Changing (Social-Engineering) an Industry: The Penetration Testing Execution Standard (PTES). Dave Kennedy (ReL1K), http://www.secmaniac.com, Twitter: Dave_ReL1K
Before we start: Open discussion. It shouldn't be me driving this presentation. Community collaboration, community driven.
History: PTES started officially at ShmooCon 2010, but it was an idea we've all had for years. Penetration testing is a fundamental principle in security: something required to mature and advance a security program, and something that's tangible.
The Goal: Fix security. Define penetration testing.
Not all is wrong: Security is actually going better than expected for such a young industry. We have people dedicated to security; this room is filled with people passionate about security. As an immature industry, we have our share of problems.
Penetration Testing: Who has had a penetration test? Everyone's hands should have been raised by now. But who here has really had a penetration test?
Let's share our thoughts on a pentest: Let's go around the room and share thoughts on what a penetration test is. Not a trick question; everyone is right on this.
A pentest to me: The ability to identify exposures within the organization that represent a true breach simulation, and the ability to hinder the company's ability to generate revenue. The baseline analysis of how well the overall security program is functioning, and a test of the effectiveness of controls. The only true testament to what exposures exist and how to prioritize, via risk management, what to remediate.
That's just me. Others may view it as a way to become compliant with regulations and standards. Others may view it as a way to tactically fix all vulnerabilities found. Others may view it as a way to test controls. Others may view it as a vulnerability scan with validation.
But that's just it: Going around the room, we may have heard some similar ideas of what a pentest is, but were they all the same? Are they the same in the industry?
Welcome to PTES: PTES was designed to take industry leaders, people in the field, and people just starting off; to listen, learn, and come up with something that identifies what a penetration test is. What it was designed to be, what it should have always been.
I'm selling this to you. You are the only way PTES will be successful: through adoption. Think about an industry that's united in its views on how to tackle security issues and fix them. Instead of...
GRC. APT. DLP. CIA. MSB. ISO. Things that don't work.
They can work: The concepts are strong and noble. But they lack the fundamental principles of why we're here. This is my personal opinion and mine only, but we have made an over-convoluted process of all of these terms. Just for $$.
Let's go around and discuss how we are doing in security, and what's worked and what hasn't.
PTES Basics: Penetration tests are the only tangible means of identifying and prioritizing true risks to the company. A foundational building block of a security program. Each company is different, and thus each penetration test must be different.
Methodologies
PTES-G Basics: Technical guidelines on how to conduct a penetration test. This is more of the living document of the standard. It always needs work and always needs help. Contribute to what you're an expert in.
The Standard: In draft form and undergoing a lot of work and additions. Some sections have been completed. The industry is adding a ton more to make it solid. It is already being discussed for integration into multiple regulatory requirements.
What this means: A clear standard of what a penetration test is and the language that should be used. Ways for you as an organization or company to sell or procure pentesting services. A way to truly get to the root cause of a security program's problems versus skimming the surface.
What this means (cont.): Raises the bar for penetration testers, including the dime-a-dozen ones out there. Hopefully throws out the cheapest bidder (big hope). Establishes criteria and expectations we have to abide by. Changes an industry to one where we focus on fixing problems versus convoluted terms.
Let's walk through the standard: Phased approach. Repeatable. Methodical. Still keeps true to the hacker mentality.
Levels of Effort: Not every company (99 percent aren't) is ready for a crazy pentest. Varying levels (something we're building into PTES) based on a maturity model. Different levels of attackers; right now, no one needs an 0day.
Pre-Engagement Interaction: This is probably one of the most important elements. Focus on understanding the purpose of the penetration test: what the company's struggles are and what they need. The ability to gauge the penetration testers and outline what efforts will be performed.
Intelligence Gathering: Learn about the company. Understand the company. How does it tick? Gather as much information as possible.
Threat Modeling: Learning our best way to attack the organization. Is it SE? Web app? Physical? Hugs? Finding the most successful, most impactful, and best route into the company.
Vulnerability Analysis: After the threat modeling phase, identify the most vulnerable way to penetrate the infrastructure or company. Identify what exposures exist through manual attack vectors and select the method that will be most impactful to the company. Learn the overall company and attempt to circumvent controls, without actually penetrating at this point.
Exploitation: Precision hit. Targeted. Well thought out. Aimed at causing the most impact.
Post-Exploitation: This is where it really counts. Impact the company's ability to generate revenue (see a theme?!). Learn, understand, be careful, spend time.
Reporting: Take everything you've learned and build something tangible. Don't focus on GRC, BIA, CIA, BCP; focus on the company's overall security program and ways of improving it. Get to the root cause; focus less on tactical findings.
Think differently: I urge you to think differently, to think outside of what you're taught. Throw away the vendor and consulting lingo; bring in common sense. We're trying it and doing it. This will, can, and has worked.
Adoption: It's you. Don't hire someone if they don't adopt PTES. Learn PTES and what you should be asking. Consulting companies: offer this as an offering. Do something!