1. Process

Penetration Testing Overview

Penetration Test: Authorized targeted, attack on infrastructure

Pentests

Red Team Assessment: May be scenario based: Focuses on leveraging vulns for certain goals

Risk Management: Evaluate, mitigate, risks that could be damaging Reduce risk: Implementing appropriate controls, policies, measures Inherent risk: Level of risk present even with appropriate controls Vulnerability Assessments: Term for penetration tests

Automated tools Nessus, Qualys, OpenVAS:

• Automated: Can't adapt: Manual testing has to also be done

• Data Protection Act: Keep info private

Methods

External

External-facing hosts, obtain and gain access to data, internal network

• Done with a VPN/VPS to avoid ISP blocking

Internal

Within corporate network: Assumed breach scenario

Types of Testing

Blackbox

Essential info: Only like IP's, domains given

Greybox

Given additional info: Specific URLs, hostnames, subnets

Whitebox

Everything disclosed: Internal view of everything, prepared attacks

Red Teaming

Combined with others: Can include physical, social engineering

Purple Teaming

Combined with others: Working with defenders

Kinds

webapp, mobile, API, thick, network, cloud, source code, physical, employee, IOT, server, policies, firewalls, IDS/IPS, hosts

Laws/Regulations

USA

CFAA

Computer Fraud/Abuse Act Federal: Criminal to access computer w/out auth

Hacking, id theft, malware

Criticism:

• Provisions too far-reaching: Could criminalize research

• Definitions can present on things without intent

DMCA

Digital Millennium Copyright Act: Prohibits circumventing measures to protect copyrights

• digital locks, encryption, authentication, firmware, digital content

ECPA

Electronic Comms Privacy Act: Interception of electronic comms, includes internet

• Unlawful to intercept, access, monitor, store comms without consent

• No using intercepted comms as evidence in court

• Responsibilities for SP's, they can't divulge contents of comms

• Protects privacy, ensures individuals aren't subjected to illegal interception

HIPAA

Health Insurance Portability/Accountability Act Governs use/disclosure of PHI

• Encryption, data access, sharing records

• Research conducted policies, procedures, gov must approve

• Mindful of possible data breaches, ensure PHI is secure

COPPA

Children's Online Privacy Protection Act Collection of PII of children under 13

Precautionary Measures

Remember

• Written consent? Owner, auth representative

• Stay in scope of consent obtained: Follow limitations

• Take measures to prevent damage

• Don't access, use, disclose, personal data, info obtained during test without permission

• Don't intercept electronic comms without consent

• Don't conduct testing on networks covered by HIPAA without authorization

Process

1. Deterministic: Each state is causally dependent on, determined by previous states

2. Stochastic: One state follows from other states only with a certain probability

3. Pentesting: Successive steps performed by tester to find path to predefined objective

Stages

1. Pre-Engagement: Educating, adjusting contract: Strictly defined, recorded

   • Conference, arrangements: NDA, Goals, Scope, Time Est., RoE

2. Info Gathering

3. Vuln Assessment: Analyze results

4. Exploitation: Using results to test attacks

5. Post-Exploitation: Privesc/hunt for sensitive data: Demonstrate impact

6. Lateral Movement: Within internal network to access additional hosts

7. PoC: Documents, screenshots, steps, write-up

8. Post-Engagement: Clean up, documentation, report, modify report if needed

Pre-Engagement

Questions asked, contracts made: Clients tell us what they want

3 components: Scoping questionnaire, Pre-engagement meeting, Kick-off meeting

NDA: Non-Disclosure Agreement: must be signed by all parties

Types of NDA's

Unilateral

Only 1 party maintains confidentiality: Other can share info with 3rd parties

Bilateral

Both parties obligated to keep info confidential: Most common

Multilateral

Confidentiality by more than 2 parties: All parties responsible/involved sign

• Who is permitted to contract us? CEO, CTO, CISO, CSO, CRO, CIO

Computer Misuse Act Documents

Document

1. NDA: After initial contact

2. Scoping Questionnaire: Before pre-engagement

3. Scoping Document: During pre-engagement

4. SoW: Scope of Work: During pre-engagement

5. Roe: Before kick-off

6. Contracts Agreement (physical): Before kick-off

7. Reports: During/After test

Scoping Questionnaire

Should clearly explain services: May ask to choose one/more:

1. External, Internal Vuln Assessment, Pentest

2. Wireless, Webapp, app, physical, SE, RT: Allow client to be specific

3. Critical pieces of info:

   • How many hosts, IPs/CIDR ranges, domains/subdomains, SSIDs

   • How many web/mobile apps? How many roles (standard, admin)?

   • Phishing: How many users targeted? Will client provide a list, or we gather it?

4. Physical: How many locations? If multiple sites, geographically dispersed?

5. RT: Objective? Any activities out of scope?

6. Separate AD Assessment?

7. Bypass NAC: Network Access Controls?

8. Black box, grey box, white box?

9. Non-evasive, hybrid-evasive (quiet-to-louder), fully evasive?

Scoping Document: Based on questionnaire info

Pre-Engagement Meeting

Discuss essential components with customer

Pentest Proposal/Scope of Work (SOW): Info we gather, with data from questionnaire Contract

Checklist: NDA: Signed pre-kick-off, goals, scope, pentest type, methodologies, locations, time

Evasive Testing: Passing traffic, systems in infra

Risks: Inform about risks involved in tests and possible consequences

Scope Limitations: What's off limits and when

Information Handling: HIPAA, PCI, HITRUST, FISMA/NIST

Contractor's Agreement

Physical: Additional agreement: Different laws apply

• Intro, contractor, purpose, goal, pentesters, contact info, physical addresses, building name

• floors, physical room id, physical components, timeline, notarization, permission

Info Type/Regulation

1. CC info - PCI (Payment Card Industry)

2. Electronic PHI - HIPAA

3. Private Banking Info - GLBA

4. Gov info - FISMA

Frameworks

1. NIST: National Institute of Standards/Tech

2. ISO: International Org for Standardization

3. GDPR

4. FedRAMP: Federal Risk/Auth Management Program

5. AICPA: American Institute of Certified Public Accountants

6. CIS Controls: Center for Internet Security Controls

7. PCI-DSS: Payment Card Industry Data Security Standard

8. COBIT: Control Objectives for info/tech

9. ITAR: International Traffic in Arms Regulations

10. NERC CIP Standards: NERC Critical Infrastructure Protection

Lateral Movement

Test how far we can move in the network: What vulns we can find from internal

Pivoting

Some techniques allow us to use an exploited host as a proxy