Penetration Testing Frameworks

Penetration tests are a vital component of a vulnerability management program. They are often confused with vulnerability scans, which, while necessary to an overall risk program, are not the same thing: a scan automatically enumerates known weaknesses, while a penetration test has a skilled tester verify and exploit them to show their real impact.

Why penetration testing? According to Verizon’s 2022 Data Breach Investigations Report (DBIR), 80% of the breaches in that report were attributed to external actors. That isn’t much of a change from Verizon’s 2008 report, when the figure was 73%. Pentesters give an organization that same external attack perspective, with the confidence that protectors and defenders, not criminals, are doing the testing.

Penetration testing involves numerous tasks spread across different stages. Frameworks give penetration testers a structure to follow and keep the details and activities from descending into chaos. It’s like the quote, “Time is what keeps one thing after another from becoming everything at once.” Frameworks keep one task after another from turning into every task at once. A pentester may have a terrific memory, but there is so much to do and track that one missed detail can ruin the test.

Frameworks also provide a ready reference to customers. When a pentester says, “I use X framework,” or “My methodology is based on Y framework,” then the customer can easily check online to verify details of what’s being performed. A transparent reference provides a higher level of trust and confidence between the vendor and client.

We’ll cover some of the most widely known frameworks and end with the importance of customized ones.

We’ll start with two historical frameworks. While outdated, they are still found in the wild because they contain a great deal of useful information.

Historical Pentesting Frameworks

  • The Information Systems Security Assessment Framework (ISSAF) is no longer maintained and is therefore outdated (visit oissg.org or look it up on whois.com/whois and you’ll see the domain is for sale). But the 845-page PDF, dated May 2006 (hard to find, but free), is a wealth of information: a compendium of terms, processes, concepts, and tools.
  • The Penetration Testing Framework is a site with a ton of technical information, even for non-pentesters. You’ll find it at http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html. Your browser may warn you to proceed with caution because the site is served over plain HTTP rather than HTTPS, so nothing you send or receive is encrypted or authenticated; read it, but don’t submit anything to it. It’s still worth a visit.

Current Pentesting Frameworks

  • The Open Source Security Testing Methodology Manual (OSSTMM) was created by ISECOM (Institute for Security and Open Methodologies). The OSSTMM doesn’t focus on tools so much as on testing operational security controls in a measurable, repeatable way, which makes it useful for meeting regulatory requirements. You’ll find it here: https://www.isecom.org/research.html
  • The Open Web Application Security Project (OWASP) provides the OWASP Testing Guide (OTG), now published as the Web Security Testing Guide (WSTG) (https://owasp.org/www-project-web-security-testing-guide/stable/), and focuses on web application security testing throughout the software development life cycle (SDLC). Because of the focus on web apps, it doesn’t delve into networks or non-web servers, but for those testing web applications it’s an invaluable framework.
  • The National Institute of Standards and Technology (NIST) created the Cybersecurity Framework (https://www.nist.gov/cyberframework) to help organizations of all sizes and industries improve security by providing guidance on implementing activities appropriate to a company’s individual risks. Note that the CSF is a risk-management framework, not a testing methodology; NIST’s pentest-specific guidance is SP 800-115, Technical Guide to Information Security Testing and Assessment.
  • The Penetration Testing Execution Standard (PTES) provides a high-level view of pentesting tasks and stages. It presents stages and guidelines without prescribing tool-level steps, which gives great flexibility in creating one’s own methodology. You’ll find it here: http://www.pentest-standard.org/index.php/Main_Page
  • Honorable Mention:
    • The MITRE ATT&CK Framework is sort of a reverse pentesting framework: rather than telling the tester what to do, it catalogs the tactics and techniques real attackers have been observed using. Knowing those helps organizations defend themselves, and pentesters and red teams use it to map their findings and emulate specific adversaries. https://attack.mitre.org/

Framework Customization

With these, and many more, pentesting methodologies, what do you choose? Which is right? Each has pros and cons depending on what is being tested. For example, if you want to test the Wi-Fi security of your wireless endpoints, OWASP’s web-focused guide would not be a good fit. And implementing the NIST framework would likely be overwhelming and cost-prohibitive for a small-to-medium business (SMB) that simply wants a few servers, a handful of workstations, and the firewall tested once a year.

To better accommodate individual corporate needs and provide sharper focus, experienced pentesters develop their own framework or methodology to suit the needs of their customers and market.

Cybersecurity Crusaders has developed its own methodology based on the PTES framework. This customized methodology is DAER.

Because DAER is based on PTES, it has a solid foundation in an industry-accepted methodology, and through experience it has been adapted to better fit customer needs. You can think of it like buying a house. The house is new and good but remains just a structure with potential until the buyer makes it a home by changing what needs to be changed to fit their needs. Pentest frameworks are much the same: they all provide a great starting point, but the pentester is the one who has to “live” in the framework and needs to adapt, combine, and mesh other aspects to fit properly.

DAER consists of 4 stages:

  1. Discover
  2. Analyze
  3. Exploit
  4. Report

DISCOVER

During the Discover phase, we identify target systems, network ranges, ports and services, and vulnerabilities in running services and configurations by using a series of reconnaissance exercises. The objective of this stage is to identify your organization’s critical assets.
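The Discover stage produces the asset list that everything afterwards depends on, and the one check a practitioner wants at this point is that every host that shows up is actually inside the authorized ranges. The following is an added example, not Cybersecurity Crusaders’ tooling; it assumes the scanner output is nmap’s XML format (what nmap writes with -oX), the scan embedded in it is a constructed sample rather than real data, and the list of flagged services is an illustrative assumption.

```python
"""Discover-phase helper: turn a port scan into a scoped asset inventory.

Added example, not the page's or Cybersecurity Crusaders' code. Assumes
nmap XML output (-oX). The scan below is constructed, not real data.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in nmap XML format: three hosts, one of which lies
# outside the authorized ranges and one closed port that must be ignored.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="nginx"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/>
        <service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/>
        <service name="http"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.50.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Services whose exposure gets handed to the Analyze/Exploit stages.
# Assumed list for illustration; a real engagement derives it from scope.
SERVICES_OF_INTEREST = {"ftp", "telnet", "microsoft-ds", "ms-wbt-server", "rpcbind"}


def parse_nmap_xml(xml_text):
    """Return [(ip, [(port, proto, service, product, version), ...]), ...]
    for hosts that are up, keeping only ports reported as open."""
    hosts = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        services = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            services.append((int(port.get("portid")), port.get("protocol"),
                             get("name"), get("product"), get("version")))
        hosts.append((addr.get("addr"), services))
    return hosts


def build_inventory(xml_text, authorized_cidrs):
    """Split hosts into an in-scope inventory and an out-of-scope list.

    Anything outside the authorized ranges must not be touched further, so
    it is reported separately instead of being silently dropped."""
    nets = [ipaddress.ip_network(c) for c in authorized_cidrs]
    inventory, out_of_scope = {}, []
    for ip, services in parse_nmap_xml(xml_text):
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            out_of_scope.append(ip)
            continue
        inventory[ip] = {
            "services": services,
            "flags": sorted({s[2] for s in services if s[2] in SERVICES_OF_INTEREST}),
        }
    return inventory, out_of_scope


if __name__ == "__main__":
    inv, oos = build_inventory(SAMPLE_NMAP_XML, ["10.0.1.0/24"])
    for ip, entry in inv.items():
        ports = ", ".join(f"{p}/{proto} {name}" for p, proto, name, _, _ in entry["services"])
        print(f"{ip}: {ports}  flags={entry['flags']}")
    print("out of scope (do not test):", oos)
```

Running it against the sample yields two in-scope hosts, with 10.0.1.20 flagged for exposed SMB and RDP, and lists 192.168.50.5 as out of scope. The point of keeping the out-of-scope list rather than discarding it is that an unexpected host answering inside a customer’s network is itself a finding worth raising with the client before anyone probes it.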

ANALYZE

During the Analyze stage, findings from the Discover stage are reviewed and prioritized from a business perspective, translating the identified vulnerabilities into business risks and selecting which ones to verify in the Exploit stage.

EXPLOIT

During the Exploit phase, techniques used by criminal hackers are simulated in a controlled manner to verify the identified vulnerabilities and assess the extent of their effects.

REPORT

To ensure the success of the entire exercise, comprehensive reports are presented and submitted to management during the final Report stage. Additionally, a compliance report and a risk assessment report, along with a strategic risk treatment plan, are developed specifically for your organization.

The DAER methodology provides a common, understandable, and repeatable framework for both the customer and the pentester assigned to their project, assuring that findings and reports are delivered in a consistent and coherent manner to all parties involved.

Cybersecurity Crusaders’ pentesters have years of professional experience in uncovering areas of weakness and with the goal of simulating real-world style attacks. We will assess your IT infrastructure by performing security assessments of your controls and components, including human, physical, wireless and data networks.

The findings are compiled into a management-focused report that presents recommendations aligned with your business goals.

Contact us for a free consultation to see how Cybersecurity Crusaders can help you improve your corporate security.

Penetration Testing and MSPs

Managed Service Providers

MSPs provide invaluable services to companies with minimal or no IT staff. When prospects sign on as customers, they expect the experts to be ready at a moment’s notice to fix any issue covered by their contract. One request that arises is the infrequent, perhaps semi-annual, request for a pentest. Perhaps the client is looking to assure its own customers of an advantage in the marketplace. Maybe the client is about to acquire another business and needs to verify that business’s security. Or it has a pending sale that will more than offset the cost of a pentest. Possibly it is pursuing SOC 2 or another certification, or entering a regulated space such as HIPAA or PCI DSS (PCI DSS explicitly requires penetration testing under Requirement 11).

Another inherent demand comes from the foundational premise of managed services: an MSP implicitly, if not explicitly by contract, takes on responsibility for securing the client’s networks and computers. Clients may focus on adding technology while reducing administration, without understanding that each added technology expands the attack surface. With the growing expectation that an MSP ensures a client’s security, above and beyond providing managed services, what can an MSP offer that would create a competitive advantage over other MSPs?

Improving Client Security

For MSPs, the focus is on IT services, and adding internal security staff is expensive, perhaps more than any benefit is worth. Moving from MSP to managed security service provider (MSSP) may prove too much of a resource burden.

One popular and necessary information security service is a vulnerability assessment. Vulnerability scans and assessments are essential to an organization’s security posture and could be provided by an MSP, but an assessment is not necessarily a reflection of a company’s true security stance because it lacks manual intervention and hands-on probing of systems. Additionally, a client can run vulnerability scans at will using inexpensive tools, for less than an MSP would charge. Internal pentesting by a company is beneficial, but it isn’t considered vendor neutral. Internal penetration testing is good for bolstering confidence in your security, but only as an addition to third-party testing.

Turning One-Off Purchasers into Customers

MSPs may have many break/fix clients who only interact with them when IT problems strike. What if more of those break/fix clients could not only see the benefit of managed services, but also be shown the advantage of better securing their infrastructure? What if the MSP could prove to customers that they have improved security because of the managed services?

Third-party penetration testing could turn break/fix clients into customers. Break/fix vendors send a professional IT technician to a customer’s location to analyze and determine system issues, then provide on-prem remedies. Businesses are charged for those services rendered, and the services don’t carry contracts or subscriptions with ongoing fees built in. If those one-off clients could be provided a fuller service by an MSP, it can prove to be a competitive advantage for both the MSP and the irregular customer.

The third-party penetration testing model helps keep tests consistent. A client’s internal pentesters might tailor the methodology around what they think should be tested, based on their knowledge of recent updates or changes, and they face a potential conflict of interest in reporting on systems their own colleagues run. Third-party testers take a more objective view and make fewer assumptions about what should be tested. They are paid to be disinterested and impartial, so working with a provider who is not on your payroll leads to increased trust.

As an MSP, adding third-party pentesting to your repertoire can help customers create a better total security program. While you may implore your customers to implement X, they may decide against it (whether due to cost, lack of time, no interest, etc.). An independent penetration test might well bring up not only verified reasons for implementing X but could also uncover other vulnerabilities that can be solved by you as the MSP. This data will be beneficial both to the customer in their security program and to you, the MSP, as a provider of new and necessary services.

Offering pentesting services can assist an MSP if a current client needs to move from on-prem to a hosted platform. After such a major move, clients will want to ensure that their security posture has remained as effective as before, if not improved. They may also want a third-party baseline scan before moving to the cloud.

Third-party pentesting provides added insight into a customer’s network security because it performs exploitation and post-exploitation to demonstrate the impact of an attack, including repeated attempts at privilege escalation and lateral movement. Even if a pentest does not uncover blatant vulnerabilities (e.g., XSS, SQLi), this objectivity opens up other areas where the customer may be vulnerable. As an example: what if a pentester finds a wiki or support portal whose self-registration isn’t validated, creates an account, and finds that the account can pull organizational data, however minimal (e.g., ticket numbers and details, names, and email addresses)? A third-party penetration testing firm can provide a wealth of actionable knowledge for both the client and the MSP.
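The support-portal scenario above is two access-control defects stacked on each other: registration that accepts anyone, and a ticket lookup that never checks who owns the ticket. The following is an added illustration, not code from any real product and not Cybersecurity Crusaders’ tooling; the portal, its tickets, the accounts and the company domain are all constructed for the example. The vulnerable methods sit beside the hardened ones so the difference a tester reports on is visible in one place.

```python
"""Support-portal access control: the weak version beside the fixed one.

Added example for illustration only; the portal, tickets, accounts and
company domain are constructed and correspond to no real system.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Ticket:
    ticket_id: int
    owner: str        # email address of the requester
    details: str


@dataclass
class Portal:
    company_domain: str
    tickets: dict = field(default_factory=dict)    # ticket_id -> Ticket
    accounts: dict = field(default_factory=dict)   # email -> verified (bool)
    pending: dict = field(default_factory=dict)    # token -> email awaiting confirmation

    # --- vulnerable behaviour: anyone may register, and any account can read any ticket
    def register_unvalidated(self, email):
        self.accounts[email] = True           # no domain restriction, no verification
        return email

    def get_ticket_unvalidated(self, email, ticket_id):
        if email not in self.accounts:
            raise PermissionError("login required")
        return self.tickets[ticket_id]        # no ownership check: any ticket ID works

    # --- hardened behaviour
    def register(self, email):
        """Only company addresses may register, and the account stays
        unverified until the token sent to that address is confirmed."""
        if not email.lower().endswith("@" + self.company_domain):
            raise PermissionError("registration restricted to company addresses")
        token = secrets.token_urlsafe(16)
        self.pending[token] = email
        self.accounts[email] = False
        return token                           # delivered by email in a real system, never to the browser

    def confirm(self, token):
        email = self.pending.pop(token, None)  # single use: a token cannot be replayed
        if email is None:
            raise PermissionError("unknown or expired token")
        self.accounts[email] = True

    def get_ticket(self, email, ticket_id):
        if not self.accounts.get(email):       # unknown or unverified accounts are refused
            raise PermissionError("login required")
        ticket = self.tickets.get(ticket_id)
        if ticket is None or ticket.owner != email:
            # Same error for "missing" and "not yours", so ticket IDs cannot be enumerated
            raise PermissionError("ticket not found")
        return ticket


def build_portal():
    """Constructed sample data: two tickets belonging to two employees."""
    p = Portal("example.com")
    p.tickets[1001] = Ticket(1001, "alice@example.com", "VPN certificate expired")
    p.tickets[1002] = Ticket(1002, "bob@example.com", "Password reset for ERP")
    return p


if __name__ == "__main__":
    weak = build_portal()
    weak.register_unvalidated("outsider@evil.test")
    print("weak portal leaks:", weak.get_ticket_unvalidated("outsider@evil.test", 1002))

    fixed = build_portal()
    token = fixed.register("alice@example.com")
    fixed.confirm(token)
    print("fixed portal, own ticket:", fixed.get_ticket("alice@example.com", 1001).details)
    try:
        fixed.get_ticket("alice@example.com", 1002)
    except PermissionError as e:
        print("fixed portal, someone else's ticket:", e)
```

In a test report, the first half is the finding (an unauthenticated outsider reaches another employee’s ticket), and the second half is the shape of the remediation: restrict who can register, verify the address before the account does anything, and make every data read check ownership rather than just login state.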

Leveraging Teamwork

Hiring third-party testers relieves the resource burden on an MSP. Professional pentesters as in-house staff are expensive: not only is initial certification pricey, but ongoing training is as well. Outsourcing this makes sense for the same reason your customers rely on you, reduction of expenses. While you may be able to afford some staff with certain certifications, your clients, for reasons such as regulations or internal policies, may require certifications that you don’t have. Your personnel may hold OSCP or CEH, but what if DoD clients require PenTest+, or other clients require GPEN? Hiring third-party pentesters can greatly expand your offerings by selecting testers who are both expert and certified according to the needs of your clientele.

It may be too expensive to move to being an MSSP, so adding penetration testing services might be the right move.

Cybersecurity Crusaders’ penetration testers have years of professional experience in uncovering areas of weakness, with the goal of simulating real-world attacks. The findings are compiled into a management-focused report that presents recommendations aligned with your business goals.

The D.A.E.R. penetration testing methodology provides a common, understandable, and repeatable framework for both the customer and the pentester assigned to their project, assuring that findings and reports are delivered in a consistent and coherent manner to all parties involved.

Contact us for a free consultation.