Classifying Penetration Tests
Black Box, White Box, and Gray Box
- often see penetration tests referred to as some color or level of opacity
- refers to the level of information the tester is provided with regarding the environment being tested
- unknown environment testing / black box testing
- is when the consultant/attacker has no privileged information about the network and its security systems.
- may only know scope
- requires extensive reconnaissance
- useful for simulating the behavior of an external threat
- known environment testing / white box testing
- is when the consultant/attacker has complete access to information about the network or environment
- useful for simulating the behavior of a privileged insider threat
- includes
- information about the network architecture
- hardware and software configurations
- source code for applications and websites, etc.
- system vulnerabilities
- users
- allows the tester to be considerably more thorough
- partially known environment testing / gray box testing
- is when the consultant/attacker has some information
- requires partial reconnaissance
- attacker is given some inside information about the environment
- one of the more common types of penetration test
Internal vs. External
Two interpretations:
- Internal and external might refer to the kind of access the tester is granted to the environment being tested
- if you give the testers access to the environment from its internet-facing portions only, you might call this an external pentest
- if the testers are on the same network as the environment, either physically or via a virtual private network (VPN) connection, you might call this an internal test
- Internal and external might also indicate what kind of person or team is conducting the penetration test
- External testing might refer to a third-party testing company hired to perform the pentest
- internal testing would likely refer to a penetration testing team working for your organization
Penetration Exercise Types
Offensive and Defensive Penetration Testing
Offensive penetration testing is a proactive and controlled approach to simulate real-world cyberattacks on an organization’s systems, networks, and applications.
- aka red team
- is the “hostile” or attacking team in a penetration test or incident response exercise.
- primary goal is to identify vulnerabilities, weaknesses, and potential attack vectors that malicious actors could exploit
- typically performed by skilled and ethical cybersecurity professionals who mimic potential attackers’ tactics, techniques, and procedures (TTPs)
Defensive penetration testing evaluates an organization’s defensive security measures, detection capabilities, incident response procedures, and overall resilience against cyber threats.
- aka blue teaming
- defensive team in a penetration test or incident response exercise
- aims to assess the effectiveness of existing security controls and identify areas for improvement
Physical Penetration Testing
Physical penetration testing is an assessment of an organization’s physical security practices and controls.
- aka physical security testing
- aims to assess the effectiveness of physical security controls and identify potential entry points or weaknesses that an attacker could exploit
- uses techniques like
- social engineering
- tailgating
- lock picking
- bypassing alarms or surveillance systems
- and exploiting physical vulnerabilities
Integrated Penetration Testing
Integrated penetration testing is a holistic approach that combines different types of penetration testing methodologies and techniques to evaluate an organization’s security operations.
- aims to provide a comprehensive and realistic evaluation of an organization’s security operations
- accurately represents the organization’s security posture and identifies potential risks that are often overlooked when testing isolated areas
Info
Continuous pentesting focuses on technical vulnerabilities and is often configured to leverage automation, especially for CI/CD environments.
- more information: https://informer.io/resources/continuous-penetration-testing