Pentest strategy
You can follow several different strategies when performing a penetration test. You can go with an unknown-environment test, a known-environment test, or a partially known-environment test.
Unknown-environment: This test was formerly known as a black box test. In an unknown-environment penetration test, the penetration testers are given zero information about the environment and the targets. The goal of the unknown-environment test is to treat the pentesters as if they are hackers — they have to discover the environment before they can attack the environment. In an unknown-environment test, you would not share Internet Protocol (IP) address information, network infrastructure details, or public services on the Internet such as web sites, domain name system (DNS), or file transfer protocol (FTP) servers. It is up to the penetration testers to discover all assets and then try to exploit those assets.
Known-environment: This test was formerly known as a white box test. In a known-environment penetration test, the penetration testers are given all of the details of your network environment, including server configurations and the services they run, a network diagram showing different network segments and applications, and IP address information.
Partially known-environment: This test was formerly known as a gray box test. In a partially known-environment penetration test, a limited amount of information is given to the penetration testers, such as the IP ranges used by the company or addresses of your public Internet servers. With this information, the pentesters will discover what services are running on each system and then try to exploit those systems.
Threat actors and threat models
The purpose of penetration testing is to simulate attacks that could occur in real life. A big part of information security — and something all security professionals should be aware of — is understanding who you are protecting against. Who would attack your network or website?
Capabilities and intent
Before we look at the types of hackers and threat models, it is important to understand the different levels of hacking capabilities for each type of hacker, or threat actor, and the different reasons or intent for hacking.
The capabilities of a hacker will vary depending on the type of threat actor the hacker is and the types of attacks being performed. Some attacks are basic in nature, so you may find that all types of hackers can perform them. More sophisticated attacks are performed by hackers with detailed knowledge of the underlying technologies being attacked, their vulnerabilities, and how to exploit those vulnerabilities.
A hacker may be motivated to hack for many reasons, such as for financial gain (for example, hacking into bank accounts or selling sensitive data obtained in the hack) or for the fame or notoriety earned by hacking into a big-name company. A hacker may also be motivated by a personal cause or a group cause, as is the case with terrorists or activists.
Threat actor
A threat actor is a person or entity that causes the threat against your assets. When it comes to hacking, you should be aware of some common threat actors:
Script kiddies: A script kiddie is a person who does not necessarily have much background on how attacks work; they simply run some automated tools to try to exploit systems. Their intent is typically the challenge, along with the bragging rights.
Hacktivist: A hacktivist is a person who hacks for a cause, such as for political purposes or for social change. The capabilities of the hacktivist can range from basic to advanced hacking knowledge, as is the case with the infamous hacking group called “Anonymous.”
Insider threat: Insider threats are threats from inside your organization or inside your network. These can be very serious threats of malicious destruction from a disgruntled employee or even innocent mistakes made by other employees.
APT: An Advanced Persistent Threat (APT) is an advanced, sustained hacking campaign, such as one run by a nation-state–sponsored group or person that gains unauthorized access to a network for political or economic reasons. The attack typically aims to keep unauthorized access for a long period of time, such as many months, by planting malicious software on the system that will monitor activity, collect sensitive data, or damage the system. APT also includes advanced hacks on financial institutions, defense contractors, and software companies such as Twitter or Facebook, which hold a wealth of sensitive information the hacker would like to collect.
Adversary tier
Threat actors are typically identified in an adversary tier that ranks the threat actors by their capabilities and the damage they can perform. The threat actors discussed earlier are ranked based on their threat level and capabilities as follows (1=low, 4=high):
1. Script kiddie
2. Insider threat
3. Hacktivist
4. APT
Figure 1-1 summarizes the adversary tier with script kiddies at the bottom of the skillset and APT at the top.
Threat modeling
Penetration testing typically involves an exercise known as threat modeling. Threat modeling refers to the act of documenting company assets and then defining the types of attacks or threats against those assets. Each threat is then assigned a likelihood (the chance that the attack will happen) and an impact (how serious the result would be if the attack succeeded) so that the threats can be prioritized. Based on the priority of the threats, security professionals put security controls in place to prevent those threats from occurring or to minimize their impact.
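The following is an added example, not code from the book, that works through the threat modeling step just described: a small threat register is built, each threat gets a likelihood and an impact score, a risk score is computed from the two, and the threats are sorted into a priority order. The 1-to-5 likelihood and impact scales, the risk-level thresholds, and the sample threats are all assumptions made for the example; the adversary tier numbers are the ones listed in the section above and are used only to break ties between threats with equal scores.

```python
from dataclasses import dataclass

# Adversary tier as ranked in the chapter (1 = low capability, 4 = high).
ADVERSARY_TIER = {
    "script kiddie": 1,
    "insider threat": 2,
    "hacktivist": 3,
    "apt": 4,
}


@dataclass(frozen=True)
class Threat:
    """One entry in the threat register: an asset and a threat against it."""
    asset: str
    description: str
    actor: str        # key into ADVERSARY_TIER
    likelihood: int   # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int       # 1 (negligible) .. 5 (severe); assumed scale

    def __post_init__(self):
        # Reject entries that would silently skew the prioritization.
        if self.actor not in ADVERSARY_TIER:
            raise ValueError(f"unknown threat actor: {self.actor!r}")
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")


def risk_score(threat):
    """Classic likelihood x impact score (assumed scoring method)."""
    return threat.likelihood * threat.impact


def risk_level(score):
    """Bucket a score into a label; thresholds are assumptions for this example."""
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def prioritize(threats):
    """Highest score first; on a tie the more capable adversary ranks higher."""
    return sorted(
        threats,
        key=lambda t: (risk_score(t), ADVERSARY_TIER[t.actor]),
        reverse=True,
    )


def summarize(threats):
    """Return (asset, description, score, level) tuples in priority order."""
    return [
        (t.asset, t.description, risk_score(t), risk_level(risk_score(t)))
        for t in prioritize(threats)
    ]


# Constructed sample register; the assets, threats and scores are illustrative.
SAMPLE_REGISTER = [
    Threat("customer database", "SQL injection through the web app",
           "hacktivist", likelihood=3, impact=5),
    Threat("customer database", "long-term data theft via planted malware",
           "apt", likelihood=2, impact=5),
    Threat("public web site", "defacement found by an automated scanner",
           "script kiddie", likelihood=4, impact=2),
    Threat("file server", "deletion of shares by a disgruntled employee",
           "insider threat", likelihood=2, impact=4),
    Threat("public DNS", "outage caused by an innocent misconfiguration",
           "insider threat", likelihood=3, impact=2),
]


if __name__ == "__main__":
    for asset, description, score, level in summarize(SAMPLE_REGISTER):
        print(f"{level:<8} {score:>2}  {asset}: {description}")
```

Running the block prints the register from most to least urgent. Note that the two threats scoring 8 are ordered by adversary tier, so the insider threat lands above the script kiddie; that tie-break is one design choice, and a team that wants a different rule (for example, favoring the higher impact) changes only the sort key in prioritize.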
[FIGURE 1-1: The adversary tier. Graphic designed and created by Brendon Clarke.]
Looking at CompTIA’s Penetration Testing Phases
The CompTIA penetration testing process involves four major phases:
1. Planning and scoping
2. Information gathering and vulnerability identification
3. Attacks and exploits
4. Reporting and communication
Over the course of this book, I go into detail about each of these penetration testing phases. Here, I provide a high-level overview of each one.