow scope, reporting only provides feedback on narrow scope, and the team are highly specialised. They often do make note of possible further vulnerabilities they did not explore but are worth noting.
This can be both technical and social. Using technology, as well as manipulating humans through social engineering techniques to gain access to the organisation’s assets. In my view, some examples are:
Physical entry, such as tailgating to gain entry to restricted areas.
Phishing campaigns for credential harvesting, malicious documents, or websites
Whilst very similar to Red Team exercises, I define this separately due to having a less focused scope, more than offensive team members, and again a slightly different focused report. However, I base this off what I have seen sold vs what the purchaser has wanted. In my own view, I don’t think I would separate this out specifically.