Wednesday, November 10, 2010

Pen-Testing: Learn your target, Understand your target, Develop your attack specifically around your target

Would it cripple the organization as a whole? What hurts them the most?

Since when did a penetration test become primarily automated, tool-driven work? Scanners are an aid, but they are not a substitute for us as penetration testers.

Handing a sixty page 'penetration test' report with five hundred vulnerabilities does absolutely nothing for a company aside from a check mark for whatever regulatory and compliance initiatives they have underway. It's time for a reality check:
  • Good hackers don't need to utilize expensive vulnerability scanners.

  • Good hackers don't use automated penetration testing.

  • Attackers don't have a scope or timeframes.

  • Attackers don't stop after they get root.

  • Attackers don't have portions taken out of scope.

The reality of the current situation with pentests is that the true purpose of a test is completely wasted. For one, your incident response team never gets to respond to a true, focused attack. If you are at the point where you can't detect automated scans against your network, then these traditional methods are right up your alley and your security program is still immature, which is fine; you'll get there. The most important point is that there is no true representation of the impact or financial loss a breach would cause.

In simple terms, there is no focus on business risk; the focus is instead on the vulnerability and the exposure it creates. We aren't hitting companies where it hurts: what makes their business run.

Penetration testing has to be something that measures the organization's business risk and the impact if a breach were to occur. When attacking an organization you have to understand what is sensitive and what hurts the company the most. Intelligence gathering is one of the most important elements of a penetration test, as is understanding and learning the network.

Learn your target, understand your target, develop your attack specifically around your target, nothing is out of scope.

Where can I have the most impact on the organization, and how do I represent that? WOW I GOT DOMAIN ADMIN!!!!!! OMG I GOT ROOT! That's fantastic buddy, I'm happy for you, but that doesn't mean squat to me. Present them with their intellectual property, their future projections, the ability to change their product, their confidential and trade secret information, or whatever you identify as what hurts them the most. Some of the questions a pen-test should answer include, but are not limited to: would that impact them in a negative manner? Would it cripple the organization as a whole? What hurts them the most?

We're also significantly challenged by the basic penetration tests: how do you compete against a cheap vulnerability-scan "penetration test" with something that costs significantly more and is done right? Businesses don't understand the difference; they just go with the cheapest bidder, and they don't know that what they are about to purchase sucks.

We need to hire qualified people that get it. I will pay extra for a group that knows what they are doing vs. a super cheap scan. The industry is bleeding; let's step it up and do it the right way.
