Pentesting 101
What is Pentesting or Offensive Security (Offsec)? Most people have heard the term Pen Testing. Many even envision a shady character hacking away in a basement, or a ring of seasoned professionals working to steal your data, like APTs (Advanced Persistent Threats), who can hang out in your network for a long time before unleashing an attack. But let’s focus on ethical hacking and some of the terms to be aware of.
Terms like White Box, Black Box, Gray Box, and Red, Blue or Purple teaming are all worth knowing. White, Black and Gray Box describe the testing methods, while White Hats, Black Hats and Gray Hats describe the individuals performing the testing. Red, Blue and Purple teaming are associated with TTX, or tabletop exercises, and refer to the Red or attacker/breaker team, the Blue or defender/fixer team, and the Purple or combined team that shares findings as the exercise progresses.
White Box vs. Black Box vs. Gray Box testing simply describes the approach being used for testing. In White Box testing, testers start off knowing a good bit about what is being tested, usually including internal knowledge of attack vectors, vulnerabilities, etc., and use that information to their advantage to expedite test plans, procedures and attack methods.
Black Box testing means testers are starting from scratch and know very little to nothing about what is being tested. Essentially they must build their planning, procedures and attack methods from the ground up. Recon and enumeration in this approach is far more intensive.
Gray Box testing falls somewhere between White and Black Box testing. Testers have some knowledge about what’s being tested, gained from pre-engagement interviews, network and application diagram reviews, etc. As with the other two types of testing, this feeds into the approach used for planning, procedures and attack methods.
Red, Blue and Purple teaming refers to TTX exercises and can be performed by any company with the expertise, or 3rd party organizations can be hired to help. Red teams are generally the attackers: those trying to break in or break applications in hopes of gaining elevated permissions and/or access to areas within applications and/or networks they shouldn’t have.
Blue teams are the defenders: those trying to fix on the fly what is breaking or being broken into. They rely on many tools and methods to alert on, analyze and detect anomalies. Some of these are SIEMs, Threat Hunting, MDR, XDR, EDR, Endpoint Protection, IDS/IPS, etc. But are they limited by the tools? Well, that is why TTX exercises are performed. You can have a great IR plan and playbooks, but what about the out-of-the-ordinary attacks Red Team members try to exploit? There may not be an “Expression”, “Fingerprint” or “Signature” for them, or anything an AI can detect.
What about these Purple Teams? A Purple Team is essentially a combination of Red and Blue team members sharing with and learning from each other to ensure what is being done is understood throughout the TTX exercise. Unlike a review at the end of the event, this allows for on-the-fly adaptation of attacks and protections and, in general, creates a more collaborative learning environment.
Let me introduce what I like to call a morphing or evolution of Purple teaming. Perform your TTX exercises as you normally would with Red and Blue teams, but introduce a new, single Purple Entity into the mix: a rogue entity that plays off of what each team is doing, planting seeds and direction in the ears of each team to see how they react. This can be done simply by knowing something from each side and “injecting” it into the exercise. For example, the entity tells the Red team to perform attack X, knowing the Blue side has no protection for it, and then tells the Blue side to look for X-type attacks through Threat Hunting as one of the scenario processes. This could introduce new dynamics to the scenario. The caveat is that this entity has to be very diverse in their knowledge to run this type of on-the-fly reactive scenario.
So what about the hats? Think of the old western movies and how the good guys were often depicted with white hats and the bad guys with black ones. It’s pretty much synonymous with those performing the Pen Testing or hacking, but a HUGE distinction needs to be made. Pen Testers are authorized to perform the testing and are ethical hackers, whereas hackers are often doing it for fun or financial gain. So a less-used term, Gray Hats, comes into play. This may help describe the fine line mentioned earlier. What does this mean?
Often, to understand the bad and be able to implement good (ethical hacking) solutions, one must gain knowledge of the darker methods being used and how to combat them. So knowledge must be gained to understand what the Black Hats are doing.
It’s the good we choose to do with what we learn, and how we choose to use that knowledge for good, that makes ethical hackers or White Hats. Since the lines often blur, I like the term Gray Hats. Gray or White Hats don’t use what they know for financial gain outside of being paid to do it legally and testing applications for the companies they work for.
I digress a bit, but I felt the distinction needed to be made, since hacking has both positive and negative connotations, and in the context in which I speak of Pen Testing, the tests Pen Testers perform are duties to protect the intellectual property of the companies they are paid to help protect.
This all leads to the need for organizations to perform Pen Testing and TTX exercises on a regular schedule. Annual testing is needed to meet a lot of requirements; however, in my opinion applications need to be tested per release, since code changes can accidentally introduce vulnerabilities or new attack vectors, especially if proper DevSecOps practices like code review, UAT and QA testing aren’t performed.