Types of assessments
The CompTIA PenTest+ certification objectives reference some key terms in regard to the different types of assessments that can be performed. The following are some common types of pentest assessments:- Goals-based/objectives-based: This type of assessment is focused on a specific purpose. For example, you may have installed a new server or piece of software and want to test that specific asset for security flaws. Some examples of goals for goal-based assessments is the company may want to assess the security of only the wireless network, or maybe only perform social engineering attacks to test the effectiveness of the security education program with the employees. Another common goal may be simply to test the security of a public website or web application.
- Compliance-based: A compliance-based assessment is an assessment that is driven by standards and regulations. With compliance-based assessments, you must follow a standard assessment methodology, such as the National Institute of Standards and Technology’s (NIST’s) SP800-15 series of guidelines, or the PCI DSS from the PCI Security Standards Council.
- Red team/blue team: The term red team refers to the internal team of professionals performing a penetration test acting as hackers. With a red team test, you are not as focused on reporting and remediation steps after the fact; you are more focused on trying to bypass security controls and determining how your security team will respond to the attack. The security team responsible for defending against attacks is known as the blue team.
Pentest strategies
You can follow several different strategies when performing a penetration test. You can go with a black box text, a white box test, or a gray box test:- Black box: In a black box penetration test, the testers are given zero information about the environment and the targets. The goal of the black box test is to treat the pentesters as if they are hackers — they have to discover the environment before they can attack the environment. In a black box test, you would not share Internet Protocol (IP) address information, network infrastructure details, or public services on the internet, such as websites, domain name system (DNS), or file transfer protocol (FTP) servers. It is up to the penetration testers to discover all assets and then try to exploit those assets.
- White box: In a white box penetration test, the testers are given all of the details of your network environment, including server configurations and the services they run, a network diagram showing different network segments and applications, and IP address information.
- Gray box: In a gray box penetration test, a limited amount of information is given to the penetration testers, such as the IP ranges being used by the company or addresses of your public internet servers. With this information, the pentesters will discover what services are running on each system and then try to exploit those systems.
For the PenTest+ certification exam, remember the different pentest strategies. Black box is when no details about the target are given, white box is when all known information about the targets is given to testers, and gray box testing is when limited information such as IP addresses or server names are given to keep the pentest focused on those targets.
Threat actors and threat models
The purpose of penetration testing is to simulate attacks that could occur in real life. A big part of information security — and something all security professionals should be aware of — is who you are protecting against. Who would attack your network or website?Capabilities and intent
Before we look at the types of hackers and threat models, it is important to understand the different levels of hacking capabilities for each type of hacker, or threat actor, and the different reasons of intent for hacking.The capabilities of a hacker will vary depending on the type of threat actor the hacker is and the types of attacks being performed. Some attacks are basic in nature, so you may find that all types of hackers can perform these attacks, while more sophisticated attacks are performed by hackers with more detailed knowledge of the underlining technologies being hacked, their vulnerabilities, and how to exploit those vulnerabilities.
A hacker may be motivated to hack for many reasons, such as for financial gain (for example, hacking into bank accounts or selling sensitive data that was obtained in the hack) or for the fame or notoriety that is earned by hacking into a big-name company. A hacker may also be motivated by a personal cause or a group cause, as is the case with terrorists or activists.
Threat actor
A threat actor is a person or entity that causes the threat against your assets. When it comes to hacking, you should be aware of some common threat actors:- Script kiddies: A script kiddie is a person who does not necessarily have much background on how attacks work, they simply run some automated tools to try to exploit systems. Their intent is typically for the challenge, and also bragging rights.
- Hacktivist: A hacktivist is a person who hacks for a cause, such as for political purposes or for social change. The capabilities of the hacktivist can range from basic to advanced hacking knowledge such as is the case with the infamous hacking group called “Anonymous.”
- Insider threat: Insider threats are threats from inside your organization or inside your network. These can be very serious threats of malicious destruction from a disgruntled employee or even innocent mistakes made by other employees.
- APT: An Advanced Persistent Threat (APT) is an advanced hacking process such as one found in a nation-state–sponsored group or person that gains unauthorized access to a network for political or economic reasons. The attack typically happens to gain unauthorized access for a long period of time, such as many months, by planting malicious software on the system that will monitor activity, collect sensitive data, or damage the system. APT also includes advanced hacks on financial institutions, defense contractors, and software companies, such as Twitter or Facebook, which would contain a wealth of sensitive information the hacker would like to collect.
Adversary tier
Threat actors are typically identified in an adversary tier that ranks the threat actors by their capabilities and the damage they can perform. The threat actors discussed earlier are ranked based on their threat level and capabilities, as follows (1=low, 4=high):- Script kiddie
- Insider threat
- Hacktivist
- APT
The adversary tier