Glen E. Clarke - CompTIA Pentest+ Certification For Dummies

Known-environment: This test was formerly known as a white box test. In a known-environment penetration test, the penetration testers are given all of the details of your network environment, including server configurations and the services they run, a network diagram showing different network segments and applications, and IP address information.

Partially known-environment: This test was formerly known as a gray box test. In a partially known-environment penetration test, a limited amount of information is given to the penetration testers, such as the IP ranges used by the company or addresses of your public Internet servers. With this information, the pentesters will discover what services are running on each system and then try to exploit those systems.

For the PenTest+ certification exam, remember the different pentest strategies. Unknown-environment testing is when no details about the target are given; known-environment testing is when all known information about the targets is given to testers; and partially known-environment testing is when limited information, such as IP addresses or server names, is provided to keep the pentest focused on those targets.

The purpose of penetration testing is to simulate attacks that could occur in real life. A big part of information security — and something all security professionals should be aware of — is who are you protecting against? Who would attack your network or website?

Before we look at the types of hackers and threat models, it is important to understand the different levels of hacking capabilities for each type of hacker, or threat actor, and the different reasons or intent for hacking.

The capabilities of a hacker will vary depending on the type of threat actor the hacker is and the types of attacks being performed. Some attacks are basic in nature, so you may find that all types of hackers can perform these attacks, while more sophisticated attacks are performed by hackers with more detailed knowledge of the underlining technologies being hacked, their vulnerabilities, and how to exploit those vulnerabilities.

A hacker may be motivated to hack for many reasons, such as for financial gain (for example, hacking into bank accounts or selling sensitive data obtained in the hack) or for the fame or notoriety earned by hacking into a big-name company. A hacker may also be motivated by a personal cause or a group cause, as is the case with terrorists or activists.

A threat actor is a person or entity that causes the threat against your assets. When it comes to hacking, you should be aware of some common threat actors:

Script kiddies: A script kiddie is a person who does not necessarily have much background on how attacks work; they simply run some automated tools to try to exploit systems. Their intent is typically for the challenge, and also bragging rights.

Hacktivist: A hacktivist is a person who hacks for a cause, such as for political purposes or for social change. The capabilities of the hacktivist can range from basic to advanced hacking knowledge, such as is the case with the infamous hacking group called “Anonymous.”

Insider threat: Insider threats are threats from inside your organization or inside your network. These can be very serious threats of malicious destruction from a disgruntled employee or even innocent mistakes made by other employees.

APT: An Advanced Persistent Threat (APT) is an advanced hacking process such as one found in a nation-state–sponsored group or person that gains unauthorized access to a network for political or economic reasons. The attack typically happens to gain unauthorized access for a long period of time, such as many months, by planting malicious software on the system that will monitor activity, collect sensitive data, or damage the system. APT also includes advanced hacks on financial institutions, defense contractors, and software companies such as Twitter or Facebook, which would contain a wealth of sensitive information the hacker would like to collect.

Threat actors are typically identified in an adversary tier that ranks the threat actors by their capabilities and the damage they can perform. The threat actors discussed earlier are ranked based on their threat level and capabilities as follows (1=low, 4=high):

1 Script kiddie

2 Insider threat

3 Hacktivist

4 APT

Figure 1-1 summarizes the adversary tier with script kiddies at the bottom of the skillset and APT at the top.

Penetration testing typically involves an exercise known as threat modeling. Threat modeling refers to the act of documenting company assets and then defining the types of attacks or threats against those assets. The threats are then assigned a likelihood (the chances the attack will happen) and impact (how serious the result of the attack if successful) so that the threats can be prioritized. Based on the priority of the threats, security professionals put security controls in place to prevent those threats from occurring or to minimize the impact.

Graphic designed and created by Brendon Clarke.

FIGURE 1-1:The adversary tier.

The CompTIA penetration testing process involves four major phases:

1 Planning and scoping

2 Information gathering and vulnerability identification

3 Attacks and exploits

4 Reporting and communication

Over the course of this book, I go into detail about each of these penetration testing phases. Here, I provide a high-level overview of each one.

The first phase of the penetration testing process is planning and scoping. This phase is important as it is when you identify the goals of the penetration test, the timeframe, and the rules of engagement (the types of attacks you are allowed and not allowed to perform during the pentest).

The planning and scoping phase should start with a pre-engagement meeting that determines the extent of the penetration test, such as whether the testing will include internal and external assets. In this phase, you will also determine what systems need to be tested, the best time for testing, and the types of attacks that are allowed and not allowed.

An important part of the planning and scoping phase is to create a statement of work that specifies exactly what is to be tested and to get written authorization from a person of authority for the business that gives you permission to perform the penetration test. Remember that attacking and exploiting systems without prior authorization is illegal.

For the PenTest+ certification exam, remember to get written authorization from an authorized party such as the company owner or an upper-level manager before moving on to phase two of the penetration testing process.

Chapter 2covers planning and scoping.

The second phase of the penetration testing process is the information gathering and vulnerability identification phase, which is also known in other pentest models as the “reconnaissance phase.” This phase can be broken into two subphases: information gathering as the first subphase, and vulnerability identification as the second subphase.