Penetration Testing Frameworks

Penetration tests are a vital component of a vulnerability management program. Vulnerability management can be confused with vulnerability scans, which, while necessary to an entire risk program, are not the same as penetration tests.

Why penetration testing? According to Verizon’s 2022 Data Breach Investigations Report (DBIR), 80% of data breaches for the current report are due to External actors. This isn’t much of a change from Verizon’s 2008 report, when it was 73%. Pentesters are necessary to an organization’s security to provide this kind of external attack tactic, but with the confidence that the protectors and defenders, not criminals, are doing the testing.

Penetration testing involves numerous tasks involving different stages. Frameworks provide penetration testers a structure to follow, keeping the details and activities from becoming chaos. It’s like the quote “Time is what keeps one thing after another from becoming everything at once.” Frameworks keep one task after another from turning into every task at one time. The pentester may have a terrific capacity for memorization, but there are so many things to do and remember that one missed detail can ruin the test.

Frameworks also provide a ready reference to customers. When a pentester says, “I use X framework,” or “My methodology is based on Y framework,” then the customer can easily check online to verify details of what’s being performed. A transparent reference provides a higher level of trust and confidence between the vendor and client.

We’ll cover some of the most widely known frameworks and end with the importance of customized ones.

We’ll start with 2 historical frameworks. While outdated they are still in the wild because they have great information.

Historical Pentesting Frameworks

• The Information Systems Security Assessment Framework (ISSAF) is no longer maintained, and therefore outdated (if you go to oissg.org or search on whois.com/whois, you’ll see the domain is for sale). But the 845-page PDF, dated May 2006 (hard to find, but free) is a wealth of information, being a compendium of terms, processes, concepts, and tools.
• Th Penetration Testing Framework is a site with a ton of technical information, even for non-pentesters. You’ll find it at http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html. Your browser may give a warning to Proceed with Caution. This is an HTTP, not HTTPS, site, but is worth a visit.

Penetration Testing Frameworks

• The Open Source Security Testing Methodology Manual (OSSTMM) created by ISECOM (Institute for Security and Open Methodologies). The OSSTMM doesn’t focus so much on tools so much as on testing controls to meet regulatory requirements. You’ll find it here: https://www.isecom.org/research.html
• The Open Web Application Security Project (OWASP) provides the OWASP Testing Guide (OTG) (https://owasp.org/www-project-web-security-testing-guide/stable/)  and focuses on web application security testing throughout the software development life cycle (SDLC). Because of the focus on web apps, it doesn’t delve into networks or non-web servers, but for those testing web applications it’s an invaluable framework.
• The National Institute of Standards and Technology (NIST) created a cybersecurity framework (https://www.nist.gov/cyberframework) to help organizations of all sizes and industries improve security by providing guidance on implementing activities appropriate to a company’s individual risks.
  • Part of this framework is a penetration testing guide, special Publication 800-115, Technical Guide to Information Security Testing and Assessment 800-115 and can be found here: https://csrc.nist.gov/publications/detail/sp/800-115/final
  • The Penetration Testing Execution Standard (PTES) provides a high-level view of pentesting tasks and stages. The presentation of steps and guidelines, without giving specific steps, gives great flexibility in creating one’s own methodology. You’ll find it here: http://www.pentest-standard.org/index.php/Main_Page
  • The CISO Times has a PDF download of the PTES 1.1 here: https://drive.google.com/file/d/1thItoYnfgNuAhY7rOxiaKBvUQWHyqNO_/view
• Honorable Mention:
  • The MITRE ATT&CK Framework is sort of a reverse pentesting framework because it points out the criminal attacker’s method. Knowing this can help organizations better defend themselves from cyber attacks. https://attack.mitre.org/

Framework Customization

With these, and many more, pentesting methodologies, what do you choose? Which is right? Each of these has pros and cons depending on what one tests. For example, if one wants to test the wi-fi security of its wireless endpoints, OWASP would not be a good fit. And it’s likely that implementing the NIST framework would be overwhelming and cost-prohibitive to a small-medium business (SMB) that simply wants a few servers, a handful of workstations, and the firewall tested once a year.

To better accommodate individual corporate needs, and providing better focus, experienced pentesters will develop their own framework or methodology to best suit the needs of their customers and market.

Cybersecurity Crusaders has developed our own methodology based on the PTES framework. This personalized methodology is DAER.

Because DAER is based on PTES, it has a solid foundation in an industry-wide accepted methodology, and through experience has been adapted to better fit customer needs. You can think of it like buying a house. The house is new and good but remains just a structure with potential until the buyer proceeds to make the house a home by changing what needs to changed to fit the buyer’s needs. Pentest frameworks are much that way – they all provide a great starting point, but the pentester is the one who has to “live” in the framework, and needs to adapt, combine, and mesh other aspects to fit properly.

DAER consists of 4 stages:

1. Discover
2. Analyze
3. Exploit
4. Report

DISCOVER

During the Discover phase, we identify target systems, network ranges, ports and services, and vulnerabilities in running services and configurations by using a series of reconnaissance exercises. The objective of this stage is to identify your organization’s critical assets.

ANALYZE

During the Analyze stage, findings from the Exploit stage are analyzed from a business perspective to effectively translate the vulnerabilities into business risks.

EXPLOIT

During the Exploit phase, techniques used by criminal hackers are simulated in a controlled manner to verify the identified vulnerabilities and assess the extent of their effects.

REPORT

To ensure the success of the entire exercise, comprehensive reports are presented and submitted to the management during the final Report stage. Additionally, a compliance report, a risk assessment report along with a strategic risk treatment plan shall also be developed specifically for your organization.

The DAER methodology provides a common, understandable, and repeatable framework for both the customer and the pentester assigned to their project, assuring that findings and reports are delivered in a consistent and coherent manner to all parties involved.

Cybersecurity Crusaders’ pentesters have years of professional experience in uncovering areas of weakness and with the goal of simulating real-world style attacks. We will assess your IT infrastructure by performing security assessments of your controls and components, including human, physical, wireless and data networks.

The findings are compiled into a management-focused report and presenting recommendations that align with your business goals.

Contact us for a free consultation to see how Cybersecurity Crusaders can help you improve your corporate security.