5 OUTCOME- AND INTELLIGENCE-LED PENETRATION TESTING

Jason Charalambous and Moinuddin Zaki

In this chapter we discuss outcome-led penetration testing and intelligence-led penetration testing.

Outcome-led penetration testing starts from a set of agreed objectives and outcomes; these drive how the penetration test is scoped and carried out so that it actually satisfies them.

Intelligence-led penetration testing relies upon contextualised intelligence that identifies the attack vectors relevant to an organisation and allows the penetration tests to be positioned from the right angle. The benefit is a structured and effective approach for an organisation to mitigate its actual risks, based on its attack vectors and the threat landscape that is relevant to its current infrastructure set-up and security controls. In the second half of this chapter we explain how penetration tests can be designed to be more targeted and focused, mimicking the strategies and approaches of real-world threat actors based on the intelligence gathered about them.

HOW PENETRATION TEST PROGRAMMES SHOULD BE INFORMED BY DEFINED OUTCOMES

To specify the desired outcomes of a penetration test programme, it is important to understand your organisation's functions, infrastructure, area of expertise and goals. One of the primary purposes of a penetration test programme is to meet some (if not all) of the organisation's security-related objectives. These objectives are aligned with the organisation's best practices and are used to define and enhance the security controls in place.

On top of this, the organisation has to establish why a penetration test is required in its case. The reasons a company starts considering a penetration test vary from simple discovery and assessment of system vulnerabilities, to regulatory compliance and customer protection. Different reasons for testing call for different approaches to the penetration test, and therefore produce different outcomes. Defining outcomes leads to:

The right definition of the scope. If a test is mis-scoped, it will be of limited use or of no use at all.

The right type of tests. There are many different types of penetration test and choosing the right ones is vital.

The time the tester(s) need to carry out the tests. The scale and complexity of the targets in scope follow from the set outcomes.

The allocation of an appropriate budget to manage the project's lifecycle.

‘Working back’ from defined outcomes to design test programmes

Once the defined outcomes are aligned with the organisational objectives, the client IT team and the penetration testers have to create the test path that will be followed during the penetration test. The resulting test programme must not conflict with the organisational objectives; it should work alongside them so that no disruption is caused.

The testing should be aligned with the reason why the organisation decided a penetration test is required, as this is crucial in defining the methodology used and the resources the organisation is willing to expend.


By ‘resources’, we do not only mean the financial side, but also the human resources that will be involved, as well as the system resources (for example, one standby engineer and a full clone of the environment, or two engineers while testing the live environment).

Based on the defined outcomes and the scope of the penetration test, the strategy must involve the key functions of the organisation as agreed, and each individual test should be tailored to the functionality of every application and system within the scope.

Avoidance of ‘scope creep’ – and how this can be achieved

‘Scope creep’ is very common in projects that include any penetration testing activity against a set target; if it is not addressed in the early stages of the project it can delay delivery, jeopardise the required objectives and inflate pricing. It often occurs where the importance of an outcome has not been defined properly, or where an outcome has not been aligned with the organisational test objectives and the contractual agreements. To be precise, the scope may not have been appropriately defined and agreed by the relevant parties (customer, service providers and other third parties) before any contractual agreement. To eliminate scope creep, the following must always be set in stone before testing begins:

Defined starting dates and times.

Specific IP addresses, network ranges, URLs and domain names. Validation of the target ownership should be carried out to ensure that the scope is not deviating to assets not belonging to the current customer.

Post-exploitation activities. These must be clearly defined, as they tend to go beyond the agreed scope; if they are not controlled they can cause operational issues and legal problems.

Changes to the agreed scope during execution of the test must be avoided and should be scheduled as a separate engagement, because the time needed, the types of tests, the pricing and the skillset of the testers all vary.
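The ownership and scope checks described in the list above are the kind of thing a test lead should automate before the first packet is sent. The script below is an added example (it is not code from the chapter or from any named tool) that validates a proposed target list against the agreed scope: IP addresses and CIDR blocks must fall wholly inside the agreed ranges and outside any carve-out; hostnames must sit under an agreed apex domain (lookalikes such as example.com.evil.net and notexample.com are rejected); and a hostname that is in an agreed domain but resolves to an address outside the agreed ranges is flagged, since that is the classic case of a CNAME to a SaaS or CDN provider the customer does not own. All ranges, domains, targets and "resolved" addresses are constructed for illustration.

```python
"""Pre-engagement scope check (added example; not code from the chapter).

The agreed ranges, domains, exclusions and DNS results below are all
constructed sample data, not from any real engagement.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Scope:
    networks: list    # ip_network objects agreed in the statement of work
    domains: set      # apex domains agreed in the statement of work (lower-case)
    exclusions: list  # ip_network objects explicitly carved out of scope


def build_scope(networks, domains, exclusions=()):
    """Parse the scope from the strings written into the contract."""
    return Scope(
        networks=[ipaddress.ip_network(n, strict=False) for n in networks],
        domains={d.lower().rstrip(".") for d in domains},
        exclusions=[ipaddress.ip_network(n, strict=False) for n in exclusions],
    )


def ip_in_scope(scope, ip_str):
    """True if the address is inside an agreed range and outside every exclusion."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in scope.exclusions):
        return False
    return any(ip in net for net in scope.networks)


def network_in_scope(scope, cidr):
    """A CIDR target is acceptable only if it lies entirely inside one agreed
    range and overlaps no exclusion; a partly in-scope range is rejected."""
    net = ipaddress.ip_network(cidr, strict=False)
    if any(net.overlaps(ex) for ex in scope.exclusions):
        return False
    return any(a.version == net.version and net.subnet_of(a) for a in scope.networks)


def hostname_in_scope(scope, hostname):
    """True only for an agreed apex domain or a proper subdomain of one.
    Suffix and prefix lookalikes (example.com.evil.net, notexample.com) fail."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in scope.domains)


def ownership_check(scope, resolved_ips):
    """Return the resolved addresses that fall outside the agreed IP scope.
    A name under the customer's domain can still point at a CDN, SaaS or
    shared host the customer does not own; those must not be tested."""
    return [ip for ip in resolved_ips if not ip_in_scope(scope, ip)]


def classify_targets(scope, targets, resolutions=None):
    """Split proposed targets into an allowed list and a {target: reason} dict.
    Hostnames with no resolution data are allowed on domain match alone."""
    resolutions = resolutions or {}
    allowed, rejected = [], {}
    for target in targets:
        if "/" in target:
            ok, why = network_in_scope(scope, target), "CIDR not wholly inside agreed ranges"
        else:
            try:
                ipaddress.ip_address(target)
                ok, why = ip_in_scope(scope, target), "address outside agreed ranges"
            except ValueError:
                ok, why = hostname_in_scope(scope, target), "hostname not under an agreed domain"
                if ok:
                    foreign = ownership_check(scope, resolutions.get(target, []))
                    if foreign:
                        ok, why = False, f"resolves to non-customer address(es) {foreign}"
        if ok:
            allowed.append(target)
        else:
            rejected[target] = why
    return allowed, rejected


# Constructed sample: scope from a hypothetical statement of work.
AGREED_SCOPE = build_scope(
    networks=["203.0.113.0/24", "2001:db8:10::/48"],
    domains=["example.com"],
    exclusions=["203.0.113.248/30"],  # hypothetical outsourced payment gateway
)

# Constructed sample: the tester's proposed list and pretend DNS answers.
PROPOSED_TARGETS = [
    "203.0.113.10",          # inside an agreed range
    "203.0.113.251",         # inside the carve-out
    "198.51.100.5",          # in no agreed range
    "203.0.113.0/25",        # wholly inside the agreed /24
    "203.0.113.0/23",        # spills beyond the agreed /24
    "portal.example.com",    # customer-owned web application
    "docs.example.com",      # CNAME to a SaaS provider; ownership check fails
    "example.com.evil.net",  # suffix lookalike
    "notexample.com",        # prefix lookalike
]
SAMPLE_RESOLUTIONS = {
    "portal.example.com": ["203.0.113.20"],
    "docs.example.com": ["198.51.100.77"],
}

if __name__ == "__main__":
    ok, bad = classify_targets(AGREED_SCOPE, PROPOSED_TARGETS, SAMPLE_RESOLUTIONS)
    print("ALLOWED:", ok)
    for target, reason in bad.items():
        print(f"REJECTED: {target:<24} {reason}")
```

Run it before scanning and again whenever a tester proposes an addition; a rejection is a prompt to go back to the customer for written confirmation, not a reason to assume the target is theirs. The resolution data is passed in rather than looked up so the check runs offline and can be fed the exact DNS answers recorded in the engagement log.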

The first and most important measure against scope creep is for the organisation, the penetration test team and the test manager to actually understand the outcomes that have been defined for the test. We are referring to instances where an organisation has stated what it wants but actually wants a different result, often because the organisation and the testing company interpret the requirements and their associated objectives differently. As a simplified example, organisation X wants to test how good its IT security posture is. When engaging for a penetration test, what it is trying to say is that it wants to see whether it can be compromised by any means. However, it only mentions possible compromise via its external-facing web services, so while scoping, the service provider would only consider online websites, portals and so on.

However, what the organisation actually wants is a full-scale penetration test that not only includes testing the externally facing web applications and portals but also the internal systems and digital assets.

There is a clear gap between what the business expects from the penetration test (the outcome) and what the service provider has understood of the requirements. Straight away, a comparatively small task of penetration testing the web applications becomes a full organisational penetration test, because that is what the organisation really wanted from the start. Clearly communicating what is required from a penetration test, and making sure the business and the service provider understand and agree on the desired outcomes, avoids the extra hours and the delays in completing the testing activity.

The second way to avoid scope creep is to define the scope properly. Although scope should always be agreed before any penetration testing action is taken, an organisation often has assets that are outside the scope but that could be used to exploit something within it (a shared management network, a third-party hosted service, a staff mailbox). Whether such assets may be used as a stepping stone must be decided and written down in advance, not left for the tester to judge mid-engagement.

Third, as in other routine business practices, ensure a framework agreement is in place in writing and the price is agreed in advance. It might sound straightforward, but the agreed price does not apply only to the test programme; it also covers the reporting, any patching support, re-testing and so on. If the initial agreement specifies nothing, it cannot be assumed which activities following report delivery (re-testing, for instance) are included.

THREAT INTELLIGENCE-LED PENETRATION TESTING

Organisations are under tremendous pressure to manage the different types of data security threat affecting their businesses. Traditional security controls, if implemented correctly and effectively, can negate many known threats. But what about the threats the organisation is unaware of? How does one acquire knowledge about unknown threats?

As the threat landscape is constantly evolving and different threat actors, known, unknown and new, surface regularly, it becomes imperative for organisations to know who the enemy is, and what their motivations are, in order to make effective decisions that improve the business's security posture (SANS Institute, 2005). These questions can be answered by cyber-threat intelligence, which can help organisations maintain an up-to-date security posture against previously unknown threats.

Cyber-threat intelligence has been a buzzword in the information security domain for some time. Simply put, threat intelligence is knowledge: information about threat actors, the attack vectors they use and the organisations or businesses they target. This information is highly valuable to any organisation in identifying the information security threats targeting its industry and in making informed decisions about how to deal with them. Threat intelligence can be obtained from threat-intel vendors, which gather information tailored to an organisation from open and closed forums and sites on the web, and also from sources located on the deep web.

The main goal of a normal penetration test is to discover the vulnerabilities and weaknesses in operational and technical components so that they can be rectified before a malicious attacker compromises them. A normal penetration testing service usually includes running a set of standard tools to test for a series of known vulnerabilities.


As the complexity and sophistication of cyber attacks increase, attacks are also becoming more focused, targeting specific industries and their assets.

Some existing penetration testing services, though well documented and understood, do not provide enough assurance against more sophisticated attacks on critical information assets; hence the need for threat intelligence-led penetration testing.

Threat intelligence-led penetration testing engagements are usually planned and executed together with the client, using either the client's own threat intelligence or that provided by independent third parties. The threat intelligence component of the test reviews a variety of known threat actors and tries to identify those most likely to pursue their goals by targeting the organisation. This requires not only the knowledge gathered from threat intelligence feeds but also a detailed review of the business's activities and processes.

Once the threats most likely to be used by attackers are identified, the intelligence from the feeds can also identify the attack vectors that could be used against the organisation. The penetration testing team then uses those same attack vectors and intelligence to simulate an attack on the organisation. The goal of threat intelligence-led penetration testing is not to find as many vulnerabilities as possible, but to assess how effectively the target organisation detects and responds to the simulated attack.

Advantages of threat intelligence-led penetration testing

So, is a threat intelligence-led penetration test better than a normal penetration test? Often both are carried out by the same service provider, using different methods and techniques for different assessments. One is not necessarily better or more advantageous than the other; each is helpful in certain situations, depending on the predefined objectives.

It is very important to know the different aims of each type of assessment. A penetration test is mainly used to discover as many vulnerabilities as possible. A threat intelligence-led penetration test mainly aims to mimic relevant threats and the way the threat actors would attack the organisation, while allowing the organisation to assess its incident response processes. Threat intelligence assessments are usually employed as a distinct, defined assessment alongside penetration testing and vulnerability assessments.

There are certainly advantages to threat intelligence-led penetration tests:

A much stealthier methodology is employed, in which the attack on the organisation is based on profiles of various threat actors and the vectors they employ.

It is a very good opportunity to test the real-time incident response capabilities and processes of the organisation.

It helps in identifying physical, hardware, software and human vulnerabilities.

It effectively evaluates the robustness of various security controls that are protecting the infrastructure.1

It helps in developing a more relevant and complete security programme for the organisation.

NEXT STEPS?

Although it parallels the activities of real cyber attackers, penetration testing serves, in fact, to alert asset owners to the real dangers present in their systems. It is also imperative for them to know how to use the results of a penetration test to embed good security practice within the organisation. When a weakness is identified in an IT system or an application, the organisation's IT team should analyse:

What attack vectors led to the exploit?

What path was taken by the penetration testers to exploit it?

What weaknesses in other assets helped the exploitation succeed?

What other IT systems outside the scope of the test could be exploited in the same way?

The answers to these questions give very good insight into the processes that need to be reviewed within the organisation. This type of analysis nearly always reveals gaps in processes that had probably never been analysed before the penetration test was conducted.

Planning a penetration test and fixing the vulnerabilities it identifies should not be its only achievement; it should never be treated as a checkbox exercise to meet compliance requirements. Using the outcomes of the penetration test to fix gaps in the organisation's IT and operational processes goes a long way towards improving and optimising its security programme.

SUMMARY

Outcome-led penetration testing helps organisations that have a clear understanding of what they expect, or of what the objectives of a penetration test are, to focus their resources and testing activities on those outcomes. Scope creep is commonly seen in these types of penetration test where there is a difference between what is expected and what the test delivers. Effective communication, clear scope definition and experience in penetration testing help avoid scope creep.

Intelligence-led penetration testing is being increasingly adopted by larger enterprises and, more recently, by small and medium-sized enterprises as well. This type of test extends the boundaries of a classic or conventional penetration test by closely mimicking the tactics and strategies of the threat actors who are persistently targeting critical assets. Intelligence-led penetration testing has huge benefits for an organisation but also comes at additional cost because of the resources required. It is a stealthier form of testing in which threat profiles are created and the test is carried out along the corresponding attack vectors. It is usually run as a simulated attack, so the effectiveness of security monitoring and incident response can be evaluated at the same time.

REFERENCE

SANS Institute (2005) Secure Coding: Practical Steps to Defend Your Web Apps. Available at: https://software-security.sans.org/resources/paper/reading-room/threat-modeling-process-ensure-application-security
