What Do Real Pentest Jobs Look Like in Practice?


Disclaimer

This article reflects the personal experience and opinions of its authors and is written with the aim of encouraging discussion in the community.

We will try to draw attention to what we consider a problem of the modern Russian market for information security services.

Introduction

So that readers understand the context, we decided to start with some background. The article was written by a friend of mine, an information security analyst and penetration testing specialist.

  • Working with customers, we are systematically confronted with a lack of understanding of the essence of our services. Often this misunderstanding is caused by the fact that it was passed on to the customer by the company that previously provided these services. Once, during an internal pentest, escalating privileges and disabling the protection tools on the office machine provided by the customer caused bewilderment on the part of the head of the information security service.


Later in the discussion, it became clear that before that, under the name “Pentest”, the customer had been sold a scan of the internal network with “nmap” using the “--script vuln” parameter. Naturally, the customer once again expected the same behavior from the pentesters and was genuinely surprised when they began to seize his domain controller.

Sometimes, when carrying out the work, a separate stage is allocated to verifying the remediation of vulnerabilities identified in a previous study. And it also happens that, for this purpose, the customer provides the report on that very previous study. Looking at such a report, one sometimes marvels at the resourcefulness of colleagues in the market.

  • Automated vulnerability scanning is sometimes sold as a pentest, or even as a security analysis. In such circumstances, it is not surprising to hear from customers something like “Hack us, so that it looks beautiful.” At some point we realized that we are far from the first to notice this:

We leave the reader to think about the question: why is there no clear understanding of the services ordered and of their result? Is it because of the incompetence of participants in the information security services market? Or do they intentionally lead customers by the nose, selling simpler services under the guise of complex and expensive ones?

Since neither option pleases us, we felt a desire to share our vision and put together a small cheat sheet for services in the field of practical information security.

CheatSheet

Types of jobs

Let’s look at five different types of work:

  • Penetration Testing
  • Red Team Assessment
  • Security Analysis
  • Vulnerability Scanning
  • Operational Safety Audit

For convenience, we divided all the information about the above types of work into two levels:

  • Basic (essentially the body of the article)
  • Advanced (for those who want to learn more)

The “Basic Level” considers the following key points:

  • Goal
  • Focus
  • Level of information security maturity
  • Results

The “Advanced Level” covers the following key points:

  • Examples of tasks
  • Methods for achieving the goal
  • Work plan
  • Completion Criteria

Penetration testing

Goal:
Determine whether the current level of security of an infrastructure can withstand an attempted intrusion of a potential attacker with a specific purpose.

Achieve the set task. In this case, completeness of the detected vulnerabilities is not a concern, but all the vulnerabilities involved in the attack vectors are reflected in the results.

Focus: Depth of investigation is more important than breadth.

Level of security: Medium to high.

Results: The fact and/or the probability of a break-in (penetration) and of an attacker obtaining information.

Extended information:

Examples of tasks:

  • Get unauthorized access to information about customers, their funds, and other data.
  • Penetrate from the office segment into the production (“combat”) segment, where the working servers are located.
  • Disrupt the availability of a particular service.
  • Get access to the file system with certain rights.
  • Compromise software source code from the version control system.

Methods of achieving the goal: All available methods and means that satisfy the constraints imposed by the customer (including social engineering, brute-force attacks, etc.). Researchers look for the shortest and cheapest path to the goal.

Completion Criteria: The project ends either when the goal is reached or when the time allotted for the project has expired (if many vectors are being considered).

Work plan:

  1. Gather preliminary information about the object (all available sources of information are used).
  2. Build a network map; identify the types and versions of devices, operating systems, services, and applications by their responses to external stimuli.
  3. Identify vulnerabilities of network services and applications (including a basic analysis of web applications to detect vulnerabilities that contribute to achieving the goal).
  4. Analyze the vulnerabilities of internal and external resources.
  5. Prepare suitable attack scenarios. Conduct social engineering and/or denial-of-service attacks (as agreed).
  6. Carry out the penetration test.

Red Teaming

Goal:
Determine/measure how well your organization can detect and resist a real attack. In this case, completeness of the detected vulnerabilities is not a concern. Only those vulnerabilities are of interest whose exploitation will help compromise the organization.

  • Increase the organization’s readiness to resist Advanced Persistent Threat.
  • Get a more realistic understanding of the risk to your organization.

Focus: Simulating malicious actions similar to those of an Advanced Persistent Threat is what matters most.

Level of security: High.

Results: Confirmation of the ability of the organization’s information security services to counter a real attack.

Extended information:

Examples of tasks:

  • Determine whether it is possible to penetrate the organization’s perimeter unnoticed and gain access to confidential information by any possible means.
  • Identify physical, hardware and software vulnerabilities, as well as susceptibility to social engineering by real intruders.

Methods to achieve the goal: All available methods and tools aimed at a multi-component and comprehensive attack against software, equipment, people, and objects.

Completion Criteria: The project ends either at the Customer’s request or when the time allotted for the project expires.

Work plan:

  1. The work plan depends entirely on the Customer’s business processes.
  2. It includes plans for penetration testing, social engineering (socio-technical) research, and testing of physical security (offices, warehouses, etc.).

Security analysis

Goal:
Find all known and potential vulnerabilities and shortcomings that can lead to a violation of the confidentiality, integrity, or availability of information.

Formulate recommendations for improving the level of security.

Focus: Breadth of the research is more important than depth.

Level of security: From low to medium.

Results: The most complete list of detected vulnerabilities and shortcomings.

Extended information:

Examples of tasks: Conduct a comprehensive analysis of any IT resources: software and hardware complexes, web applications, RBS (remote banking services), mobile applications, etc.

Methods for achieving the goal: Black-, white- and gray-box studies, source code analysis, analysis of the structure, functions and technologies used, and confirmation of the detected vulnerabilities.

Completion Criteria: The project ends with the completion of checks for the presence of vulnerabilities of all types in all declared subsystems.

Work plan:

  1. Choose a methodology suitable for the security analysis.
  2. Build threat and intruder models, if necessary.
  3. Perform instrumental (automated) and manual checks for specific types of vulnerabilities (weeding out false positives and detecting vulnerabilities that automated tools miss).
  4. Investigate the vulnerabilities to confirm their presence and exploitability.
  5. Exploit a number of the most critical vulnerabilities (as agreed).

Vulnerability Scanning

Goal:
Find and evaluate all known vulnerabilities in the organization’s information systems.

Regularly maintain and keep up to date the organization’s information security state.

Focus: Breadth of the research is more important than depth.

Level of security: From low to medium.

Results: The most complete list of detected known vulnerabilities.

Extended information:

Examples of tasks:

  • Scan the organization’s external network perimeter for vulnerable services.
  • Track changes in the open ports and services on the organization’s external network perimeter.
  • Scan the internal perimeter for vulnerable services.
  • Analyze web application components for the presence of known vulnerabilities.

Methods of achieving the goal:

  • Automated execution of checks using the chosen tool.
  • Processing of the automated check results by researchers and/or analysts, with exclusion of false positives.

Completion Criteria: The project ends with the completion of all checks provided for by the automated tool.

Work plan:

  1. Identify the tools that are appropriate for automated scanning.
  2. Carry out the instrumental (automated) checks.
  3. Manually analyze the scan results (exclusion of false positives).
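The plan above ends with the analyst's stage: scanner output is deduplicated, known false positives are excluded with a documented reason, and open ports are compared against the previous scan so that perimeter changes stand out (the "track changes in open ports" task from the examples above). The script below is an added illustration of that triage stage; it is not the authors' code or any scanner's real output. The findings, check identifiers such as `TLS-WEAK-CIPHER`, hosts and the exclusion list are all constructed for the example.

```python
"""Triage of automated vulnerability-scan results (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One raw finding as a scanner would emit it (field names are assumptions)."""
    host: str
    port: int
    service: str
    check_id: str   # scanner plugin / check identifier (constructed values)
    severity: str   # "low" | "medium" | "high" | "critical"
    evidence: str


# Constructed raw scanner output. It deliberately contains a duplicate
# (the same check reported twice for one host) and one known false positive.
RAW_FINDINGS = [
    Finding("10.0.0.5", 443, "https", "TLS-WEAK-CIPHER", "medium",
            "TLS_RSA_WITH_3DES_EDE_CBC_SHA offered"),
    Finding("10.0.0.5", 443, "https", "TLS-WEAK-CIPHER", "medium",
            "TLS_RSA_WITH_3DES_EDE_CBC_SHA offered"),        # duplicate from a second pass
    Finding("10.0.0.5", 22, "ssh", "SSH-OLD-BANNER", "high", "OpenSSH_7.4 banner"),
    Finding("10.0.0.7", 80, "http", "HTTP-SERVER-HEADER", "low", "Server: nginx"),
    Finding("10.0.0.9", 3389, "rdp", "RDP-EXPOSED", "high", "RDP reachable from scanner"),
]

# Analyst-maintained exclusion list: (host, check_id) -> documented reason.
# This is the artifact the manual "exclusion of false positives" stage produces;
# a reason is mandatory so the exclusion can be reviewed later.
FALSE_POSITIVES = {
    ("10.0.0.5", "SSH-OLD-BANNER"):
        "Vendor backports fixes; the banner version does not reflect the patch level",
}

# Open ports recorded by the previous scan (constructed baseline).
PREVIOUS_OPEN_PORTS = {("10.0.0.5", 443), ("10.0.0.5", 22), ("10.0.0.7", 80)}


def deduplicate(findings):
    """Keep the first occurrence of each (host, port, check_id) triple, in input order."""
    seen = set()
    unique = []
    for finding in findings:
        key = (finding.host, finding.port, finding.check_id)
        if key in seen:
            continue
        seen.add(key)
        unique.append(finding)
    return unique


def triage(findings, false_positives):
    """Split findings into confirmed ones and excluded ones (each with its reason)."""
    confirmed = []
    excluded = []
    for finding in findings:
        reason = false_positives.get((finding.host, finding.check_id))
        if reason:
            excluded.append((finding, reason))
        else:
            confirmed.append(finding)
    return confirmed, excluded


def port_changes(findings, previous_open_ports):
    """Return (newly opened, no longer seen) (host, port) pairs versus the baseline."""
    current = {(f.host, f.port) for f in findings}
    return sorted(current - previous_open_ports), sorted(previous_open_ports - current)


def severity_summary(findings):
    """Count confirmed findings per severity for the report's summary table."""
    counts = {}
    for finding in findings:
        counts[finding.severity] = counts.get(finding.severity, 0) + 1
    return counts


if __name__ == "__main__":
    unique = deduplicate(RAW_FINDINGS)
    confirmed, excluded = triage(unique, FALSE_POSITIVES)
    opened, closed = port_changes(unique, PREVIOUS_OPEN_PORTS)
    print("confirmed:", severity_summary(confirmed))
    for finding, reason in excluded:
        print("excluded:", finding.host, finding.check_id, "-", reason)
    print("newly open:", opened, "no longer seen:", closed)
```

The exclusion list is keyed by host and check rather than by check alone, so a banner-based false positive on one host does not silently suppress the same check on a host that really is unpatched; the port comparison is run on the deduplicated list, not on the confirmed one, because a port stays part of the perimeter picture even when its finding was excluded.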

Operational Safety Audit

Goal:
Check whether the information system (or its components) and its processes meet the requirements, best practices or recommendations of regulatory acts, standards, and the documentation of the equipment and software manufacturers.

Focus: The scope of the requirements and recommendations is what matters.

Level of security: Low to high.

Results: Conclusion on compliance with requirements / recommendations.

Extended information:

Examples of tasks:

  • Check the information system’s conformity to the STO BR IBBS standard (the Bank of Russia information security standard).
  • Check the compliance of the information system.
  • Check the web servers for compliance with the CIS recommendations.

Methods of achieving the goal: Manual or automated testing in accordance with the chosen methodology.

Completion Criteria: The project ends with the completion of all audits provided by the methodology.

Work plan:

  1. Adapt the methodology to the object of study.
  2. Compile a list of checks.
  3. Carry out the manual and/or automated checks.
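The three steps above map directly onto code: adapting the methodology means deciding which checks apply to the object at all, the list of checks is the checklist itself, and the run produces a pass/fail/not-applicable verdict per check plus an overall compliance figure. The example below is added here to show that shape; it is not the authors' code, and the check identifiers (`WEB-01`, `TLS-01`, ...), the configuration keys and the two server configurations are all constructed and are not taken from any real CIS benchmark.

```python
"""Checklist-driven configuration audit (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class Check:
    check_id: str
    description: str
    applies: Callable[[dict], bool]   # step 1: does this check apply to the object?
    passes: Callable[[dict], bool]    # step 3: does the object satisfy it?


# Constructed "effective configuration" of a web server, as an auditor might
# collect it from the running service. Keys and values are assumptions.
WEB_SERVER_CONFIG = {
    "tls_enabled": True,
    "tls_min_version": "TLSv1.2",
    "server_tokens": "on",          # version banner still exposed
    "directory_listing": False,
    "hsts_max_age": 0,              # HSTS not set
    "http_to_https_redirect": True,
}

# A second constructed object with no TLS at all, to show checks being
# marked "not applicable" instead of failing.
PLAIN_HTTP_CONFIG = {
    "tls_enabled": False,
    "server_tokens": "off",
    "directory_listing": False,
}

TLS_ORDER = {"TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
ONE_YEAR_SECONDS = 31536000

# Step 2: the list of checks. Each TLS check declares that it only applies
# when TLS is enabled on the audited object.
CHECKLIST = [
    Check("WEB-01", "Server version banner is suppressed",
          lambda c: True,
          lambda c: c.get("server_tokens") == "off"),
    Check("WEB-02", "Directory listing is disabled",
          lambda c: True,
          lambda c: c.get("directory_listing") is False),
    Check("TLS-01", "Minimum TLS version is 1.2 or higher",
          lambda c: c.get("tls_enabled") is True,
          lambda c: TLS_ORDER.get(c.get("tls_min_version"), 0) >= TLS_ORDER["TLSv1.2"]),
    Check("TLS-02", "HSTS is enabled with a max-age of at least one year",
          lambda c: c.get("tls_enabled") is True,
          lambda c: c.get("hsts_max_age", 0) >= ONE_YEAR_SECONDS),
    Check("TLS-03", "Plain HTTP redirects to HTTPS",
          lambda c: c.get("tls_enabled") is True,
          lambda c: c.get("http_to_https_redirect") is True),
]


def audit(config: dict, checklist) -> Dict[str, str]:
    """Return a verdict per check_id: "pass", "fail" or "not applicable"."""
    results = {}
    for check in checklist:
        if not check.applies(config):
            results[check.check_id] = "not applicable"
        elif check.passes(config):
            results[check.check_id] = "pass"
        else:
            results[check.check_id] = "fail"
    return results


def compliance_ratio(results: Dict[str, str]) -> float:
    """Share of applicable checks that passed; an object with no applicable checks scores 1.0."""
    applicable = [verdict for verdict in results.values() if verdict != "not applicable"]
    if not applicable:
        return 1.0
    return sum(1 for verdict in applicable if verdict == "pass") / len(applicable)


def failed_checks(results: Dict[str, str], checklist):
    """Descriptions of the failed checks, for the conclusion section of the report."""
    by_id = {check.check_id: check.description for check in checklist}
    return [f"{cid}: {by_id[cid]}" for cid, verdict in results.items() if verdict == "fail"]


if __name__ == "__main__":
    for name, config in (("web server", WEB_SERVER_CONFIG), ("plain http", PLAIN_HTTP_CONFIG)):
        results = audit(config, CHECKLIST)
        print(name, results, f"compliance={compliance_ratio(results):.0%}")
        for line in failed_checks(results, CHECKLIST):
            print("  FAIL", line)
```

Separating "applies" from "passes" is what keeps the compliance figure honest: a check that cannot apply to the object should neither inflate the score as a free pass nor appear in the conclusion as a failure, and the list of not-applicable checks is itself part of the audit record, since it documents how the methodology was adapted in step 1.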

Conclusion

We hope that you have found the answers to your questions, or at least got some idea of what a pentest is and how it works.