Hack to the Future
Getting Back to the Basics
Providing offensive security testing and assessment services requires an advanced skill set, regardless of the apparent saturation of providers and potential employees in the marketplace. Organizations that enlist these services — either by hiring full-time staff to act as internal teams or engaging consulting companies or service providers — expect the professionals they hire to perform offensive security testing and assessment to a high degree of technical proficiency.
If you are leading the efforts to ensure the services you provide (either internally or to customers) are consistently of a high quality and continue to evolve and grow, then read on. What follows are strategies and tips to enhance your capabilities. Oddly enough, it begins by going backwards.
Going “back” and analyzing the basics within your offensive testing team is essential to ensuring a firm foundation. Rely on PlexTrac to take your program into the future by driving your workflows and, ultimately, posture forward with better, faster reporting and enhanced collaboration for your security team.
The Basics Defined
Understanding the methods and mechanics that attackers use to circumvent security controls, or to abuse systems, is what hiring “good” hackers is for. However, people often spend so much time dedicating themselves to offensive techniques and tradecraft that they lose sight of the underlying technologies under assessment. I’m not saying that putting effort into understanding emerging threats, new or novel technologies, and exploitation techniques is not valuable. But, even in those efforts, understanding core technologies will make it more likely that you’ll be able to find and understand those flaws.
A key to ensuring your teams are growing and capable is to spend time understanding core technologies and how they work. Then, once you understand the basics, dedicate your time to learning how to use systems properly. Examples of core technologies would be DNS, Active Directory (on-prem and Azure), general networking at layer 3 of the OSI model, etc. These are a smattering of examples, and obviously the list is extensive. I’m not saying get a PhD-level understanding of all technology in use in modern IT stacks. However, exposing individuals to these technologies experientially and via training or ad-hoc, self-paced virtual familiarization sessions can only make them stronger. You can more accurately find flaws with technologies when you know how they’re supposed to work.
For the purpose of this blog, the basics are defined as follows: take something like the OSI model or TCP model, fill in the technologies used at each layer of the model, and ensure your staff understands and can technically operate or use those technologies.
Below is a great example of common network models and layers from the OSI model.
Why Does Understanding the Basics of Technology Matter?
Don’t hear me wrong: This is not a blog gatekeeping the offensive security assessment and testing industry to only those who have spent a decade as a Unix Sysadmin. However, it’s logical that if you know how something is supposed to work, you’re also going to be able to spend time thoroughly identifying ways to make it work in unexpected ways. Your program’s tooling, processing, and personnel will all be enhanced by ensuring everyone has a thorough understanding of how core technologies work.
Automation in the testing process is not something to shy away from. Automation — in the form of scripts, programs, and applications — is a valuable tool in a practitioner’s toolbelt. As the scale and complexity of modern technology stacks have evolved, manually crafting packets with Scapy and sending port-knocking attacks to every port on an endpoint is simply not a feasible way to assess a large network. Thank goodness tools like Nmap exist that allow users to perform a variety of network mapping techniques, including probe-and-response port and protocol analysis. Nmap and tools like it begin identifying available services on endpoints in an automated manner. However, tools like Nmap or automated vulnerability scanning applications provide much better results when wielded by knowledgeable personnel who understand how Nmap or the scanner works under the hood. They’ll get how the tool works by understanding, generally, the protocols that the tool is leveraging to perform an action.
However, if personnel rely too much on tooling — without having the requisite understanding of how to tune the tooling based on environments or the initial output of said tooling — things can be missed, vulnerable hosts left unreported, and the quality of offensive security services provided diminished. Useful tools and automation combined with advanced understanding make for a winning pair. It’s our job as leaders to help manufacture and grow deeper levels of comprehension, or to expose our personnel to others that can.
With appropriate technology familiarity, practitioners can troubleshoot the output of tooling and also tune their configuration to ensure these tools are a valuable addition to their arsenal, enabling them to achieve excellent results.
When you’ve spent time building IT systems, from infrastructure to applications, you have an appreciation for how things are done and what works. Having an understanding of architecture for networks and systems, again, helps offensive security practitioners to get inside the minds of the admins and system maintainers. This helps not only with technical discovery of flaws, misconfigurations, and possible attack surface, but also contributes to a collaborative and communicative relationship between the offensive security teams and the owners of the systems and services that are undergoing assessment.
An example I often saw when I was a penetration tester was trying to create valid SQL query syntax to abuse a SQL injection flaw identified on a web application. The tester eventually got a complex, long SQL query to work and exploited the vulnerability. When asked how they knew what table names and join clauses to use, the reply was, “Well, I’ve built a lot of applications and databases in my day, so I just took a guess at a few common naming schemes I’d use, and they worked.”
When you spend time encouraging current personnel to learn and understand the flows and workings of important technologies, it causes them to evolve, which in turn allows them to better assist you in hiring or engaging with technologists. There’s a saying that goes “it takes experts to hire experts,” and it’s true. If you and your team have focused on building comprehension of fundamental technologies, it becomes easier to ensure that the personnel you’re courting to join you have the appropriate skill sets.
Further, when engaging with others, either internal business units or customers, those who have a demonstrable command of the core technologies will be able to articulate service offerings, and understand client and partner needs better.
How You Deal With Vulnerabilities Can Say a Lot
We’ve spoken a lot about automation and tooling and experience. These three components come together to allow you to observe more flaws using more manual methods — or manually yet assisted by automation/tooling. The outputs from offensive security assessments and testing efforts come down to data describing the security posture of systems and data. How you identify those flaws — and you and your team’s ability to identify esoteric flaws or vulnerabilities that an automated solution would not be able to identify — can really mean the difference between a good enough offensive practice and a stellar one.
How you present that data, in an easy-to-understand, consumable, and actionable format, also goes a long way. You can be the best technical practitioners on Earth, but if the results of your assessment are difficult to interpret or to act upon, then your effort is for naught.
PlexTrac to the Future
PlexTrac is The Premier Pentest Reporting and Collaboration platform. As your team conquers the basics, PlexTrac takes you into the future ensuring your team can work effectively and efficiently and provide the best deliverables to clients and internal stakeholders.
PlexTrac is a force multiplier for offensive security programs. Book a demo to learn how PlexTrac can accelerate your team into the future.
Nick Popovich
PlexTrac Hacker in Residence
Nick Popovich’s passion is learning and exploring technology ecosystems, and trying to find ways to utilize systems in unexpected ways. His career has focused on adversarial threat simulation, offensive and defensive security, and advanced technical security assessments. Nick’s mission is to help individuals and organizations involved with defensive security operations to have an opportunity to observe the mechanics and methods of the attackers they’re defending against, and to assist in realistically testing those defenses. He’s a lifelong learner and loves finding new ways to get under the hood of systems and networks. He is a father of three and a husband to one.