Introduction to Penetration Testing – Part 1

Tram Ho

I. Introduction

In this series, I will introduce the basic concepts, goals and exploitation steps of Penetration Testing.

To start learning about Pentest, we first need to define some terms that will be used throughout the rest of the series. We will also distinguish between Pentest, Red team, Vulnerability Assessment and Security Audit.

II. Vulns, Threat, Exploit, Risk

1. Vulnerability

Definition: A Vulnerability (abbreviated as Vulns) is a weakness in software, hardware, or possibly people, that gives an attacker an entry point to infiltrate computers and networks and gain unauthorized access to the organization's resources.

Some examples of vulnerabilities:

  • Buffer overflow vulnerabilities
  • Improper configuration
  • Flaws in architecture and design
  • Missing validation or security checks in the system
  • Weak, easy-to-guess or default passwords

2. Threat

Definition: A Threat is any potential danger to information or systems. A threat can be someone or something that, through a particular vulnerability, endangers an organization or an individual. The entities that take advantage of vulnerabilities to cause harm are called Agents.

Agent can refer to an individual or a group of people with the potential to become a threat. A hacker's unauthorized access to the network, a data retrieval process that violates a security policy, a storm, or perhaps an employee's unintentional mistake can all reveal the organization's confidential information or damage its data files.

Individuals or groups that are likely to be Agents are classified as follows:

  • Malware: worms, trojans, logic bombs, etc.
  • Crime or organized crime: criminals usually target bank accounts, credit cards or intellectual property that can be converted into money. Criminals often use insiders to help them achieve their goals.
  • Human
    • Unintentional: accidents, carelessness
    • Intentional: an insider, contractor, maintenance worker or security guard who is disgruntled with the organization
  • Nature: floods, fires, lightning strikes, meteors, earthquakes.

3. Exploit

Definition: An Exploit is a piece of code or a technique that takes advantage of one of the vulnerabilities above.

A few examples of exploits:

  • Publicly available code that exploits a buffer overflow
  • Uploading a web shell to a web server
  • Abusing an entry point to achieve code execution
  • Abusing an insecurely configured executable for privilege escalation

There are many different ways to exploit vulnerabilities. In practice, a single vulnerability can be exploited in different ways depending on the attacker's end goal.

4. Risk

Definition: Risk is the possibility of loss or damage. Risk is closely related to vulnerability, threat and damage.

In the diagram of the original post (not reproduced here), Risk is shown as the intersection of Threat, Vulnerability and Exploit.

Risk is usually calculated with the formula: Risk = Likelihood * Impact, where:

  • Impact is usually a predefined value and is easy to calculate on a case-by-case basis
  • Likelihood is often much harder to estimate.

In addition, qualitative risk can be assessed with a risk matrix (the original post shows one as an image), which maps each combination of likelihood and impact to a level such as low, medium, high or critical.

Often the value of Risk is assessed by experts, based on the knowledge and experience of the individual or the evaluation team. Managing risk is the primary goal of security teams. For a pentester, the most important (and sometimes the most difficult) task is often to estimate the risk that the problems they have found pose to the organization.
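As an added example (not code from the original post), the following Python script applies the Risk = Likelihood * Impact formula to a set of findings and maps the scores onto a qualitative 5x5 risk matrix, then ranks the findings the way a pentester would order them in a report. The ordinal scales, the band thresholds and the sample findings are assumptions made for illustration; real engagements use whatever scales the customer or methodology prescribes.

```python
"""Scoring and ranking pentest findings with Risk = Likelihood * Impact.

Added example, not code from the original post. The ordinal scales, the
band thresholds of the 5x5 risk matrix and the sample findings are all
assumptions chosen for illustration; real engagements use the scales the
customer or the methodology prescribes.
"""
from dataclasses import dataclass

# Ordinal scales from 1 (lowest) to 5 (highest); assumed for this example.
SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}

# Qualitative bands over the product Likelihood * Impact (range 1..25).
# Listed highest first; a score maps to the first band it reaches. Assumed.
BANDS = ((20, "critical"), (12, "high"), (6, "medium"), (1, "low"))


@dataclass(frozen=True)
class Finding:
    title: str
    likelihood: str  # one of the SCALE keys
    impact: str      # one of the SCALE keys


def risk_score(likelihood: str, impact: str) -> int:
    """Risk = Likelihood * Impact, both on the 1..5 ordinal scale."""
    return SCALE[likelihood.lower()] * SCALE[impact.lower()]


def risk_level(score: int) -> str:
    """Map a numeric score to the qualitative band of the risk matrix."""
    if not 1 <= score <= 25:
        raise ValueError(f"score {score} outside the 1..25 range of the matrix")
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    raise AssertionError("unreachable: BANDS covers every score >= 1")


def risk_matrix() -> dict[str, dict[str, str]]:
    """Build the full 5x5 matrix: matrix[likelihood][impact] -> band label."""
    levels = sorted(SCALE, key=SCALE.get)
    return {lk: {im: risk_level(risk_score(lk, im)) for im in levels}
            for lk in levels}


def rank_findings(findings: list[Finding]) -> list[Finding]:
    """Order findings by score, highest first (stable for equal scores)."""
    return sorted(findings,
                  key=lambda f: risk_score(f.likelihood, f.impact),
                  reverse=True)


# Constructed sample findings; likelihood/impact values are illustrative.
SAMPLE_FINDINGS = [
    Finding("Verbose server banner", "very high", "very low"),
    Finding("Default admin password on management interface", "high", "very high"),
    Finding("Missing HTTP security header", "medium", "low"),
    Finding("Buffer overflow in legacy service, public exploit available",
            "medium", "very high"),
]


if __name__ == "__main__":
    matrix = risk_matrix()
    levels = sorted(SCALE, key=SCALE.get)
    print("likelihood \\ impact:", ", ".join(levels))
    for lk in levels:
        print(f"{lk:>9}:", ", ".join(matrix[lk][im] for im in levels))
    print()
    for f in rank_findings(SAMPLE_FINDINGS):
        score = risk_score(f.likelihood, f.impact)
        print(f"{score:2d} {risk_level(score):8} {f.title}")
```

Note that the banner disclosure, which is almost certain to occur, still lands at the bottom because its impact is negligible, while the default password with a high likelihood and very high impact lands on top; the product captures exactly the trade-off the text describes, and the band thresholds are the part an assessment team has to agree on up front.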

Ways to reduce risk:

  • Keep threat agents from reaching the system
  • Remove sensitive data from the system
  • Use a web application firewall, IPS, etc. to block exploits
  • Patch the vulnerabilities

III. Pentest, Red team, Vulns Assessment, Security Audit

There is a set of terms that are sometimes used interchangeably, which can cause a lot of confusion. These terms relate to the day-to-day tasks security professionals perform:

  • Penetration Testing
  • Red Teaming
  • Vulnerability Assessment
  • Security Audit

Although these terms are often used interchangeably, there are differences that we should be aware of.

1. Penetration Testing

Penetration testing is a proactive method of assessing the security of a network or information system by simulating attacks from a hacker (to stop criminals, you have to think like a criminal).

It actively analyzes design weaknesses, technical flaws and vulnerabilities. A non-intrusive test is not Penetration Testing. Sometimes the customer asks for a penetration test but then does not allow deeper exploitation; such tests are closer to a Vulnerability Assessment.

Usually there are two types of tests:

  • Blackbox: simulates an attack from someone with no knowledge of the system
  • Whitebox: simulates an attack from someone with information/knowledge about the system.

The results are delivered together in a single report so that the customer can review the operational, management and technical findings.

We will look at Pentest in more detail in Part 2 of this series.

2. Red team

A Red team engagement is designed to test an organization's ability to detect and respond to cyberattacks.

  • The goal of the Red team is to test the Blue team (the defensive team).
  • It uses real-world tactics, techniques and procedures (TTPs).
  • It focuses on the vulnerabilities that help it reach its objective (a Pentest usually aims to find as many vulnerabilities as possible).
  • Stealth and persistence are important for the Red team.
  • Put simply:
    • Penetration Testing tests the defenses (the systems)
    • Red teaming tests the defenders (the people and processes)

Purple team

A Purple team is a cross-functional team that combines the Red team and the Blue team to allow better collaboration.

  • It attacks slowly and deliberately, like a Red team, and then measures the ability to prevent, detect and respond, like a Blue team.
  • The Purple team's work is summarized as ACE:
    • Automation: test the automation of the detection and alerting workflow
    • Coverage: the range of the environment in which attacks can be detected
    • Effectiveness: check how effective detection is: false positive rate, detection rate, noise and confusion.
  • It produces metrics used to find gaps and improve defenses.
  • Read more at: redsiege.com/purple

The original post includes a diagram illustrating the relationship between the Red team, Purple team and Blue team.

3. Security Audit

Definition: An Audit is an examination against a strict set of standards.

  • It is almost always done with a detailed checklist.
  • Although checklists are also created for Pentests and Security Assessments, they are usually not as detailed and rigorous as an Audit's.

4. Vulnerability Assessment

Definition: Vulnerability Assessment is the identification, quantification and ranking of vulnerabilities, without exploiting them.

Distinguish Penetration Testing and Vulnerability Assessment

Summary:

  • A Pentest focuses on breaking in or stealing data. The emphasis is on gaining access to the target environment by exploiting the vulnerabilities discovered.
  • A Vulnerability Assessment focuses on finding security weaknesses and usually does not involve actually exploiting them.

Thus, Penetration Testing focuses on depth, with the goal of taking over the system and stealing data, while Vulnerability Assessment focuses on breadth, i.e. the process of finding security vulnerabilities. An assessment also often includes a review of policies and procedures, which is not usually part of a Pentest.


Source : Viblo