Pen-Test Frameworks
Basically the guidebooks or sets of rules that help define how to conduct penetration tests from start to finish
MITRE ATT&CK
Developed to improve understanding of threat behaviors and better the defenses
Globally accessible, open-source knowledge base that catalogs cybercriminal tactics, techniques, and procedures based on real-world attacks (ATT stands for Adversarial Tactics and Techniques, and CK stands for Common Knowledge)
Categories include:
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Open Web Application Security Project (OWASP)
A go-to resource in cybersecurity focusing on web application security
OWASP Top 10: Top 10 most critical web application vulnerabilities each year
Broken Access Control
Cryptographic Failures
Injection
Insecure Design
Security Misconfiguration
Vulnerable and Outdated Components
Identification and Authentication Failures
Software and Data Integrity Failures
Security Logging and Monitoring Failures
Server-Side Request Forgery
Broken Access Control
Occurs when restrictions on what authenticated users are allowed to do are not properly enforced
Cryptographic Failures
Formerly labeled Sensitive Data Exposure; includes failures related to managing sensitive data securely
Injection Flaws
Include SQL, NoSQL, Command Injection, etc. Occur when untrusted data is sent to an interpreter as part of a command or query
Mobile Application Security Verification Standard (MASVS)
This standard helps set baseline security standards to protect mobile applications
MASVS breaks down these requirements into control groups, each labeled as MASVS-XXXXX
MASVS-STORAGE
Focuses on the secure storage of sensitive data, like personal details, user credentials, and financial information
MASVS-CRYPTO
Centers on cryptographic measures to protect sensitive data
MASVS-AUTH
This control ensures mobile apps implement strong mechanisms to verify user identities and grant appropriate access rights
MASVS-NETWORK
Addresses the security of network communications between the mobile app and remote endpoints
MASVS-PLATFORM
Focuses on how securely the app interacts with the underlying mobile platform and other apps on the same device
MASVS-CODE
Deals with the secure development and maintenance of the app’s code
MASVS-RESILIENCE
About the app’s ability to withstand and respond to reverse engineering and tampering efforts
MASVS-PRIVACY
Emphasizes implementing privacy controls that align with privacy laws and regulations
Mobile Application Security Testing Guide (MASTG)
Provides a detailed testing framework
MAS Checklist
Offers a practical format for assessing security features
Penetration Testing Execution Standard (PTES)
A framework used to conduct thorough and effective penetration tests
Pre-engagement Interactions
Involves the first communication and the reasons for conducting a penetration test
Information Gathering
Essential for laying the groundwork for an effective penetration test
Footprinting
Uses passive and active techniques to map out the target’s external and internal network environments
Threat Modeling
Involves understanding both the business assets and processes that need protection and the threats and their capabilities
Vulnerability Analysis
Involves using both active and passive testing techniques to identify security weaknesses in the organization’s IT infrastructure
Exploitation
This phase involves actively exploiting the identified vulnerabilities
Post-Exploitation
This follows a successful exploitation where the tester has gained some level of access
Persistence
Privilege Escalation (Privesc)
Exfiltration
Reporting
Involves compiling a detailed report of all activities conducted during the test, the vulnerabilities exploited, the systems accessed, and the potential impact on the organization
CREST Defensible Penetration Test (CDPT) Guidelines
Establish a standard for conducting penetration tests with a clear, structured approach
Council of Registered Ethical Security Testers (CREST)
An organization of security companies that sets rigorous standards for cybersecurity services
Executive Summary
Clarifies common terms and sets the stage for a unified understanding of penetration testing across the industry
Background
Discusses the evolution and variability of penetration testing practices
Commercially Defensible Assurance Activity
Emphasizes the legal and commercial defensibility of penetration tests
How this Specification Should be Used
Ensures that penetration testing practices are compliant and effective
Benefits of CREST Accreditation
Outlines the advantages of choosing CREST-accredited companies
Suitably Skilled and Competent Individuals
Highlights the qualifications and ethical standards required of professionals conducting these tests
Importance of Defining Goals & Objectives
Emphasizes the necessity of having clear goals and objectives for penetration testing
Question of Scope
Highlights the importance of properly defining the scope of a penetration test
Reporting Framework
Details the expectations for comprehensive reporting on the test findings
Open-Source Security Testing Methodology Manual (OSSTMM)
Developed by ISECOM; it is open source, which means anyone can submit recommendations for potential entry into the manual
Main goal has been to provide a scientific method for accurately assessing Operational Security (OpSec)
STRIDE
A security model developed by a team at Microsoft, this framework is very useful in the realms of software development and cybersecurity
Spoofing
Involves an attacker assuming the identity of another user (or just generally the act of pretending to be someone or something else) to gain unauthorized access to information, systems, or networks
Tampering
Malicious modification or alteration of data
Repudiation
Involves performing actions on a system that cannot be traced back to an individual user
Digital Signatures
Provide a reliable method for proving the origin and integrity of data, which counters repudiation claims (good for non-repudiation)
Information Disclosure
Involves unauthorized access to confidential information, whether the data is at rest or in transit
Role-Based Access Control
Ensures that only users with the necessary permissions can access certain data
Denial-of-Service Attacks
Designed to interrupt the normal functioning of a website, service, or network by overwhelming the system with a flood of requests, making it unavailable to legitimate users
Elevation of Privileges
Occurs when a user with limited permissions is able to exploit a weakness or oversight in a system to gain higher-level permissions
Purdue Model for Industrial Control System (ICS) Security
Protects operational technology (OT) environments and helps define network segmentation in industrial settings to isolate and protect OT systems from potential cyber threats
Level 5 (External/Vendor Support/Cloud Access)
Part of the Enterprise Security Zone, it features strong IT controls that focus on risk reduction and managing interactions with external vendors and cloud services
Level 4 (Business Logistics Systems/Enterprise IT Level)
Also has strong IT controls and covers corporate IT operations, including enterprise resource planning systems
Level 3.5 (Demilitarized Zone [DMZ])
This buffer zone hosts security measures like firewalls and proxies to control the exchange of data between IT and OT systems, preventing potential threats from spreading
Level 3 (Manufacturing Operations Systems Zone)
Hosts operations management systems such as Manufacturing Execution Systems
Level 2 (Control Systems Zone)
Includes devices like Supervisory Control and Data Acquisition (SCADA) systems, which monitor and control physical processes
Level 1 (Intelligent Devices Zone)
Includes Programmable Logic Controllers (PLCs) that manage operations based on real-time data from sensors in the Physical Process Zone
Level 0 (Physical Process Zone)
Where the actual manufacturing processes occur; includes sensors and actuators that directly interact with the manufacturing operations
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
A framework designed to spotlight and manage organizational risks
3 phases, 8 processes
Build Enterprise-Wide Security Requirements
Organizations develop asset-based threat profiles, identifying and cataloging a range of assets from physical devices to intangible elements
Process One: Identify Enterprise Knowledge
Process Two: Identify Operational Area Knowledge
Process Three: Identify Staff Knowledge
Process Four: Establish Security Requirements
Identify Infrastructure Vulnerabilities
Conducts a detailed evaluation of the infrastructure supporting these assets to uncover any existing vulnerabilities that could be exploited
Process Five: Map High-Priority Information Assets to Information Infrastructure
Process Six: Perform Infrastructure Vulnerability Evaluation
Determine Security Risk Management
Focuses on creating a customized security plan to address identified risks
Process Seven: Conduct Multi-Dimensional Risk Analysis
Process Eight: Develop Protection Strategy
DREAD
A risk assessment model used to quantify, prioritize, and compare the level of risk from various security threats
D - Damage Potential
R - Reproducibility
E - Exploitability
A - Affected Users
D - Discoverability
All rated on a scale from 1 to 10 and added up
DREAD Critical (40-50)
Vulnerability must be addressed immediately
DREAD High (25-39)
Indicates a severe vulnerability that should be considered for review and resolution soon
DREAD Medium (11-24)
Represents a moderate risk that should be reviewed after more severe risks
DREAD Low (1-10)
Poses a minimal risk to infrastructure and data
Damage Potential
Evaluates the extent of damage that a successful exploitation of the vulnerability could cause
Reproducibility
This measures how easily a threat can be replicated by an attacker
Exploitability
This assesses the level of effort and resources required to exploit the vulnerability
Affected Users
Quantifies the segment of the user base that would be impacted if the vulnerability were exploited
Discoverability
Refers to how easy it is for the potential attacker to discover the vulnerability