In an earlier article, many moons ago (Sorry Jamie !), I stated my opinion that Forensics and Security were opposite sides of the same coin. I’ve felt very strongly that my skills as a Security Consultant have only been strengthened and expanded by the experiences I’ve gained with Forensics, both as part of the Forensic Focus community (again, apologies for my absence) and as part of my MSc (an ongoing epic spanning two Universities and many years).
There is a particular area of Security work that I think mirrors the skill set of Forensics more closely than others – and that is Penetration Testing. PenTest is probably the most bleeding edge, exciting and intellectually challenging thing in the InfoSec field – no matter how much I try, I struggle to get as excited about writing an “Acceptable Use Policy” as I do when given free rein to attempt a “capture the flag” task on a corporate network. (That’s not to say that AUPs don’t have their own excitements … nah, I’m kidding, but they are important – like eating your vegetables…) At the same time though, the same measured and methodical approaches and investigative skills that apply in Forensics also apply in PenTest.
Over the next few articles (I don’t know how many yet, I’ve not written them – but I’m aiming to get an update to you fortnightly) I’d like to take you through a high level PenTest methodology, showing you some of the tools and toys that you can play with along the way. At the end of it all, my intent is to run a competition (with a small prize for the winner – something like an iPod Nano perhaps?) on a live machine (or machines …) connected to the internet that you can all have a pop at – rules and scoring criteria yet to be determined – and on which you will have to write a short report. (Not that report writing will faze a single Forensicator!)
In any case, let’s start with outlining the basic methodology – remember, like Forensics, many parts of a PenTest methodology are iterative: as you learn more in one phase, you may want to return to an earlier phase and see what further advances you can make with your new-found knowledge.
1. Planning & Paperwork
- Getting your tools together
- Getting Authorisation & Correct Paperwork
- Estimating required time / effort
- Building a test lab
2. Discovery – Information Gathering & Analysis
- Passive Information Gathering
- Active Information Gathering
3. Vulnerability Detection
- Automated Tools
- Manual Confirmation
- Automated Tools
- Manual Confirmation / Manual Exploitation
- Obfuscation and Avoiding Detection
5. Reporting and Recommendations
- Writing a report & Presenting relevant findings
We’ll come back to most of the first items at the end – when we’ve had a chance to build some knowledge of the tasks involved and the tools that are available to us – and we’ll build a test lab as we go along.
However, right now, I’m going to drum in the law.
IT IS AGAINST THE LAW TO ATTEMPT TO ACCESS THE COMPUTER OR NETWORK OF ANY INDIVIDUAL, ORGANISATION OR GOVERNMENT WITHOUT THEIR EXPRESS KNOWLEDGE AND PERMISSION. FAILURE TO OBTAIN ADEQUATE CLEARANCES COULD LEAD TO FINES, IMPRISONMENT OR EXTRADITION – DEPENDING ON WHICH COUNTRY YOU ARE IN AND WHAT YOU’VE DECIDED TO TEST. DO NOT DO ANYTHING WITHOUT WRITTEN AUTHORISATION FROM SOMEONE WHO YOU HAVE GOOD REASON TO BELIEVE IS CAPABLE OF GRANTING SUCH AUTHORISATION.
Please come back on or after the 3rd of July for “An Introduction to Penetration Testing – Part 2 – The Discovery Phase”. (By the way, you can subscribe by clicking on the button to my right – and you’ll be updated for the remainder of this introductory course [and be notified when the competition starts] as well as all the other interesting articles and entries on Forensic Focus.)
About the Author
Si Biles (@si_biles) is a consultant for Thinking Security in deepest darkest Oxfordshire. ‘Cos he’s a CLAS consultant he spends quite a lot of time doing things for the Government; outside of that he has a particular interest in network security, vulnerability analysis, penetration testing and incident response & forensics. You can read more of his blogging on his own site and occasionally other places such as the BCS Security Blog.