In the world of offensive cyber security, there are almost unlimited ways you can approach a penetration test, whether internal, external, or wireless. However, it can be difficult to conduct thorough, repeatable penetration tests because of the sheer number of important aspects to cover during a test.
Because of this, multiple penetration testing frameworks have emerged to help you work through the various tests you might be tasked with. In this article, we will discuss the penetration testing frameworks you might benefit from during your next pentest.
- Why Use a Penetration Testing Methodology?
- Open Web Application Security Project (OWASP) Testing Guide
- Penetration Testing Execution Standard (PTES)
- NIST Special Publication 800-115
- ISSAF Penetration Testing Framework
- CREST Penetration Testing Methodology
- MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)
- OSSTMM Open-Source Security Testing Methodology Manual
- Conclusion
- Frequently Asked Questions
Why Use a Penetration Testing Methodology?
Due to the wide variety of penetration tests and targeted technologies, it can be exceptionally difficult to deliver a consistent product as an offensive security practitioner. A penetration testing methodology allows you to standardize your test(s) into repeatable, consistent approaches. However, not all penetration testing methodologies are focused on the same types of tests, so let's break down the top testing frameworks.
Open Web Application Security Project (OWASP) Testing Guide
Who Designed This Methodology
The Open Web Application Security Project (OWASP) Foundation is a nonprofit, community-driven organization that tracks and publishes the most up-to-date web application security risks, vulnerabilities, and penetration testing methodologies.
What Is This Method's Purpose
The OWASP testing guide focuses primarily on web applications and their related technologies. It provides web application testers with a step-by-step guide on targeting vulnerabilities across many avenues.
What Are the Steps
The OWASP testing guide's overarching steps include the following:
- Information Gathering
- Configuration and Deployment Management Testing
- Identity Management Testing
- Authentication Testing
- Authorization Testing
- Session Management Testing
- Input Validation Testing
- Testing for Error Handling
- Testing for Weak Cryptography
- Business Logic Testing
- Client-side Testing
- API Testing
- Reporting
When Should I Use This Methodology
OWASP is considered the gold standard for any and all types of web application penetration tests. Organizations can benefit from following the OWASP guide throughout a web application's development lifecycle to ensure security is baked into the application's configuration.
What Makes This Methodology Worth Knowing
The comprehensive approach to web application testing gives the OWASP guide a significant advantage over other penetration testing methodologies when a test focuses on web applications. This is especially useful when ensuring that your web applications are safe for your customers and clients and for auditing and security assessments.
OWASP also offers additional projects and guides for the community. The OWASP Top 10 is the OWASP Foundation's annually updated list of the top 10 security vulnerabilities currently affecting the web application landscape. OWASP also maintains projects like SAMM, guidelines for secure coding, OWASP Mobile Application Security (a testing guide for mobile apps), and OWASP Zed Attack Proxy (ZAP, an open-source web application scanner).
Penetration Testing Execution Standard (PTES)
Who Designed This Methodology
Penetration Testing Execution Standard (PTES) is an open-source framework to standardize penetration tests. PTES is community-driven by industry-leading security practitioners, giving it a wide range of applicability to different testing projects.
What Is This Method's Purpose
PTES's main purpose is to give testers a systematic process for identifying and testing security vulnerabilities, and for mitigating the resulting risks appropriately.
What Are the Steps
PTES has seven primary phases within its framework:
- Pre-engagement interactions
- Information Gathering
- Threat Modeling
- Vulnerability Analysis
- Exploitation
- Post Exploitation
- Reporting
When Should I Use This Methodology
PTES can be used for internal, external, and wireless penetration testing within an environment. Its focus on information gathering and threat modeling can allow an organization to customize its penetration tests to address its specific infrastructure, which can provide highly beneficial results.
What Makes This Methodology Worth Knowing
The structured and comprehensive approach to penetration testing helps you cover all necessary aspects of your assessment. PTES also provides a systematic methodology that can standardize tests should your organization establish penetration testing as a regular security measure.
NIST Special Publication 800-115
Who Designed This Methodology
The National Institute of Standards and Technology (NIST) is a U.S. government agency that promotes technology standards and guidelines from offensive and defensive perspectives. NIST Special Publication 800-115 is one guideline covering proper penetration testing from engagement setup to post-testing activity.
What Is This Method's Purpose
NIST Special Publication 800-115 guides testers through a comprehensive and thorough security assessment of an organization's environment. It outlines testing methodologies and different techniques to test security controls.
What Are the Steps
Its steps include:
- Planning and Preparation
- Execution of Tests
- Analysis and Reporting
- Risk-Based Approach
- Integration with Risk Management
When Should I Use This Methodology
NIST SP 800-115 can particularly benefit your organization when the goal of a security test is to satisfy compliance or regulatory requirements. Formal audits often reference NIST when evaluating an organization, and utilizing SP 800-115 can proactively address issues that might otherwise arise during an audit.
What Makes This Methodology Worth Knowing
NIST SP 800-115 is widely recognized in the cyber security industry and by international governments as a good baseline for security best practices. Being familiar with these guidelines and even testing against them can provide a solid foundation for your organization's security posture.
ISSAF Penetration Testing Framework
Who Designed This Methodology
The ISSAF Penetration Testing Framework was spearheaded by the OISSG organization. Although it is no longer directly supported or maintained, it offers a valid overarching approach to penetration testing.
What Is This Method's Purpose
The ISSAF framework aims to provide testers with a thorough methodology for identifying vulnerabilities, testing them, and cleaning up any artifacts left post-test.
What Are the Steps
ISSAF breaks its penetration testing steps into three distinct phases, each with its own list of steps. These include:
Phase 1: Planning and Preparation
- Communication with stakeholders and testing team(s)
- Identify scope and methodology
- Agreement on testing use cases and escalation paths
Phase 2: Assessment
- Information Gathering
- Network Mapping
- Vulnerability Identification
- Penetration
- Initial Access and Privilege Escalation
- Post-Exploitation
- Covering of Tracks
Phase 3: Reporting, Clean-Up, and Artifact Destruction
- Report Writing
- Removal of Penetration Testing Toolkits
- Deletion of Post-Exploitation Artifacts (Files/Directories)
When Should I Use This Methodology
Like the other penetration testing frameworks, ISSAF can be used to assess the security of your organization's environment. However, ISSAF is particularly useful after significant changes to existing systems, because it emphasizes cleaning up artifacts left behind so that systems remain safe to keep running during and after the assessment.
ISSAF also offers a unique layout by breaking the steps of a penetration test into a phased approach, which can make the guide easier to follow if you prefer that type of breakdown.
What Makes This Methodology Worth Knowing
ISSAF's identification of the different testing layers to address during a penetration test can provide you with a well-structured approach throughout the assessment. It can also help ensure networks remain secure even after a robust penetration test.
CREST Penetration Testing Methodology
Who Designed This Methodology
The CREST group designed the CREST Penetration Testing Methodology (CPTM); CREST stands for the Council of Registered Ethical Security Testers. This nonprofit, international organization provides training and guidance for penetration testing, both internal and external.
What Is This Method's Purpose
CPTM was designed to provide a standard and comprehensive approach to penetration tests, particularly for CREST Registered Penetration Testers. It can guide you through thorough assessments of both networks and applications.
What Are the Steps
CREST's penetration testing methodology includes the following steps:
- Pre-engagement
- Intelligence Gathering
- Threat Modeling
- Vulnerability Analysis
- Exploitation
- Post-Exploitation
- Reporting
- Review
When Should I Use This Methodology
CPTM can provide solid guidance for internal, external, and wireless penetration tests, the last of which receives little focus in other penetration testing methodologies.
What Makes This Methodology Worth Knowing
CREST is a well-known security organization, especially internationally, which gives it a wide breadth of influence within the cyber security space. Testing your organization's environment against the CREST standard can provide a solid foundation for future security audits.
MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)
Who Designed This Methodology
The MITRE Corporation has provided the ethical hacking world with abundant support for years, and its Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework is arguably its most famous contribution. MITRE ATT&CK breaks down current and previous offensive security attacks all the way from reconnaissance to post-exploitation.
What Is This Method's Purpose
MITRE ATT&CK was designed to provide a comprehensive and structured model for understanding adversarial tactics and techniques. Additionally, it allows for accurate categorization of different attacks to better understand attack kill chains.
What Are the Steps
The MITRE ATT&CK framework is unique in that it doesn't follow laid-out steps like the other methodologies. Instead, it functions as a matrix of information that covers the many stages a cyber attack might go through when impacting an organization.
When Should I Use This Methodology
You can utilize MITRE ATT&CK as a reference point during each attack phase of a penetration test. The ability to reference specific attack techniques, employ unfamiliar tactics, or explore additional attack options allows you to conduct truly comprehensive assessments.
What Makes This Methodology Worth Knowing
MITRE ATT&CK can provide penetration testers, especially red teamers, with extremely detailed knowledge of different attack types. This allows penetration testers to test against more niche techniques that might be overlooked during other testing types. MITRE's relatively new D3FEND framework also provides corresponding guidance for the blue (defensive) side of the cyber world.
OSSTMM Open-Source Security Testing Methodology Manual
Who Designed This Methodology
The OSSTMM Open-Source Security Testing Methodology Manual was developed by the Institute for Security and Open Methodologies (ISECOM). OSSTMM was developed to be holistic, quantitative, transparent, and educational.
What Is This Method's Purpose
Although OSSTMM provides guidance for conducting structured and standardized security assessments, its distinguishing focus is producing workable metrics after the test. This gives you a great jumping-off point for providing your organization with meaningful post-test reports and recommendations.
What Are the Steps
OSSTMM has a framework of:
- Pre-Engagement
- Intelligence Gathering
- Threat Profiling
- Vulnerability Analysis
- Exploitation
- Post-Exploitation
- Analysis and Reporting
When Should I Use This Methodology
You can use OSSTMM as guidance to conduct a structured, complete penetration test. Additionally, OSSTMM can be especially beneficial when the goal of the test is to provide detailed findings report(s) for your organization to conduct thorough post-test activity.
What Makes This Methodology Worth Knowing
The emphasis on ethics, measurements, and metrics gives you a solid foundation of trust between your testing team and your organizational stakeholders. This can be particularly important should your team be an external or third-party team. OSSTMM also offers guidance on physical security and can greatly benefit engagements that involve that type of activity.
Conclusion
Following a penetration testing methodology provides you with a form of standardization that is essential for practicing offensive techniques consistently within your organization. A methodology can also keep you from missing critical tests or areas amid the many different activities involved in a penetration test.
Method | Benefits
---|---
OWASP Testing Guide | Comprehensive, step-by-step coverage of web application testing; the standard for web application pentests
PTES | Structured seven-phase process for internal, external, and wireless tests; emphasis on information gathering and threat modeling
NIST 800-115 | Widely recognized baseline; useful when tests must satisfy compliance or regulatory requirements
ISSAF | Phased approach with explicit clean-up and artifact destruction after testing
CREST | Internationally recognized standard covering internal, external, and wireless tests; includes a final review step
MITRE | Detailed matrix of adversary tactics and techniques; a reference for niche techniques, especially for red teams
OSSTMM | Focus on measurable post-test metrics, ethics, and physical security
No matter which methodology works best for your organization, a penetration testing methodology can provide a solid foundation for any tester. If you want to learn more about penetration testing, please consider the following!