Social-Engineering
Changing an Industry
The Penetration Testing Execution Standard (PTES)
Dave Kennedy (ReL1K)
http://www.secmaniac.com
Before we start
• Open discussion
• Shouldn’t be me driving this presentation
• Community collaboration
History
• PTES started officially at ShmooCon 2010, however it was an idea we’ve all had for years.
• Penetration Testing is a fundamental principle in security.
• Something that is required to mature and advance a security program.
Something that’s
The Goal
Not all is wrong
• Security is actually going better than expected for such a young
industry.
• We have people dedicated to security; this room is filled with people passionate about security.
Penetration Testing
• Who has had a penetration test?
• Everyone’s hands should have been raised by now…
• But who here has really had a
Let’s share our thoughts on a pentest
Let’s go around the room and share thoughts on “what” is a penetration test.
A pentest to me
…
• The ability to identify exposures within the organization that represent a true breach simulation and the ability to hinder the company’s ability to generate revenue.
• The baseline analysis of how well the overall security program is functioning and to test the effectiveness of controls.
• Only true testament to what exposures exist and how to prioritize
That’s just me
…
• Others may view it as a way to become compliant with regulations
and standards.
• Others may view it as a way to tactically fix all vulnerabilities found.
• Others may view it as a way to test controls.
But that’s just it
…
• Going around the room, we may have heard some similar ideas of
what a pentest is, but were they all the same?
Welcome to PTES
• PTES was designed to take industry leaders, people in the field,
people just starting off.
• Listen, learn, and come up with something that identifies what a
penetration test is.
I’m selling this to you…
• I am selling this to you. You are the only way PTES will be
successful. Through adoption.
• Think about an industry that’s united in its views on how to tackle
They can work
…
• The concepts are strong and noble. But they lack the fundamental
principles of why we’re here.
• This is my personal opinion and mine only, but we have made an
Let’s go around and discuss how we are doing in security
…
PTES Basics
• Penetration tests are the only tangible aspects in identifying and
prioritizing true risks to the company.
• Foundational building block to a security program.
• Each company is different, and thus each penetration test must be
PTES-G Basics
• Technical guidelines on how to conduct a penetration test.
• This is more of the “living” document of the standard.
• Always needs work and always needs help. Contribute to what
The Standard
• Draft form and undergoing a lot of work and additions.
• Sections have been completed.
• Industry is adding a ton of more things to make it solid.
• Already being discussed to be integrated into multiple regulatory
What this means
…
• A clear standard of what a penetration test is and the language that
should be used.
• Ways for you as an organization or company to sell or procure
pentesting services.
• To truly get to the root cause of a security program versus
What this means (cont)
…
• Raises the bar for penetration testers and the dime-a-dozen ones out there.
• Hopefully throws out the cheapest bidder (big hope).
• Establishes criteria and expectations we have to abide by.
• Changes an industry to where we focus on fixing problems versus
Let’s walk through the standard
• Phased approach
• Repeatable
• Methodical
• Still keeps true to the hacker
Levels of Effort
• Not every company (99 percent aren’t) is ready for a crazy pentest.
• Varying levels (something we’re building into PTES) based on
maturity model.
Pre-Engagement Interaction
• This is probably one of the most important elements.
• Focus on understanding the purpose of the penetration test.
• What the company’s struggles are and what they need.
• Ability to gauge the penetration testers and outline what efforts will
Intelligence Gathering
• Learn about the company.
• Understand the company.
• How does it tick?
• Gather as much information as
Threat Modeling
• Learning our best way to attack the organization…
• Is it SE? Web app? Physical? Hugs?
• Finding the most successful, most impactful, and best route into the
Vulnerability Analysis
• After the threat modeling phase, identifying the best vulnerable way to penetrate the infrastructure or company.
• Identify what exposures exist through manual attack vectors and exploit the best method that will be most impactful to the company.
• Learn the overall company and attempt to circumvent controls
Exploitation
• Precision hit.
• Targeted.
• Well thought out.
• Aimed at impacting the most
Post-Exploitation
• This is where it really counts.
• Impact the company’s ability to generate revenue (see a theme?!)
Reporting
• Take everything you’ve learned and build something tangible.
• Don’t focus on GRC, BIA, CIA, BCP… focus on the company’s overall security program and ways to improve it.
• Get to the root cause, focus
Think differently
• I urge you to think differently, to think outside of what you’re taught.
• Throw away the vendor and consulting lingo, bring in common sense.
• We’re trying it and doing it…
Adoption
• It’s you. Don’t hire someone if they don’t adopt PTES.
• Learn PTES and what you should be asking.
• Consulting companies: Offer this as an offering.