Hiring a penetration tester is a vital part of cybersecurity. These ‘white hat’ hackers search for weaknesses in cybersecurity. If they find a way in, the hole can be patched before the bad guys discover it.
Many businesses are in the dark about pen-testing. Who are these guys? How do they work? Is there a standard approach? And what does a pen-test really tell you?
The first thing to know is that pen-testers use a set of pretty standard tools. Anyone can learn to use them.
“There’s Metasploit, an exploit framework used to exploit vulnerabilities and deliver payloads,” says Christian Espinosa, managing director of cybersecurity consultancy Cerberus Sentinel. “Burp Suite is used for web application hacking. Wifite is used for WiFi hacking, sqlmap is used to probe and attack SQL databases, and Nmap is used for network discovery of open ports, services. Hashcat is used to crack passwords.”
Overall there are around two dozen mainstream tools for pen-testing. They are freely available. There’s no need to rummage around the dark web. Most are open source and cost nothing. Metasploit, for example, is downloadable from GitHub.
There are even operating systems designed for the job. Louise Barber, senior consultant at risk management consultancy Turnkey Consulting, says: “Testers will try to use the same tools as real-life criminals where they are legally able to do so. Platforms such as Kali Linux are pre-built with lots of such tools, including Nmap and Metasploit, as well as tools such as Wireshark, Netcat, and Burp Suite for full end-to-end testing of applications, and analysing network traffic.”
These standard tools are augmented by the pen-tester’s homebrew scripts. Liam Follin, senior service development consultant at Pentest People, for example, wrote the Athena script which provides visibility into whether the passwords of users associated with a domain have been leaked online. It’s a fast-moving trade, so the top pen-testers improvise like this.
Again, many of these tools are shared with the community on GitHub.
Social attacks
Software tools are only phase one. Pen-testers will also use information gleaned from internet searches, and even visits to the office of the target, to gain an edge.
“According to Proofpoint’s 2019 report The Human Factor, 99% of cyber attacks use social engineering techniques to trick users into installing malware,” says Leon Teale, senior penetration tester at IT Governance. “The most common form of social engineering attack is phishing. Phishing attacks exploit human error to harvest credentials or spread malware, usually via infected email attachments or links to malicious websites.”
There is a long list of techniques, says Teale. He cites clever methods such as offering free giveaways that turn out to be infected devices. There’s tailgating, when a hacker physically follows the target into a restricted area while claiming to have mislaid their security pass. And then there’s water-holing, which infects websites that a target group is known to frequent, as happened in 2017’s NotPetya infection. Believed to be a politically motivated attack against Ukraine, NotPetya infected a Ukrainian government website and then spread through the country’s infrastructure.
How pen-testers learn the job
The image of pen-testers conjures up maverick hackers, working in a basement surrounded by screens. In fact, many learn by simply going on courses. One former Pen Tester of the Year was a roadie in his previous job, until he got bored stacking boxes for touring musicians. So he took the cyber exams, and became an ethical hacker at KPMG.
“There are a number of training and certifications available,” explains Jonathan Wood, CEO of C2 Cyber. “But the most prestigious is the Offensive Cyber Security Professional (OCSP), a 24-hour exam which requires you to identify various vulnerabilities and break into a network. It’s offered by the organisation Offensive Security and is intended for cyber-security professionals who want to step into the world of professional penetration testing.”
He adds: “But as malicious hackers get smarter, it’s critical for ethical hackers to be on top of the latest vulnerabilities and threats to keep one step ahead. The only way to achieve this is self-studying.”
A popular place to learn is Hack the Box, founded by Haris Pylarinos in 2017, now with 670,000 active users. It offers tuition for cyber experts of all standards, and runs Capture the Flag competitions – in which teams of hackers solve a series of challenges such as hacking websites, forensic examinations, and blockchain tasks. Challenges like this keep pen-testing teams sharp, and give students of the art a way to test their skill levels.
How good are pen-testers?
And, finally, there’s the question of whether the pen-testers always succeed. The truth is there are almost no systems without some sort of weakness. Nate Drier, managing principal consultant at Secureworks, puts it this way: “Good teams have a very high level of success in penetration testing, but usually have to deal with time and scoping restraints that the real bad guys don’t abide by.” He says well-funded hackers, such as nation states, can take weeks or months to achieve their goal: “The real bad guys often have a lot of patience when it comes to achieving their ultimate compromise or payday.”
The best policy is not merely to employ pen-testers but to work with cyber consultants to flesh out a policy for when disaster strikes. For example, 22 heads of IT from NHS bodies in Cheshire and Merseyside carried out a drill run by consultancy Gemserv, after the WannaCry ransomware attack that affected 34% of NHS trusts. “After WannaCry, we swore that we would work more closely together, under the tagline, ‘We are only as strong as our weakest link’,” says Paul Charnley, lead for the NHS project. The exercise looked at security, and the ability to restore compromised databases. “I want to do this every six months, certainly every year, and I think every ICS [integrated care system] should be planning to do the same,” says Charnley.
It’s a strong point. Pen-testers are extremely good at discovering vulnerabilities. What an organisation does with that information is the next big question.