Every penetration test, whatever its type, consists of four main phases: planning, pre-attack, attack, and post-attack. Few people realize how much work goes into the pre-attack phase. Just as even the best-built house will crumble without a solid foundation, penetration testers must do their due diligence at the beginning in order to execute successful exploits later.
Some penetration testing companies focus almost all of their attention on the attack and post-attack phases and spend very little time on planning and pre-attack. As a result, these testers may overlook vulnerabilities they would have uncovered with more thorough preparation.
Mitnick Security Consulting knows that a proper pre-attack phase is the foundation of any successful compromise, which is why it is a crucial component of our pentesting framework.
Here's a look into our heavy pre-attack-focused approach to pentesting:
Thorough Scoping & Engagement Calls
Understanding the scope of a pen test is crucial to executing the assessment successfully and is arguably one of the most important parts of any penetration test framework. Unfortunately, clients are not always able to articulate precisely what they are looking for.
In that case, a one-on-one scoping call between the client and the penetration testers is necessary to hash out the details, yet not all pentesters will take the extra time to do so. Additionally, engagement calls may be held as needed throughout the test to ensure that both parties have the knowledge they need to perform their tasks with minimal impact on business operations.
Here at Mitnick Security, we speak with the client personally, help them understand the process, and work with them to determine a proper scope for the assessment. This personal approach to scoping and engagement calls lets our team of pentesters understand what is truly important to the client and develop a tailored plan for the assessment.
Extensive OSINT Research
Open-source intelligence, commonly referred to as OSINT, is the collection and analysis of publicly accessible data. Because real-world attackers routinely use information gathered from public sources (social media, company websites, press releases, and more) against a target, this research is a necessary part of any pentest framework.
The pentester must scour the web for any information that will be useful in carrying out the attack. Vendor relationships disclosed on company websites, maps of physical locations, photos of the access badges employees use to enter secured areas, and the organization's email address format are all incredibly valuable to an attacker.
When performing a physical pentest, the assessor can use photos gathered from public sources to craft a badge that looks identical to the ones employees wear. In many cases, simply looking like you belong is enough to get you through the front door.
By locating the email addresses and job titles of employees within the target organization, a pentester can build a targeted spear-phishing campaign, or a whaling attack aimed at executives, to gain an initial foothold in the organization's infrastructure.
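As an added example (not Mitnick Security's own tooling), the following Python script shows the email-enumeration step described above: it infers an organization's email naming convention from a few addresses already found in public sources, applies that convention to names harvested from a staff page, and orders the candidates by job title so executive (whaling) targets surface first. All names, titles, the example.com domain and the title weights are constructed; on a real engagement the candidates would be confirmed against the client's mail system, within the agreed scope, rather than trusted on inference alone.

```python
import unicodedata
from collections import Counter

# Constructed sample data (hypothetical names, titles and the example.com domain).
# KNOWN_ADDRESSES: addresses already seen in public sources (press releases,
# mailto: links, conference speaker pages), paired with the person's name.
KNOWN_ADDRESSES = [
    ("Jane Doe", "jdoe@example.com"),
    ("Robert Smith", "rsmith@example.com"),
    ("Maria Garcia", "mgarcia@example.com"),
    ("Press Office", "info@example.com"),  # role mailbox: matches no personal pattern
]
# HARVESTED_STAFF: names and titles scraped from a staff page or social media,
# for whom no address has been observed yet.
HARVESTED_STAFF = [
    ("Alan Turing", "Head of Finance"),
    ("Grace Hopper", "IT Administrator"),
    ("Ada Lovelace", "Chief Executive Officer"),
    ("José Álvarez", "Director of Operations"),
]

# Common corporate local-part conventions, keyed by a label.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "first":      lambda f, l: f,
}

# Title keywords and weights used to prioritise whaling targets (hypothetical scoring).
TITLE_WEIGHTS = {"chief": 3, "ceo": 3, "cfo": 3, "executive": 2, "head": 2,
                 "director": 2, "admin": 2, "finance": 1}


def split_name(full_name):
    """Return (first, last) in lowercase ASCII. Diacritics are folded so that
    'José Álvarez' yields ('jose', 'alvarez'), which is how most mail systems
    form local parts."""
    ascii_name = unicodedata.normalize("NFKD", full_name).encode("ascii", "ignore").decode()
    parts = ascii_name.lower().split()
    return parts[0], parts[-1]


def infer_pattern(known):
    """Vote each known (name, address) pair against PATTERNS.
    Returns (pattern_label, domain, confidence), where confidence is the share of
    known addresses that agree with the winning pattern, or None if nothing matches."""
    votes, domains = Counter(), Counter()
    for name, email in known:
        local, _, domain = email.lower().partition("@")
        domains[domain] += 1
        first, last = split_name(name)
        for label, build in PATTERNS.items():
            if build(first, last) == local:
                votes[label] += 1
    if not votes:
        return None
    label, hits = votes.most_common(1)[0]
    domain, _ = domains.most_common(1)[0]
    return label, domain, hits / len(known)


def generate_targets(staff, pattern, domain):
    """Apply the inferred convention to harvested names: (name, title, candidate address)."""
    build = PATTERNS[pattern]
    return [(name, title, f"{build(*split_name(name))}@{domain}") for name, title in staff]


def rank_targets(targets):
    """Order candidates by title weight so whaling targets come first;
    ties keep their harvested order because sorted() is stable."""
    def score(target):
        title = target[1].lower()
        return sum(w for kw, w in TITLE_WEIGHTS.items() if kw in title)
    return sorted(targets, key=score, reverse=True)


if __name__ == "__main__":
    pattern, domain, confidence = infer_pattern(KNOWN_ADDRESSES)
    print(f"inferred convention: {pattern}@{domain} (confidence {confidence:.0%})")
    for name, title, addr in rank_targets(generate_targets(HARVESTED_STAFF, pattern, domain)):
        print(f"{addr:28} {name:15} {title}")
```

The confidence figure matters: a role mailbox or a legacy address that predates a naming-convention change will drag it below 100%, and a low figure is the signal to collect more known addresses before building a target list on the guess.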
The key to any successful social engineering attack is gaining the target's trust and building a relationship with them. An experienced social engineer knows this, and any knowledgeable pentesting partner must work the same way.
Before sending a malicious link to gain access to the network, social engineers have at least two or three interactions with a user in the organization to build rapport. During these interactions, they draw on seven tactics to gain the user's trust. Once the user has a relationship with the attacker or assessor, the bait can be dropped for the unsuspecting user to take. If the attacker does not put in the time and tactics needed to gain the target's trust, the attempt will fail, which leaves a gap in the pentesting framework and forces the tester to start over with a new set of targets and more careful nurturing.
Discreet Digging Once Hacked
Once a pen tester gains an initial foothold in the network, their job doesn't end there. Depending on the engagement scope, the assessment team will have various objectives to achieve. For example, a company that holds a lot of intellectual property (IP) may ask the penetration testing company to try to obtain access to and view that data, since its leak could hurt the company's bottom line.
The assessment team needs to perform discreet digging and information gathering to locate that data; if the team's presence is detected, the engagement is jeopardized.
The ATT&CK framework, developed by MITRE, is a knowledge base of adversary tactics and techniques drawn from real-world observations of cyberattacks. Its original Enterprise matrix identified ten high-level tactics within the three post-exploit phases of the attack lifecycle (control, execute, and maintain) that adversaries pursue once they are inside a network. The matrix has since grown to 14 tactics, adding pre-compromise and impact stages, but the ten post-exploit tactics remain at its core.
The ten high-level tactics are:
- Privilege Escalation
- Defense Evasion
- Credential Access
- Lateral Movement
- Command and Control
- Execution
- Persistence
- Discovery
- Collection
- Exfiltration
The Mitnick team bases its post-exploitation work on these tactics to ensure that the simulated attack is in-depth and that no tactic an adversary would use goes unexamined.
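The following Python script is an added example, not part of Mitnick Security's methodology: it reads an engagement activity log in which each action is tagged with an ATT&CK technique ID, maps the IDs to tactics, and reports which of the ten post-exploitation tactics the team has not yet exercised, so gaps in the simulated attack show up before the report is written. The log lines and their timestamps are constructed; the technique-to-tactic pairings are a small inline subset of the public ATT&CK matrix.

```python
import re
from collections import defaultdict

# The ten post-exploitation tactics of the original MITRE ATT&CK Enterprise
# matrix, in attack-lifecycle order.
POST_EXPLOIT_TACTICS = [
    "Execution", "Persistence", "Privilege Escalation", "Defense Evasion",
    "Credential Access", "Discovery", "Lateral Movement", "Collection",
    "Command and Control", "Exfiltration",
]

# Technique-to-tactic mapping for the IDs used in the sample log. These pairings
# are taken from the public ATT&CK matrix; a real tool would load the full
# enterprise-attack STIX bundle instead of an inline subset.
TECHNIQUE_TACTICS = {
    "T1566": ["Initial Access"],
    "T1059": ["Execution"],
    "T1078": ["Initial Access", "Persistence", "Privilege Escalation", "Defense Evasion"],
    "T1068": ["Privilege Escalation"],
    "T1070": ["Defense Evasion"],
    "T1003": ["Credential Access"],
    "T1087": ["Discovery"],
    "T1021": ["Lateral Movement"],
    "T1005": ["Collection"],
    "T1071": ["Command and Control"],
    "T1041": ["Exfiltration"],
}

# Constructed engagement log: "<timestamp> <technique id> <operator note>".
ENGAGEMENT_LOG = """\
2024-03-04T09:12 T1566.001 spear-phish with macro attachment delivered to finance lead
2024-03-04T09:40 T1059.001 macro launched PowerShell stager
2024-03-04T10:05 T1087.002 enumerated Domain Admins group members
2024-03-04T11:30 T1003.001 dumped LSASS memory on workstation
2024-03-04T13:10 T1021.001 RDP to file server with harvested credentials
2024-03-04T13:45 T1005 located intellectual-property share on file server
2024-03-04T14:00 T1071.001 beacon over HTTPS to assessment team infrastructure
2024-03-04T14:20 T9999 note tagged with an id that is not in the mapping
"""

LINE_RE = re.compile(r"^(\S+)\s+(T\d{4})(?:\.(\d{3}))?\s+(.*)$")


def parse_log(text):
    """Return (timestamp, parent technique id, note) for each well-formed line.
    Sub-technique suffixes (.001) are dropped so the lookup uses the parent ID."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2), m.group(4)))
    return entries


def tactic_coverage(entries):
    """Map each tactic to the technique IDs that exercised it. IDs missing from
    the mapping are collected separately so the operator can correct the log
    instead of silently losing the activity."""
    covered = defaultdict(list)
    unknown = []
    for _, tid, _ in entries:
        tactics = TECHNIQUE_TACTICS.get(tid)
        if tactics is None:
            unknown.append(tid)
            continue
        for tactic in tactics:
            if tid not in covered[tactic]:
                covered[tactic].append(tid)
    return dict(covered), unknown


def uncovered_tactics(entries):
    """Post-exploit tactics the engagement has not yet exercised, in lifecycle order."""
    covered, _ = tactic_coverage(entries)
    return [t for t in POST_EXPLOIT_TACTICS if t not in covered]


if __name__ == "__main__":
    entries = parse_log(ENGAGEMENT_LOG)
    covered, unknown = tactic_coverage(entries)
    for tactic in POST_EXPLOIT_TACTICS:
        print(f"{tactic:22} {', '.join(covered.get(tactic, [])) or '-- not exercised --'}")
    if unknown:
        print("unmapped technique ids:", ", ".join(unknown))
```

Run against the sample log, the report shows that the team has credentials, lateral movement, collection and a command channel but has not yet demonstrated persistence, privilege escalation, defense evasion or exfiltration, which is exactly the kind of gap to close before calling the post-exploitation phase complete.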
A comprehensive pre-attack means a successful pentesting attack.
At Mitnick Security, we've developed a tested and proven pentesting framework. It’s earned us a 100% track record in penetrating the security of any system, using a combination of technical exploits and social engineering.