Every day, clients contact us with similar questions and concerns about our overall strategy during a penetration test and how the testing is carried out. The role of an attacker can take various forms (e.g., external, internal), which can add further confusion about the role of a penetration tester and how they conduct their engagements.

Common examples of frequently asked questions include:

  • Why is it recommended to provide and use credentials from the client when testing an application?
  • Does the penetration testing organization need to be whitelisted during the engagement?
  • Shouldn’t the testing engagement be focused on replicating an external hacker trying to penetrate all defenses to get an accurate evaluation of our implemented security?
  • Isn’t it cheating to get any type of insider knowledge about the network or application before the test?

To help clarify the topic of security testing, it is easiest to divide penetration testing into three main types: black-box, grey-box, and white-box. These three types differ in the level of knowledge and access granted to the security consultant (i.e., the penetration tester) when the engagement begins. A black-box penetration test starts with the least knowledge of and access to the target, while a white-box test is granted the most. Choosing the right type for your organization can greatly influence the outcome of the testing process.

Black-Box Penetration Testing

In a black-box engagement, the consultant has no access to internal information and is not granted internal access to the client's applications or network. It is the consultant's job to perform all reconnaissance and obtain the knowledge needed to proceed, which places them in a role as close to that of a typical external attacker as possible. This type of testing is the most realistic, but it also consumes a great deal of the engagement's time on reconnaissance and has the greatest potential to overlook a vulnerability that exists in the internal part of the network or application. A real-life attacker has no time constraints and can take months to develop an attack plan while waiting for the right opportunity; a penetration test is scoped to days or weeks.

In addition, many defensive tools exist within networks to help prevent an existing vulnerability from being exploited. Even modern web browsers have built-in protections and settings that can block an attack, yet the weakness in the application still exists, and all that is required to exploit it is a different setting, an older browser version, or a client that does not apply the protection at all. Just because a configuration prevents a vulnerability from being found or exploited does not mean the vulnerability does not exist or is actually being mitigated; it only means that some outside force is masking the result. This can produce a dangerous outcome and a false sense of security that may be exploited later by someone who has more time to explore the attack surface.
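The following is an added example, not code from the original article or from Packetlabs. It illustrates the point above with a reflected cross-site scripting check: the "application" is a hypothetical search handler (`vulnerable_search_page`, `fixed_search_page`, and the `app.example` host are all assumptions for this illustration), and the payload is constructed. A tester who judges the finding only by whether a browser executes the payload can be misled by a client-side protection; inspecting the raw HTTP response shows that the server still reflects untrusted input unencoded. The legacy `X-XSS-Protection` header is used as the "outside force": it asked older browsers to block reflected scripts, is ignored by current mainstream browsers, and changes nothing about the server's behaviour.

```python
import html
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qs, quote, urlsplit

# Constructed test payload for the demonstration (not from any real engagement).
PAYLOAD = "<script>alert(1)</script>"

Response = Tuple[Dict[str, str], str]  # (headers, body)


def _query_param(url: str, name: str) -> str:
    """Return the first value of a query-string parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def vulnerable_search_page(url: str) -> Response:
    """Hypothetical handler that reflects 'q' into HTML without encoding it."""
    q = _query_param(url, "q")
    headers = {"Content-Type": "text/html; charset=utf-8"}
    body = f"<h1>Results for {q}</h1>"  # untrusted input lands in HTML verbatim
    return headers, body


def vulnerable_with_browser_header(url: str) -> Response:
    """Same handler, plus a legacy browser-side mitigation header.

    This is the 'outside force' case: the server code is unchanged, so the
    vulnerability is still present even if some clients refuse to execute it.
    """
    headers, body = vulnerable_search_page(url)
    headers["X-XSS-Protection"] = "1; mode=block"
    return headers, body


def fixed_search_page(url: str) -> Response:
    """Hardened handler: the input is HTML-encoded before it is embedded."""
    q = _query_param(url, "q")
    headers = {"Content-Type": "text/html; charset=utf-8"}
    body = f"<h1>Results for {html.escape(q, quote=True)}</h1>"
    return headers, body


def reflected_unescaped(body: str, payload: str) -> bool:
    """Tester-side check on the raw response: is the payload reflected verbatim?

    This deliberately does not depend on any browser behaviour; it looks at what
    the server actually sent, which is what a black-box tester should record.
    """
    return payload in body


def assess(handler: Callable[[str], Response], payload: str = PAYLOAD) -> Dict[str, bool]:
    """Send the constructed payload through a handler and report two facts:
    whether the server reflects it unencoded, and whether a client-side
    mitigation header is present. Only the first one is the vulnerability."""
    url = "https://app.example/search?q=" + quote(payload)
    headers, body = handler(url)
    return {
        "reflected": reflected_unescaped(body, payload),
        "client_side_mitigation": "X-XSS-Protection" in headers,
    }


if __name__ == "__main__":
    for name, handler in [
        ("vulnerable", vulnerable_search_page),
        ("vulnerable + X-XSS-Protection", vulnerable_with_browser_header),
        ("fixed (output encoding)", fixed_search_page),
    ]:
        print(f"{name:32s} {assess(handler)}")
```

Run as a script, the first two handlers report `reflected: True` regardless of the mitigation header, and only the handler that encodes its output reports `reflected: False`. The takeaway for scoping a test is that a finding should be established from the server's response, not from whether one particular client happened to block it.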

Grey-Box Penetration Testing

An engagement that allows a higher level of access and increased internal knowledge falls into the category of grey-box testing. By comparison, a black-box tester begins the engagement from a strictly external viewpoint and attempts to get in, while the grey-box tester has already been granted some internal access and knowledge, which may come in the form of low-privilege credentials, application logic flow charts, or network infrastructure maps. Grey-box testing simulates an attacker who has already breached the perimeter, or a malicious insider, and has some form of internal access to the network.

Providing this background to the security consultants undertaking the assessment creates a more efficient and streamlined approach. It saves the time (and money) spent on the reconnaissance phase, allowing the consultants to focus their effort on finding and exploiting vulnerabilities in higher-risk systems rather than on discovering where those systems are.

White-Box Penetration Testing

The final category of testing is white-box testing, which gives the security consultant complete, open access to the applications and systems. Consultants can review source code and are granted high-privilege accounts on the network. The purpose of white-box testing is to identify potential weaknesses in areas such as logic flaws, security exposures, security misconfigurations, poorly written code, and missing defensive measures. This type of assessment is the most comprehensive, as both internal and external vulnerabilities are evaluated from a "behind the scenes" point of view that is not available to a typical attacker.

Combining the knowledge of experienced security consultants with a proven, systematic use of tools for both dynamic analysis (e.g., fuzzing) and static analysis (e.g., code review) provides an inclusive testing methodology that helps identify every component that may be an area of concern.

Which approach is right for your organization?

In conclusion, the purpose of a penetration test is for the security consultant to make your network, system, or application more secure. This is accomplished by the consultant and the client working together to identify the approach that best fits your organization's needs while getting the most value out of the engagement. All three testing methods are defined by the amount of time, efficiency, and exposure the client is prepared to grant the consultant. Black-box is the most realistic testing method, but it may sacrifice time and efficiency on less important areas of the attack surface, increasing the probability that high-risk internal vulnerabilities are overlooked.

Grey-box penetration testing is the most effective of the three and allows the consultants to focus their attention on the most valuable areas within the network, increasing attack coverage and efficiency. White-box testing is the most comprehensive, but it requires a large amount of data and knowledge to be made available to the consultant so they can increase the probability that all internal and external vulnerabilities are identified and mitigated. In the end, the choice of approach depends on how the attack simulation would benefit the organization the most. Defining the concerns the client wants to resolve is essential to designing a customized approach that effectively meets the necessary security requirements.

As a penetration testing company, our team of highly skilled security consultants customizes every engagement by adjusting our focus to fit the client's needs. We understand that no client's architecture or application fits into a predefined box, and each will require an adaptive testing methodology to develop a solution that works best for your organization. Our consultants are proficient at adapting to our clients' environments and are familiar with a wide variety of tools, techniques, and targets. At Packetlabs, our first priority is to locate and mitigate our clients' security vulnerabilities before they can be exploited by an attacker.