Effective Penetration Testing Methods and Frameworks

Despite the security industry's continued efforts to automate penetration testing (pen testing), no automated method yet matches the intuition and experience of a human attacker. Manual pen tests provide insight that neither a risk assessment on its own nor automated scanning can supply. To keep that manual process consistent and repeatable, a number of testing frameworks have been developed and have become standard practice.

Common Penetration Testing Frameworks

One of the most commonly referenced assessment guides is NIST SP 800-115, the Technical Guide to Information Security Testing and Assessment. Its section 5.2 discusses penetration testing as one form of security assessment. Besides the obvious value penetration testing brings to verifying vulnerabilities during a risk assessment, NIST points out several other kinds of information that a penetration test provides and that help the overall assessment:

  • How well the system tolerates real world style attack patterns.
  • The likely level of sophistication an attacker needs to successfully compromise the system.
  • Additional countermeasures that could mitigate threats against the system.
  • Defenders’ ability to detect attacks and respond appropriately.

All of these outcomes, along with many more, are very useful to ensure that the risk assessment’s conclusions are as complete as possible.

Whether a penetration test is being performed as part of a large risk assessment or not, the tests are usually based on one of the following common frameworks:

Why Change?

A common thread runs through all of these frameworks: their rigidity. Each was designed so that the steps are performed one after another. The steps often include the following:

  1. Planning
  2. Reconnaissance
  3. Discovery
  4. Exploit
  5. Report

This method certainly works. Wielded by a skilled tester, it not only validates the vulnerabilities identified so far but also uncovers vulnerabilities that automated scanning and the other parts of the risk assessment missed.

Unfortunately, these structured methodologies can also introduce weaknesses into the testing process. They rarely consider why a particular penetration test is being performed or which data is critical to the organization being tested. Sticking to a rigid methodology hinders the tester's creativity, especially during exploitation, and leaves no room to tailor the process to the specific target.

Finally, these methodologies do not reflect the behavior of contemporary real-world attackers; when attackers change tactics, testers must as well. It is neither necessary nor desirable to do away with formal methodologies entirely. Instead, their inherent limitations can be addressed by integrating whichever methodology the client or regulator calls for into a framework that views the network from the perspective of a modern attacker.

The Cyber Kill Chain

The existing pen test frameworks are sufficient for testing security controls and validating vulnerabilities. However, the goal of a pen test should be to replicate a real-world malicious actor: discover how that actor might gain access to the network and what information they would want to exfiltrate.

The best solution to this conundrum is to integrate a different model, and the one best suited is the "Cyber Kill Chain". The term was introduced in 2009 by Mike Cloppert to describe the steps an adversary takes when attacking a network, and it was later formalized in Lockheed Martin's 2011 intrusion kill chain paper by Hutchins, Cloppert and Amin. One of the key differences is the flow of the steps. In all of the "classic" frameworks the steps occur in a linear fashion, one after another. In reality, and in the kill chain model, things do not happen in such an orderly fashion: attackers use whatever means are necessary, in whatever order the situation requires, and do not follow the target's schedules and rules.

Kill chains are metamodels of attacker behavior. Because the kill chain is a metamodel, any regulatory, commercial, or proprietary pen testing methodology can be incorporated into it. Unlike those methodologies, however, the kill chain keeps the focus at the strategic level: how an attacker actually approaches a network.
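As an added illustration (not code from the original post or from CynergisTek's tooling), the following Python snippet tracks a pen test against the kill chain rather than against a linear step list. It assumes the seven phases of Lockheed Martin's intrusion kill chain (Hutchins, Cloppert and Amin, 2011), an assumed mapping of the classic planning/reconnaissance/discovery/exploit/report steps onto those phases, and a constructed sample attack path with per-step detection results. It reports which phases were exercised (including phases revisited out of their nominal order), which phases the classic linear plan would touch at all, and which phases were exercised without the defenders detecting anything, the kind of outcome the NIST bullets above ask a pen test to deliver.

```python
"""Kill-chain-oriented test tracking: an added illustration, not CynergisTek's tooling.

Assumptions (not from the original post): the seven phases are those named in
Lockheed Martin's intrusion kill chain paper (Hutchins, Cloppert and Amin, 2011);
the step mapping, attack path and detection results below are constructed sample data.
"""
from collections import Counter

# Phases of the Lockheed Martin intrusion kill chain, in their nominal order.
KILL_CHAIN = (
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
)

# Assumed mapping of the classic linear pen-test steps onto kill-chain phases.
CLASSIC_STEPS = {
    "planning": (),                      # scoping; no adversary phase
    "reconnaissance": ("reconnaissance",),
    "discovery": ("reconnaissance",),    # scanning/enumeration is still recon
    "exploit": ("exploitation",),
    "report": (),
}


def validate_path(path):
    """Reject unknown phases but deliberately allow repeats and out-of-order
    phases: a real intrusion loops (e.g. internal recon after a first foothold)."""
    for step in path:
        if step["phase"] not in KILL_CHAIN:
            raise ValueError(f"unknown phase: {step['phase']}")
    return path


def phase_coverage(path):
    """How many times each kill-chain phase was exercised on this path."""
    counts = Counter(step["phase"] for step in path)
    return {phase: counts.get(phase, 0) for phase in KILL_CHAIN}


def untested_phases(path):
    """Phases the test never reached; these are gaps in the engagement, not findings."""
    return [p for p, n in phase_coverage(path).items() if n == 0]


def classic_only_phases():
    """Phases a strictly linear plan/recon/discover/exploit/report test touches at all."""
    touched = {p for phases in CLASSIC_STEPS.values() for p in phases}
    return [p for p in KILL_CHAIN if p in touched]


def detection_report(path):
    """Per phase (in order of first occurrence): steps exercised vs. steps detected."""
    report = {}
    for step in path:
        entry = report.setdefault(step["phase"], {"exercised": 0, "detected": 0})
        entry["exercised"] += 1
        entry["detected"] += int(step["detected"])
    return report


def undetected_phases(path):
    """Phases the tester went through without the defenders noticing anything."""
    return [p for p, e in detection_report(path).items() if e["detected"] == 0]


# Constructed sample attack path; note recon and exploitation recur after the foothold.
SAMPLE_PATH = validate_path([
    {"phase": "reconnaissance", "detail": "OSINT on staff, external DNS", "detected": False},
    {"phase": "weaponization", "detail": "macro document built", "detected": False},
    {"phase": "delivery", "detail": "phishing e-mail to helpdesk", "detected": True},
    {"phase": "exploitation", "detail": "macro executes on workstation", "detected": False},
    {"phase": "installation", "detail": "scheduled task persistence", "detected": False},
    {"phase": "command_and_control", "detail": "HTTPS beacon", "detected": True},
    {"phase": "reconnaissance", "detail": "internal AD enumeration", "detected": False},
    {"phase": "exploitation", "detail": "credential reuse to file server", "detected": False},
])

if __name__ == "__main__":
    print("coverage:", phase_coverage(SAMPLE_PATH))
    print("not exercised:", untested_phases(SAMPLE_PATH))
    print("classic linear test touches only:", classic_only_phases())
    print("exercised but never detected:", undetected_phases(SAMPLE_PATH))
```

Run against the sample path, the report shows that actions on objectives was never exercised (the engagement stopped short of exfiltration), that the classic five-step plan maps onto only two of the seven phases, and that four phases were exercised with no detection, which is the feedback a defender needs from the test.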

Our Penetration Testing Approach

CynergisTek has recently begun enhancing our pen testing approach so that every pen test uses the kill chain model alongside whatever framework the client or industry regulations require, and we are developing several new pen test and social engineering offerings. Keep an eye on our blog; this is the first of several posts that will lay out the enhancements and additions to our current penetration testing options.

June 10th, 2016

About the Author:

John Nye is Vice President of Cybersecurity Strategy for CynergisTek and has spent the majority of the last decade working in information security, half of that time working exclusively as a professional penetration tester. Besides testing and improving security, John has a passion for educating and informing the public. He accomplishes this by presenting hacking demos regularly at industry conferences and groups as well as writing blog posts for CynergisTek and industry publications. Nye's specialties include wireless, web, and system penetration testing, user education and public speaking, information assurance, security auditing, policy compliance and writing, and security research and analysis. Some of his industry certifications include CISSP, Licensed Penetration Tester (LPT) and Certified Ethical Hacker (CEH).