The first step in penetration testing (if executed legally) is determining what should be tested – aka scope of the assessment. Defining scope is arguably one of the most important components of a penetration test, yet it is also one of the most overlooked, determining the scope requires a solid and clear understanding of the following.
- Assessment requirements (compliance, business needs).
- Systems, networks and services that should be tested, also clarifying when those should be tested.
- Access to what information is allowed/denied.
- Allowed techniques and tools.
- Rules of engagement.
- Reporting requirements.
- How the pentester’s time will be spent.
Neglecting to complete pre-engagement activities has the potential to introduce problems like scope creep, unsatisfied customers or legal troubles.
As mentioned above, it’s important to understand the assessment’s requirements, since this is a very broad requirement we can narrow the assessment types in 3 big categories.
Goal-based assessments : Conducted for specific reasons, for example to test a service before entering the production.
Red-team assessments : Is designed to meet the needs of complex organizations handling a variety of sensitive assets through technical, physical, or process-based means. This type of assessment has a more holistic approach and is more targeted than a normal penetration test. Red teams attempt to act like an attacker.
Compliance-based assessments : Target a specific compliance objective, guidance, standard or any specific requirement.
White, Black or Gray?
Once the type of assessment is known one of the first things to decide is how much knowledge testers will have about the environment.
White box testing
White box aka “crystal box”, “full knowledge tests”, “glass box”, involves sharing full network, underlying technology, configurations, IPs and system information with the tester, including network maps and credentials. While this approach allows effective testing of systems since testers spend minimal time identifying targets and trying to find a way in, it does not provide an accurate view of what an external attacker would see.
Grey box testing
Grey box a.k.a translucent box test, only limited information is shared with the tester. This type of testing provides some information about the environment to the pen tester without giving full access, credentials or config details. Grey box testing is useful to help understand the level of access a privileged user could gain and the potential damage they could cause. Grey box tests strike a balance between depth and efficiency and can be used to simulate either an insider threat or an attack that has breached the network perimeter.
Black box testing
Black box, sometimes called “zero knowledge” test is intended to replicate the approach a real life threat actor would take in order to gain access to the systems. Pentesters are provides with no information or access in the environment so they must gather information and discover vulnerabilities to gain initial access. This approach might be more time consuming but it can be seen as the most authentic, demonstrating how an adversary with no inside knowledge would target and compromise an organization.