What are the best practices and standards for penetration testing and forensics in your industry or sector?

When we talk about forensics, the scope becomes very specific, especially if it is linked to an incident case or a specific investigation, being different from the pentest which has a defined scope, but which can be comprehensive depending on the test model adopted by the professional. . However, both need to have objectives and a clear and defined scope, mainly so that resources are well used and directed.

In my experience as a cybersecurity professional, defining the scope and objectives of penetration testing and forensics projects is crucial for their success. For instance, when tasked with conducting a penetration test for a financial institution, clearly delineating the scope to include specific banking applications, network segments, and compliance requirements helped streamline the testing process and ensure that all critical assets were thoroughly assessed. Additionally, aligning the objectives with regulatory mandates and industry best practices facilitated the identification and prioritization of vulnerabilities, enabling the organization to enhance its security posture effectively.

Avant de commencer, établissez les limites et les objectifs du test d'intrusion ou de l'analyse criminelle. Cela permet de concentrer les efforts sur les zones pertinentes et de garantir que toutes les parties prenantes sont alignées sur les attentes.

Customize the scope and objectives of penetration testing or forensics to fit organizational needs and industry regulations. Define target systems, assets, and desired outcomes clearly for effective engagement.

Before starting a penetration test or forensic investigation, clearly define the scope (target systems, networks, data, users) and objectives (specific vulnerabilities, threats, or evidence to find). This ensures effective and ethical planning, execution, and reporting.

Based on different scope and category of penetration testing, different type of frameworks and guidelines should be considered. - In web and application penetration testing, OWASP Top 10 and CWE Top 25 Most Dangerous Software Weaknesses should be considered. - In network penetration testing and red teaming, MITRE ATT&CK matrix and Cyber Kill Chain framework should be used to cover all necessary tactics and techniques according to the scope of project. - In API penetration testing, OWASP API Security Risks framework should be used as the baseline to test critical API vulnerabilities. - And in mobile penetration testing, OWASP Mobile Application Security Testing guide should be applied.

Frameworks such as NIST, OWASP et al are the fundamentals here. They are the mechanics guide to ensuring a foundational level of execution. I was fortunate to write the foundations to the ACPO Good Practice guide and publish it with the Met Police and others years ago. We brought together industry experts to summarise much of what I will highlight below. I would advocate to build your own guides with your peers that bring together your collective thinking, knowledge & experience. Sit down with them and create workflow around the frameworks. A knowledge base can help greatly and use this to then point to bodies of work, reference guides & how-to's for particular areas. Keep these alive and work on them. Use media. Share what you learn.

For penetration testing, follow frameworks like NIST SP 800-115, PTES, and OWASP Testing Guide to ensure standardized, thorough evaluations. For forensics, adhere to NIST SP 800-86, the ACPO Good Practice Guide, and the SANS Forensic Analysis Process for reliable and accepted investigative procedures.

Respectez les normes et les cadres tels que l’OWASP pour les tests d'intrusion des applications web ou le NIST pour la criminalistique. Ces directives assurent que vos pratiques sont conformes aux meilleures pratiques de l'industrie et aux exigences réglementaires.

Adhering to best practices, highlighted in NIST 800-86, is crucial in forensic processes, ensuring data integrity. NIST 800-86 provides detailed guidance, including artifact identification and event reconstruction. ACPO focuses on digital forensics, offering tailored practices widely used by law enforcement in the UK, contributing to a standardized approach. Similarly, SANS outlines a comprehensive forensic investigation process, ensuring a systematic examination of digital evidence for identifying malicious activities and informing decision-making in security incidents.

Selecting the right tools and techniques is paramount in achieving accurate and actionable results in penetration testing and forensics endeavors. For example, during a recent penetration testing engagement for a healthcare provider, leveraging tools such as Nmap and Nessus enabled us to identify vulnerabilities in the network infrastructure, while specialized techniques like social engineering assessments uncovered potential weaknesses in employee awareness and training. Similarly, in forensic investigations, employing robust tools like FTK and Autopsy facilitated the acquisition and analysis of digital evidence, ultimately aiding in uncovering the root cause of security incidents and supporting legal proceedings.

Employez des outils de test et de criminalistique réputés pour leur efficacité et leur fiabilité. Utilisez des techniques de test standardisées, comme les tests de pénétration manuels et automatisés, pour identifier les vulnérabilités et les preuves.

Penetration testing uses tools like nmap, Metasploit, and Burp Suite to identify and exploit vulnerabilities in systems. Forensics uses tools like FTK, EnCase, and Autopsy to collect and analyze digital evidence from systems. Each set of tools and techniques is specialized for their respective tasks—exploitation versus evidence preservation and analysis.

All tools have nuances above and beyond their basic usage. Knowledge of these subtle applications of how to use such tools can be so valuable. So not only should we share and collaborate in our tools suite (a validated list / "safe" repo), we should share syntax, models and methods of how to use them / the techniques we know to yield results. The tacit knowledge that sits in the industry above and beyond what is easy to find in the forums is so valuable. We should leverage it more to create consistency in our teams and their approaches. Its so much fun when you find a new way of using a tool, a new syntax or a way that eases your path into great results (& wish you had known for years before)! The right tool for the right job is a must!

Having an arsenal of forensic tools is important, especially tools that you trust and that are used in the market and by authorities, so the risk of them harming an investigation is lower if they are used correctly. Furthermore, pentest tools should be a form of assistance and not the result itself, so evaluate the tools and use the one that brings the most efficient result.

Take courses, certifications, practice in CTFs mainly with forensic content and attend lectures and workshops at specialized events on the subject. And look for articles, mainly DOI from universities, that contain interesting techniques mainly for forensic investigation.

To stay current in penetration testing and forensics, regularly engage in courses, certifications, and webinars. Keep up with industry trends through blogs, books, and journals. Adhere to ethical and professional standards to ensure your skills remain relevant and effective.

In a recent penetration testing project for a technology firm, presenting findings in a structured report format, supplemented with clear explanations and visual aids, enabled stakeholders to grasp the severity and implications of identified vulnerabilities. Moreover, tailoring recommendations to align with business objectives and risk tolerance helped prioritize remediation efforts and allocate resources effectively. By facilitating constructive dialogue and collaboration, we were able to empower decision-makers to make informed choices and strengthen the organization's overall security posture.

To communicate findings and recommendations effectively, tailor your report to the audience's needs, using clear and concise language. Use appropriate formats like executive summaries for high-level overviews, technical reports for detailed findings, and remediation plans or affidavits for actionable steps. Ensure evidence supports your conclusions and recommendations.

Create accurate reports that contain relevant data on how the investigation was carried out. And for a pen test, it is also essential that the PoCs are very detailed so that the client understands what the execution process was like, especially to take prevention and remediation actions.

One aspect worth considering is the importance of continuous improvement and knowledge sharing in the field of penetration testing and forensics. Embracing a culture of learning and professional development can significantly enhance the effectiveness and efficiency of security testing initiatives. For instance, organizing regular debrief sessions and knowledge-sharing workshops enables team members to reflect on past experiences, discuss emerging trends, and exchange best practices. Additionally, fostering collaboration with industry peers through participation in conferences, forums, and online communities facilitates the exchange of insights and lessons learned, ultimately contributing to collective growth and advancement in the field.