In this blog, I wanted to look back at the evolution of security from the early 90s to today and address the changes that have occurred in penetration testing.  There have been significant advances in automating some of the more routine aspects of a penetration test that would normally have been handled by a custom script written in Perl or Python by a tester on the fly.  Today, we’ve evolved to the point of having “automated penetration testing” platforms such as the Metasploit project pioneered by HD Moore, now a part of Rapid7’s NeXpose solution.  So what’s the net effect?

Back in the early 2000s, the quality of a penetration test lay solely in the hands of the tester: his/her ability, and his/her access to exploits and resources that weren’t always publicly available.  Some of that was harnessed through the open source nature of Metasploit, which served as one of the first instances of a solution that could reduce the tester’s learning curve.

In the same vein, I don’t believe in just using tools to make things easier without understanding the underlying concepts and the basics of exploitation.  In the hands of the right tester, tools like Metasploit become invaluable for conducting more efficient penetration tests and yielding a greater return on those engagements.  This is especially true for time-boxed penetration tests limited to 5 or 10 days, where exploitation results were a pure function of the time available and of the tester’s knowledge and capabilities.

Our penetration team here at KCG is made up of people who understand how things “work under the hood” rather than just being able to hit the button on the GUI.  In our opinion, the fundamental skill behind penetration testing is “logical extrapolation”.

Logical extrapolation is the foundation that lets a tester leverage his/her knowledge of basic concepts and principles (e.g. TCP/IP protocols, HTTP protocols, application architectures) to extrapolate the exploitation path from the responses one sees during a pen test.  It seems simple, but the age of tools and automation has led to a heavy dependence on a tool’s capabilities and limitations.  Logical extrapolation can only be effective if the proper knowledge underpins the exercise of connecting the points to reach your end state of exploitation (and it sometimes takes a lot of patience too).

The greatest return from a penetration test can only be achieved by marrying the right tool sets with the right testers, who leverage their knowledge of basic concepts and principles to evaluate results.
