Despite the security industry's tireless efforts to automate the penetration testing (pen testing) process, there is as yet no usable method that matches the intuition and experience of a malicious attacker. These tests provide valuable insight that cannot be obtained by conducting a risk assessment alone or by automated means. To keep the manual process of penetration testing consistent and repeatable, a number of testing frameworks have been developed that have become standard practice.
Common Penetration Testing Frameworks
One of the most commonly used risk assessment frameworks is NIST SP 800-115. Section 5.2 discusses penetration testing as a form of vulnerability assessment. Besides the obvious advantages that penetration testing brings to the vulnerability verification aspect of a risk assessment, NIST points out several other key pieces of information that penetration testing provides and that help the overall assessment:
- How well the system tolerates real-world attack patterns.
- The likely level of sophistication an attacker needs to successfully compromise the system.
- Additional countermeasures that could mitigate threats against the system.
- Defenders’ ability to detect attacks and respond appropriately.
All of these outcomes, along with many more, help ensure that the risk assessment’s conclusions are as complete as possible.
Whether a penetration test is being performed as part of a large risk assessment or not, the tests are usually based on one of the following common frameworks:
- NIST SP 800-115
- Open Source Security Testing Methodology Manual (OSSTMM)
- Open Web Application Security Project (OWASP)
- Penetration Testing Execution Standard (PTES)
There is a common thread that runs through all of these frameworks: their inherent rigidity. They are designed so that each step is performed one after the other. Often the steps include the following:
This method certainly works. When wielded by a skilled hacker, it is capable not only of validating the vulnerabilities identified so far, but also of leading to the discovery of vulnerabilities that were not found during automated scanning or through other parts of the overall risk assessment.
Unfortunately, these structured methodologies have the potential to introduce weaknesses into the testing process. For example, methodologies rarely consider why a penetration test is being performed or which data is critical to the subject of the test. Sticking to a rigid methodology hinders the “creativity” of pen testers, especially when exploiting the network, and leaves no room to tailor the process to the specific target.
Finally, these methodologies do not reflect the contemporary behavior of real world attackers; when they change tactics we must as well. It is not necessary, or desirable, to completely do away with formal methodologies. Instead, these inherent limitations are addressed by integrating the methodologies called for (based on client and regulatory needs) into a framework that views the network from the perspective of a modern attacker.
The Cyber Kill Chain
The pen test frameworks that exist today are sufficient for testing security controls and validating vulnerabilities. However, the goal of a pen test should be to replicate a real-world malicious actor: discover how they may attempt to gain access to the network, and find what information they are interested in exfiltrating.
The best solution to this conundrum is to integrate a different model, and the one best suited is the “Cyber Kill Chain”. The “kill chain” was introduced in 2009 by Mike Cloppert as a way to describe the steps an adversary takes when attacking a network. One of the key differences is the flow of the steps. In all of the “classic” frameworks the steps generally occur in a linear fashion, one after another. In reality, and in the kill chain model, things do not happen in such an orderly fashion. Attackers use whatever means are necessary, in whatever order they are required, and do not follow the target’s schedules and rules.
Kill chains are metamodels of an attacker’s behavior. Since the kill chain approach is a metamodel we can incorporate any regulatory, commercial, or proprietary pen testing methodology. However, unlike the other methodologies, the kill chain ensures a strategic-level focus on how an attacker actually approaches a network.
Our Penetration Testing Approach
CynergisTek has recently begun to enhance our pen testing approach so that all of our pen tests use the kill chain model alongside any framework the client, or industry regulations, require. We are also developing several new pen test and social engineering offerings. Keep your eye on our blog, because this is just the first of several posts that will lay out the enhancements and additions to our current penetration testing options.