Penetration Testing Methodology: Emulating Realistic Attacks by a Malicious Actor

< Back to Blog Home

Penetration Testing Methodology

The foundation of VerSprite’s penetration testing methodology is based on emulating realistic cyber-attacks by a malicious actor through the use of a threat modeling methodology PASTA (Process for Attack Simulation and Threat Analysis).

PASTA consists of a seven-stage process for simulating attacks and analyzing threats to the organization and application in scope with the objective of minimizing risk and associated impact to the business.

VerSprite Penetration testing incorporates the methodology and aims at solving the probability variable in a risk analysis of realistic attack patterns. Targeting exposed corporate network endpoints, hosted infrastructure, supporting platforms, or pivoting off third-party solutions – pen testing emulates current and advanced attack patterns in both black box and gray box scenarios.

VerSprite’s OffSec team also supports the following global standards as a part of Application Security testing:

• The penetration testing standard (PTES)
• OWASP’s Application Security Verification Standard
• NIST’s Standard Publication around Security Testing

Application Threat Modeling

This risk-based threat modeling approach goes beyond traditional threat modeling by enabling a company to make security decisions driven by business objectives.

This posture to both application and network security that VerSprite takes by assessing the operational impact and the threats to the business before evaluating the security of the applications, services, and infrastructure in scope helps not only to understand the vulnerabilities but remediate them in a business rationalized manner.

Thus, each penetration test exercise begins by modeling the threat to understand attacker motivation and possible targets. Then, we identify likely attacks that can cross technologies, people, and processes, and assess the strength of the countermeasures to resist attacks. This allows for decisions on mitigation of vulnerabilities to be made based on the operational risk to the business.

As a result of this very first phase for every engagement, VerSprite will have acquired at least the following information to then walk through the corresponding methodology, selected based on the type of engagement:

• Business objectives for the application/service/infrastructure in scope;
• Business use cases that are the most critical/sensitive;
• Abuse cases that are the most critical/sensitive for the business;
• Possible Threat Actors targeting the application/service/infrastructure in scope;
• Principal Threat Motives;
• Type of targeted information and assets in scope;

This approach allows VerSprite to understand security from both a business and attacker perspective in order to model and simulate realistic attacks during the engagement, pressure test the security posture being targeted, and provide key insights and recommendations that align security with business.

VerSprite’s methodology during client engagements is commensurate to the type of security effort that is provided and the objectives for the exercise.  As seasoned security professionals, the team recognizes the effectiveness of industry frameworks and standards that exist across an array of security disciplines, but at the same time understands that there are no one-size-fits-all solutions.

As a result, VerSprite successfully employs the use of both in-house developed, as well as renowned and well-regarded methodologies as part of the consulting engagements in order to align the client deliverables and security services to an industry acceptable level of security management.

Applying PASTA to Penetration Testing

The use of PASTA and VerSprite’s Threat Modeling methodology will guide the ensuing penetration test exercise, which can be performed in different ways depending on the approach to take and how much information is to be shared during the testing. The best way to see this is as follows:

• Blackbox Application Penetration Testing takes a DAST (Dynamic Application Security Testing) approach and assumes no prior information is provided about the target. With this type of approach, VerSprite’s team of experts attempts to simulate an attack by a threat actor that would have little to no insight into the environment or application architecture.
• Whitebox Application Penetration Testing takes a SAST (Static Application Security Testing) approach where the source code of the application is provided for its review. Depending on the size of the application, this can be time-consuming, but if performed along with an application threat model, this could be the way to go if you are looking to find as many issues as possible and understand if secure development best practices are being followed. If a test environment is available during the exercise, every finding can be validated dynamically to provide a better Proof of Concept that shows the real impact of exploiting the vulnerability
• Greybox Application Penetration Testing takes a DAST approach, and credentials are provided to perform authenticated testing. Additional documentation can be shared around the environment and architecture of the application to help in understanding its inner working and how the different components work together. If the source code of the application is also provided in order to support the testing, the Application Pentest takes a mixed approach between dynamic and static analysis instead. This Greybox approach allows for combining the convenience of DAST with the depth of analysis provided by SAST, which not only saves time during dynamic testing but also enables the possibility of going deeper in the review of critical functions to the business.

Regardless of the type of engagement, VerSprite takes a completely manual approach to testing; automated testing is only an option for a breadth of coverage or when necessary to complement certain tests.

This guarantees a more in-depth understanding of the target which, in the end, provides better quality results in terms of findings while eliminating false positives and providing real Proof of Concepts for each of the issues found. Interested in learning more? Contact us here.