CompTIA Pentest+ PT0-002 – Section 2: Planning an Engagement Part 3

January 23, 2023

8. PenTest Methodologies (OBJ 1.2)

Every penetration test should follow a specific methodology. A methodology is defined as “a system of methods used in a particular area of study or activity.” In terms of penetration testing, it refers to the systematic approach that a penetration tester uses before, during, and after a test, assessment, or engagement. Notice that I used three different terms there: “test,” “assessment,” and “engagement.” All three are used interchangeably, both on the exam and in the industry, and I use all three interchangeably throughout this course as well. A methodology is simply a structured approach to penetration testing, with each step serving a distinct purpose as you work to identify and exploit vulnerabilities on a given system. There are many penetration testing methodologies available, but the one this course is built around is the CompTIA penetration testing process, which consists of four major steps, or phases, that occur during an engagement.

First, we have planning and scoping. Second, we have information gathering and vulnerability scanning. Third, we have attack and exploit. And fourth, we have reporting and communicating. In fact, you may have noticed that these four steps match up perfectly with the first four domains of the PenTest+ exam. The fifth domain, tools and code analysis, doesn’t fit cleanly into a single phase, because tools and code are used during every phase of a penetration test. There are many other methodologies a penetration tester can use when conducting an assessment, and many have more steps because they divide up portions of the four phases we just covered. For example, EC-Council presents an eight-step model in its Certified Ethical Hacker, or CEH, certification program.
Those steps are permission; reconnaissance; scanning and enumeration; gaining access; escalation of privileges; maintaining access; covering your tracks and installing backdoors; and, of course, reporting. Even though the EC-Council methodology might seem more in-depth, the two methodologies are roughly equivalent. The permission phase from CEH parallels the planning and scoping phase from PenTest+. The reconnaissance and scanning and enumeration steps from CEH are combined into the information gathering and vulnerability scanning phase of PenTest+, whereas the attack and exploit phase of PenTest+ is broken into several CEH steps: gaining access, escalation of privileges, maintaining access, covering your tracks, and installing backdoors. Finally, the reporting and communication phase of PenTest+ is covered under reporting in CEH. As you can see, these methodologies differ mainly in granularity, combining or splitting the same underlying steps. For this reason, the PenTest+ methodology tends to be a bit easier to learn and implement in the real world, because it has only four steps.

Now, regardless of whether you follow the CompTIA four-step process or the CEH eight-step process, remember that these are essentially the same steps a threat actor or unauthorized hacker takes when attempting to break into your systems. The real differences are that the threat actor doesn’t ask for permission during planning and scoping, doesn’t stay within an agreed scope or rules of engagement, and doesn’t bother to report or communicate to you the exploits they achieved against your vulnerabilities. CompTIA and CEH are not the only two methodologies out there, though. For example, the National Institute of Standards and Technology, known as NIST, publishes its own methodology in NIST Special Publication 800-115, the “Technical Guide to Information Security Testing and Assessment,” released in 2008. That publication recommends a four-phase approach to penetration testing: plan, discover, attack, and report.

This appears to be the methodology CompTIA designed its own process upon, because it clearly matches the four steps of the PenTest+ methodology. The NIST methodology is widely used throughout the United States, especially in the federal government and the Department of Defense for internal assessments. Now, sometimes when you’re conducting an engagement, you’re going to be asked to perform what is known as adversary emulation. Adversary emulation is a specialized type of penetration test in which you mimic the tactics, techniques, and procedures (TTPs) of a real-world threat actor. For example, maybe you’re conducting a penetration test against a company that is expanding its operations into a new market and is worried that a nation-state advanced persistent threat (APT) might target its networks. In that case, the company may want to train its cybersecurity analysts on what such an attack looks like by having you conduct the penetration test using the techniques associated with that specific threat actor.
If you ever find yourself in this situation, you should definitely consult the MITRE ATT&CK framework when researching a specific threat actor. Unlike the methodologies discussed earlier in this lesson, MITRE ATT&CK is not a testing methodology; it is a knowledge base maintained by The MITRE Corporation that lists and explains adversary tactics and techniques observed in the real world. The word “ATT&CK” in the name is an acronym for Adversarial Tactics, Techniques, and Common Knowledge. If you would like to explore the ATT&CK framework, you can visit attack.mitre.org.

The knowledge base is freely available and is presented as a matrix, with one column for each tactic, that is, each goal an adversary is trying to achieve at a given stage of an attack. For example, there are columns for defense evasion, credential access, discovery, lateral movement, and execution. Listed under each tactic column are the techniques (and sub-techniques) an attacker could use to accomplish that goal, so the matrix maps out the methodologies used across different types of attacks. A companion tool, the ATT&CK Navigator, lets you select different techniques and highlight them in different colors as a layer. Here you can see one example layer for APT28 that has already been mapped out by the MITRE team. APT28 is an advanced persistent threat that has been identified as a Russian cyber espionage group likely associated with the Russian military intelligence agency known as the GRU.

You’ll also hear this APT called “Fancy Bear.” Using the ATT&CK Navigator, you can quickly see that in this layer APT28, or Fancy Bear, uses 10 common reconnaissance techniques, including vulnerability scanning, credential harvesting, and phishing for information. The group is also known for spear phishing with attachments and links and for exploiting public-facing web applications. The ATT&CK matrix is a great way to visualize the techniques used by a particular adversary, and it shows the capabilities they bring to their attacks. By learning what an adversary does and modeling your penetration test on those techniques, you can provide exceptional training to the cyber defense personnel at your target organization during your engagements. Another use case for this tool is on the defensive side, during incident response.

By mapping the techniques observed in an intrusion onto the matrix and comparing that map against the documented technique sets of known groups, you can narrow down which adversary is likely operating in your network. Keep in mind that many groups share common techniques such as phishing and PowerShell execution, so technique overlap is supporting evidence for attribution rather than proof on its own. Another variation of the MITRE ATT&CK framework is ATT&CK for Industrial Control Systems, or ICS. ATT&CK for ICS describes a set of tactics and techniques specific to industrial control systems and presents the elements of the ATT&CK for ICS knowledge base as another matrix. It works just like the Enterprise ATT&CK matrix, except that it is focused on techniques used against ICS environments.
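The two ATT&CK use cases above, emulating a known group and attributing an intrusion by technique overlap, both come down to the same data handling: extract technique IDs from what you observed, compare that set against candidate group profiles, and produce a Navigator layer you can overlay on a group’s layer. The script below is an added example and is not code from the lesson or from MITRE. The analyst notes and the actor profiles (ACTOR-A, ACTOR-B, ACTOR-C) are constructed stand-ins; in practice you would load each group’s technique list from the Groups pages or the STIX bundle at attack.mitre.org. The technique IDs in the lookup table are real Enterprise ATT&CK IDs, but the table is only a hand-picked subset.

```python
"""Added example: map observed techniques to ATT&CK IDs, score them against
candidate actor profiles, and emit an ATT&CK Navigator layer.

Not part of the original lesson or MITRE's tooling. Actor profiles and the
analyst notes below are constructed for illustration only."""
import json
import re

# Hand-picked subset of Enterprise ATT&CK technique IDs (real IDs) with the
# tactic column each belongs to, so the layer can place highlights correctly.
TECHNIQUES = {
    "T1595.002": ("reconnaissance", "Active Scanning: Vulnerability Scanning"),
    "T1589.001": ("reconnaissance", "Gather Victim Identity Information: Credentials"),
    "T1598":     ("reconnaissance", "Phishing for Information"),
    "T1566.001": ("initial-access", "Phishing: Spearphishing Attachment"),
    "T1566.002": ("initial-access", "Phishing: Spearphishing Link"),
    "T1190":     ("initial-access", "Exploit Public-Facing Application"),
    "T1059.001": ("execution", "Command and Scripting Interpreter: PowerShell"),
    "T1021.002": ("lateral-movement", "Remote Services: SMB/Windows Admin Shares"),
}

# Constructed, hypothetical actor profiles (not MITRE group data).
ACTOR_PROFILES = {
    "ACTOR-A": {"T1595.002", "T1589.001", "T1598", "T1566.001", "T1566.002", "T1190"},
    "ACTOR-B": {"T1190", "T1059.001", "T1021.002"},
    "ACTOR-C": {"T1566.002", "T1059.001"},
}

# Constructed analyst notes; 203.0.113.7 is a documentation-range address.
SAMPLE_NOTES = """\
2023-01-10 SOC: external vuln scan noise from 203.0.113.7 (T1595.002)
2023-01-11 SOC: phishing emails asking staff for VPN credentials (T1598)
2023-01-12 IR: user opened macro-laden .docm attachment (T1566.001)
2023-01-13 IR: webshell dropped on internet-facing web app host (T1190)
"""

TECHNIQUE_ID = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")


def extract_technique_ids(notes):
    """Pull ATT&CK technique IDs (Txxxx or Txxxx.yyy) out of free text.
    Deduplicated, first-seen order preserved."""
    seen = []
    for tid in TECHNIQUE_ID.findall(notes):
        if tid not in seen:
            seen.append(tid)
    return seen


def score_candidates(observed, profiles=ACTOR_PROFILES):
    """Rank candidate actors by Jaccard similarity between the observed
    technique set and each actor's known technique set. Jaccard (|A&B|/|A|B|)
    penalizes very broad profiles that would otherwise match everything.
    Returns [(actor, score, matched_ids)] sorted best-first."""
    observed = set(observed)
    ranked = []
    for actor, known in profiles.items():
        matched = observed & known
        union = observed | known
        score = len(matched) / len(union) if union else 0.0
        ranked.append((actor, round(score, 3), sorted(matched)))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


def navigator_layer(observed, name="Incident techniques", domain="enterprise-attack"):
    """Build an ATT&CK Navigator layer (JSON-serializable dict) highlighting
    the observed techniques, for visual comparison against a group layer.
    IDs not in the lookup table are skipped rather than guessed."""
    techniques = []
    for tid in sorted(set(observed)):
        if tid not in TECHNIQUES:
            continue
        tactic, _name = TECHNIQUES[tid]
        techniques.append({
            "techniqueID": tid,
            "tactic": tactic,
            "score": 1,
            "color": "#e60d0d",
            "comment": "observed during incident",
        })
    return {
        "name": name,
        "versions": {"layer": "4.4"},
        "domain": domain,
        "description": "Constructed example layer",
        "techniques": techniques,
    }


if __name__ == "__main__":
    ids = extract_technique_ids(SAMPLE_NOTES)
    for actor, score, matched in score_candidates(ids):
        print(f"{actor}: {score:.3f} matched={matched}")
    print(json.dumps(navigator_layer(ids), indent=2))
```

Save the printed JSON to a file and open it with the Navigator’s “Open Existing Layer” option to lay it over a group layer. Jaccard is deliberately used instead of a raw match count: an actor with a very long technique list would otherwise always score highest, which is exactly the attribution trap the paragraph above warns about.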

9. PenTest Standards (OBJ 1.2)

There are numerous resources, standards, and guidelines available for planning your penetration tests. These include the Open Web Application Security Project, known as OWASP; the Open Source Security Testing Methodology Manual, known as OSSTMM; the Information System Security Assessment Framework, known as ISSAF; and the Penetration Testing Execution Standard, known as PTES. First, we have OWASP. The Open Web Application Security Project is a nonprofit foundation that works to improve the security of software. (OWASP has since renamed itself the Open Worldwide Application Security Project, but the acronym is unchanged.) The foundation provides community-led software projects, education and training, and it has become a go-to source for developers and professionals who want to secure the web. OWASP has created a framework for testing during each phase of the software development process as a way to increase awareness of web security across the industry.

One way they do this is by publishing the OWASP Web Security Testing Guide (WSTG). The testing guide is a comprehensive guide to testing the security of web applications and web services, created through the collaborative efforts of cybersecurity professionals and dedicated volunteers. It provides a framework of best practices used by penetration testers and organizations all over the world, and it can be found for free at owasp.org. But probably the thing OWASP is best known for is its Top 10 list. The OWASP Top 10 is a standard awareness document for developers and web application security experts. It represents a broad consensus about the most critical security risks to web applications and provides information on how to prevent them.

For example, the Top 10 for 2021 lists the following:

1. Broken access control
2. Cryptographic failures
3. Injection
4. Insecure design
5. Security misconfiguration
6. Vulnerable and outdated components
7. Identification and authentication failures
8. Software and data integrity failures
9. Security logging and monitoring failures
10. Server-side request forgery

For each of these, you can read a description of the risk, how to prevent it, example attack scenarios, links to the relevant Common Weakness Enumeration (CWE) entries, and a list of references for how to test for it during an engagement. Second, we have the Open Source Security Testing Methodology Manual, known as the OSSTMM. The OSSTMM provides a methodology for a thorough security test, which it refers to as an OSSTMM audit. The audit is used to create an accurate measurement of security at an operational level inside an organization.

It is an audit that is meant to be free of assumptions and anecdotal evidence. The methodology is designed to be consistent and repeatable, using the same principles a scientific experiment would. The project is open source, so any penetration tester can contribute ideas for performing more accurate, actionable, and efficient security tests. It is also free to disseminate and use, because it is not the intellectual property of any single corporation or government. The manual aims to be a straightforward tool for the implementation and documentation of penetration or security tests. The real focus of the OSSTMM is auditing, validation, and verification, using facts rather than anyone’s opinion during the engagement. That said, the latest released version of the OSSTMM as of this writing is version 3, which came out back in 2010, so keep in mind that parts of it can be dated. Third, we have the Information System Security Assessment Framework, known as the ISSAF.

This methodology was created by the Open Information Systems Security Group, known as OISSG. The ISSAF is somewhat out of date as well, but it can still be a useful reference. One benefit of the Information System Security Assessment Framework is how it links individual penetration testing steps with the relevant penetration testing tools. The goal of the framework was to provide a comprehensive guide for conducting a penetration test. But, as I said, it is dated: it was last updated in 2015, and many of its supporting documents haven’t been updated since 2005. To download the ISSAF documentation, search for the term ISSAF and you will find its SourceForge repository, with all the files compressed into a single archive for easy downloading. Included are about 35 to 40 files, each focused on a different area of penetration testing, such as routers, storage area networks, SQL injection, physical security, and many more.

It can be a good starting point or reference if you want to build your own methodology, but overall it is outdated, and I am only bringing it up because it is listed in your exam objectives. Fourth, we have the Penetration Testing Execution Standard, known as PTES. The Penetration Testing Execution Standard was developed to cover everything related to a penetration test: from the initial communication and the reasoning behind the test, through the intelligence gathering and threat modeling phases, where the testers work behind the scenes to gain a better understanding of the tested organization, into the vulnerability research, exploitation, and post-exploitation phases, where the technical expertise of the testers comes into play and combines with their business understanding of the engagement, and finally into the reporting phase, which captures the entire process in a manner that makes sense to the customer and delivers the value of the engagement.

Now, the Penetration Testing Execution Standard is designed around seven main sections: pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. The goal of PTES was to create a standard that gives both businesses and security service providers a common language and scope for performing a penetration test. PTES was first drafted back in 2009, and honestly it appears to be another good-idea project that has since been abandoned, or at least relegated to the “we’ll work on it someday” pile by its founders. Like ISSAF and OSSTMM, I’m really covering it here for the sake of completeness, because CompTIA lists it by name in the exam objectives. When it comes to high-quality, well-maintained, and up-to-date resources, I personally like to stick with OWASP, the Open Web Application Security Project, because they are constantly updating their materials and their website. That being said, remember that OWASP specializes in web application security, so it is of limited use when you’re testing traditional infrastructure or endpoints during your penetration test. For those, you’ll have to rely on something like OSSTMM, ISSAF, or PTES.
