The field of penetration testing has grown rapidly since the United States Department of Defense’s Tiger Teams first emerged on the computer scene. With that growth, we’ve seen different skill-sets, approaches and quality levels emerge among penetration-testing professionals.
That has made assessing the level of penetration testing service you either consume or deliver a complex task. But, there are patterns and practices that are noticeably present within the highest level of black-belt penetration testers.
Such a tester, by nature, focuses on delivering impact through the act of testing rather than on showing off technical skill. He or she takes care of the most important aspects of pentesting: bringing crucial issues to light and giving decision makers the tools they need to choose what to invest in.
As pentests try to mimic a real-world attacker, an appropriate threat actor should be imagined for the situation. In many cases, the penetration test cannot realistically simulate a real threat actor, as these tests are often time-boxed and of course, resources like computing power could cause limitations for the tester.
The following skills provide a huge differentiation for professionals in this field.
Focus on Business Logic and Business Impact
This is the essential rule: almost needless to say, but the foundation on which the other skills listed below are built.
Every market has its own business logic pain points (finance isn’t like telecommunications, and the latter isn’t like municipalities, for example), and getting into the mind of a hacker means knowing the specifics of the sector you are involved in. Through that, vulnerabilities really pop and make sense to the consumer of the test, especially when a simple logic flaw could make the house of cards crumble.
You’ve Got to Show it to Get Management’s Attention (PoC)
Talk costs nothing and speculation is fun, but there’s nothing like a full-blown demonstration of impact to illustrate all the steps an attacker would take to get what they need to get the job done. This is especially true when a finding can be easily deflected and debated by the IT guy who feels a bit too defensive about the contents of the final report.
Uncovering the Undocumented
Penetration tests need to be well scoped to be effective and clear in their goals. That said, within those fences, an intuitive and inventive hacker can go deep into the mind of the application’s developer or the system’s architect and anticipate undocumented functions or even entire systems. Uncovering those perils within the test’s time-box is challenging, but very fruitful, as this isn’t something that’s in the books, which basically means that many others overlooked it when doing QA or integrating security systems.
The Sum of Vulnerabilities
Hunting down those pesky vulnerabilities is time consuming and requires a lot of focus and timing. But when all is said and done, an understanding of the real impact of these vulnerabilities is sometimes missing: synthesizing them together may amp it up to a death blow. That skill goes hand in hand with focusing on business logic and business impact (above).
Highly Personalized Toolset
It could be a specially rigged laptop for the mission, a heavily pimped-out virtual machine or a cloud instance with your projects compiled inside; bringing those tools to perfection is an art. Many use a distribution such as Kali Linux to form a baseline. But the real difference is not only knowing how to use those tools, but how you can build upon them to make them a custom arsenal that fits your habits and modus operandi, effectively turning them into a highly efficient pwning machine.
Custom Payloads and N-days
Tools are not the only thing that get modded by the artisanal hacker; payloads do as well. This is especially true since enterprise environments are fully packed with anti-malware and network defenses that could pick up on out-of-the-box pre-made kits and PoC code that is shared on the internet or within commercial frameworks.
Understanding how defense mechanisms work, and having the knowledge to circumvent them, can be game changing at times. In a similar sense, diving into a known vulnerability in a system for which no exploit is available (or for which only very sterile PoC code exists) and extrapolating a working exploit is also valued and useful for bringing the test on par with the alleged threat actor.
Overall, these skills are imperative to making a penetration test as impactful and meaningful as possible for both parties. By demonstrating these skills, the tester will succeed beyond his or her own personal technical goals and will be able to shed light on cardinal issues.
The list was pulled together based on my experiences as a long-time penetration tester. I have the utmost respect for the comrades that are taking this art to heart. While there may be other experiences that will differ from this list, these skills can be used as a checklist to effectively become a black-belt pentester.
(Moshe Zioni is the Director of Threat Research at Akamai, and a seasoned penetration tester and bug hunter. Moshe has been researching security since youth, positioned professionally since he turned 18, when he was actually surprised to find a place for his enthusiasm and talent. Moshe has consulted many industry leaders, banks, software vendors, insurance companies, health organizations, governments and telecommunication service providers, both domestic and international.)