
"Pentester" is not a Russian word at all; it is borrowed. What it brings to mind for people outside IT, I am afraid to imagine. That is why, in Russia, we proudly call ourselves "penetration testing specialists". What kind of "penetration", and why does it need to be tested? In this article I will try to lift the veil of secrecy for the uninitiated.
There are big companies run by respected "uncles". They employ programmers who write code and sometimes make mistakes. The causes of the mistakes are trivial: stupidity, laziness, ignorance of the technology, and more often than not a pile of burning deadlines that leave no time to properly think through the application's logic and cover the code with tests.
In a software product, any error is a potential vulnerability. A vulnerability is a potential risk. And risk is a bad thing: you can lose money (in general, you can lose a lot of things: customer data, intellectual property, reputation, but all of it is ultimately measured in money).
And what do you think? Do the "big uncles" decide to stop rushing the programmers, send them to secure development courses, give them time to polish the code and give them a foot massage? Of course not. The "big uncles" decide to "accept" these risks (reduce, transfer, insure, and many other clever words). In short, the programs keep running and the money keeps flowing. Hackers stole a little, everything went on as usual, but only for a while.
Over time, the amount of data began to grow significantly, and the audacity of the hackers grew even faster. The damage from hacking began to exceed acceptable limits. Users also began to realize the value of their "well, very important" personal data, and then the "guys" from politics stepped in and stirred things up (wiretapping of top officials, disabling an Iranian nuclear facility, election fraud, freedom of speech, the right to privacy, the right to be forgotten and, finally, "cyber weapons"!).
Everyone suddenly understood that information security is no trifle.
Then the most respected people declared that evil hackers would be jailed (those they could reach), and everyone else had to be responsible for their own activities and for taking the necessary information security measures. They issued directives, banged the gavel, and left.
An important point for the reader: a "business", of course, can say that your privacy is very important to it, that your data will not be passed on to anyone, and that every bit of information will be protected by a specially trained person, but in reality few people care. The main motivators for ensuring information security are money, or more precisely:
- regulatory requirements (otherwise, heavy fines);
- preventing hackers from stealing too much (which can lead to bankruptcy);
- keeping the reputation (so that gullible users keep bringing the company money).
In general, at first nobody strained themselves much: they drew up clever documents, bought certified equipment, hired certified specialists (or, more precisely, bought certificates for the people they already had), and at first glance everything seemed safe. But, as everyone understands, paperwork alone does not protect you in real life.
Once again the "smart uncles" got together and decided: to defend against an attacker, you need to think like an attacker. Not necessarily yourself; you can formalize this process, hire specially trained people "in jackets", let them break in, and the output will be a new piece of paper, but this time a "technical report"!
So a "pentester" is simply someone who imitates the work of a real attacker, thereby testing whether the organization can be penetrated (compromised) and its information assets (confidential information) accessed.
How to test? From where? Where to penetrate? What information to obtain? What are the limits? All of these are details that are agreed in advance.
From the outside the job looks easy and well paid, and the market is not saturated with specialists, so there is a trend of many schoolchildren wanting to become "cool hackers" by sitting on the couch at home and pressing a couple of keys to crack the IT giants. But is it really that simple?
Life experience
A pentester is not just a tester; it is better not to come here straight from school, without experience as an employee of a regular company or a vendor company.
You have to go through the school of life. Examples:
- explain to an accountant that the printer is not working because the cable is not plugged into the computer;
- explain to the company's financial director that writing a password on a sticky note on the computer is very bad;
- install software with a minimum requirement of 4 GB on a computer with 256 MB of RAM;
- set up a corporate network on home routers so that everything runs fast;
- wait a couple of months for approval to get access to a simple information system;
- draft an information security policy in a couple of days by downloading a template from the Internet;
- pray for the program to compile and, without changing anything in the code, get a successful build;
- finish the work twice as fast as planned and get more work instead of a bonus;
- etc.
Otherwise, without an understanding of actual practice and of the customer's individual situation, your entire report will remain a beautiful piece of paper, and the recommendations will never be implemented.
Finding one "hole" in a company of many thousands is usually not difficult, but without life experience it will be hard to fully analyze and hack the other systems without understanding:
- How was it built? (properly, or under the influence)
- Why exactly this way? (laziness, budget, circumstances, staff)
- What could a developer / architect / network engineer have missed?
- Why is nobody responsible for the system being hacked? (it happens)
- Why does nobody want to fix the super-important vulnerability you found? (it happens)
- Why can a critical vulnerability not be fixed in a couple of hours? (maybe the working day just ended and nobody pays for overtime)
- How easy is it to fix a detected vulnerability? (maybe the support contract with the outsourcer has expired)
- Etc.
Pentester requirements
The requirements for such a specialist, of course, differ from those for an astronaut: you don't need to be physically fit here, and you can stay on the sofa for a long time, but there are some nuances.
Here are approximate duties:
- Penetration tests (pentest):
  - external and internal penetration testing;
  - web application security analysis;
  - security analysis of wireless networks;
  - penetration testing using social engineering methods;
- Performing penetration tests in accordance with the requirements of the PCI DSS standard.
- Writing reports and recommendations based on the tests.
- Developing oneself and the competence of the department in the field of information security.
Sample requirements:
- Higher technical education in the field of information security.
- Knowledge of administration of *nix and Windows systems and web servers.
- Knowledge of network protocols (TCP/IP), security technologies (802.1x), as well as basic network protocol vulnerabilities (ARP spoofing, NTLM relay).
- Knowledge of how web protocols and technologies work (HTTP, HTTPS, SOAP, AJAX, JSON, REST, ...), as well as basic web vulnerabilities (OWASP Top 10).
- Knowledge of the information security product market (manufacturers, suppliers, competitors, development trends, demand patterns, customer needs and expectations).
- Understanding of information security technologies (WAF, VPN, VLAN, IPS/IDS, DLP, DPI, etc.).
- Experience with nmap, sqlmap, dirb, Wireshark, Burp Suite, Metasploit, Responder, BloodHound.
- Experience with Kali Linux.
- Knowledge of the OWASP and PCI DSS methodologies.
- Development experience in Python, PHP, Ruby, bash, PowerShell, Java, C, Assembly.
- Understanding of the basics of reverse engineering.
- Knowledge of English at Intermediate level or above.
- Knowledge of Chinese (just wait, it's coming).
A plus:
- Experience in reverse engineering and malicious code analysis.
- Experience exploiting binary vulnerabilities.
- Professional certificates such as CEH, OSCP, OSCE, etc.
- Participation in professional competitions (CTF, hackathons, olympiads).
- Participation in bug bounty programs.
- Having your own CVE.
- Speaking at professional conferences.
Also: a technical genius with social phobia is of no interest to anyone here; what is usually required is a sociable person who can:
- explain to the customer what he really wants and what it will look like;
- competently present and defend their actions and recommendations in writing and verbally;
- in case of success, create a "wow effect";
- in case of failure, create a "wow effect" (a pentest's shortcomings are information security's strengths);
- be stress-resistant (things get heated, especially during covert work);
- solve tasks on time, even across overlapping projects;
- be trendy (oh yes, being trendy is the "burden" of all IT professionals):
  - It is impossible to simply come home after work and not think about work.
  - You need to constantly evolve.
  - Read Telegram chats, foreign blogs and news, follow Twitter, read Habr, watch conference talks.
  - Learn new tools, track changes in repositories.
  - Attend conferences, speak yourself, write articles.
  - Train new employees.
  - Get certified.
  - Do not burn out.
Pentest philosophy
Don't think that a pentest will show all the problems, or that the result will be an objective assessment of information security in your company (product).
A pentest only shows what result a team of specific specialists can achieve under the given conditions (time, place, attacker model, competences, permitted actions, legal restrictions, priorities, phase of the moon) while imitating the work of an attacker.
Remember: pentesters are not real intruders, who can combine theft, hacking, blackmail, bribing employees, forging documents, their own influence and other human factors; everything is agreed a hundred times over, the load is controlled and everything runs on schedule.
A pentest is also a matter of luck. Today you managed to extract the administrator password from RAM and escalate to domain administrator for the entire corporate network; tomorrow it is no longer there, and only unprivileged (plain) access on some ancient, uninteresting server makes it into the report.
Differences from close directions
In addition to "pentesters" there are also "red teamers", "bug hunters", "researchers", "auditors" and plain information security specialists. All of these can be one person, or they can be different people whose competences only partially overlap. Let's try to "chew through" these terms a little:
"Auditor"
This specialist is given all the documents, network diagrams and device configurations, on the basis of which conclusions and recommendations are made for the organization in line with best-practice standards and the auditor's experience. Thanks to the openness of the information, this approach gives the broadest coverage of all information security processes and a holistic view of the entire infrastructure.
The auditor rarely checks every setting in the organization independently; usually the information is provided by the customer, and it is sometimes outdated or incorrect.
The efforts of auditors and pentesters need to be combined in order to check both the paperwork describing the business processes and its implementation in practice.
"Researcher"
A pure pentester is not a researcher; he simply has no time for it. By a researcher I mean a specialist who can set up a lab, deploy a particular piece of software and examine only that, inside and out, for several weeks or even months.
Now imagine you hire a specialist to test your corporate infrastructure, and he spends the whole time researching the "send a valentine" software installed on one employee's computer. Even if he succeeds, the results of his work are not very interesting.
"Red teamer"
Red teaming is a completely different testing philosophy. It suits companies with mature information security that have already carried out audits and pentests, and where all the flaws have already been fixed.
This is the closest thing to a real attacker, and it is the organization's information security service and its adjacent units (SOC, ...) that are under examination.
Differences from a pentest:
- Only a few people know about the work; everyone else reacts to the attacks in real time.
- The work is carried out covertly; you can attack from cloud hosting providers at night.
- You don't need full coverage; you can take the path of least resistance and find a password on github.com.
- A wider range of techniques; you can use 0-days and establish persistence in the system.
- The work is carried out over a long period (several months, a year) and does not require haste; this is where you can afford to study the customer's infrastructure in a lab you set up in order to minimize triggering the protective tools.
"Bug hunter"
It is wrong to compare a bug hunter with a pentester; it is like comparing apples and oranges, and the one does not preclude the other. But for the sake of distinction, I can say that pentester is more of a position: the work involves a number of formal tasks under an agreement with the customer, according to a stated methodology, and results in recommendations.
For a bug hunter it is enough to find a hole in anyone (usually from the list on the site) and send proof that the bug exists (preconditions, steps).
Once again: no preliminary contracts, no approvals; you simply found the vulnerability and sent it to the customer through the site (an example of such a site is www.hackerone.com). You can even see how some Petya did it in organization "A" and repeat it right away in organization "B". Competition here is high, and "low-hanging fruit" comes along less and less often. It is better regarded as a kind of side income for a pentester.
Specificity of pentest from the integrator company
This section may look like advertising, but you can't get away from the facts. Each pentest is unique in its own way (even if the methodology may be a template). It is made unique by many factors, but mostly by people: the team of specialists, whose style will certainly be influenced by the company they work for.
For example, one company cares only about the pentest itself and its results, because that is the only thing they make money on. A second company wants to find specific flaws during the pentest in order to sell its defensive solution. A third focuses more on the broken business processes, to raise a whole layer of problems and propose measures to solve them.
Working at an integrator company, I will describe the features of our pentests for external customers. The specifics are as follows:
- We are not interested in a pentest for the sake of a pentest, or in stretching it out over several months.
- The work is carried out in the minimum necessary time, and the results are aimed at revealing the real picture of the customer's information security.
- Problematic information security business processes need to be highlighted by testing key points of the infrastructure. So, if an outdated operating system was found on 20 out of 20 computers, what is the point of showing another 200? Full coverage is often not required, and who can guarantee it anyway?
- Based on the results of the pentest, the company can immediately offer to conduct an audit, build business processes, propose protective measures, implement them, support and monitor them. Not many companies in Russia can boast such a range of capabilities. It is convenient when the whole package of services can be provided by one company with extensive experience in such projects.
From an employee's point of view, an integrator company means a multitude of projects of all kinds with small and very large customers nationwide. It means business trips both within Russia and abroad. And, of course, working side by side in a team with auditors, implementation engineers, support engineers, vendors, etc.
Work days
Imagine that you are already working as a pentester. What will your workdays look like?
From Monday to Friday you carry out an "external pentest" of Customer1, paired with a colleague. The work is based on personal experience and international methodologies, taking the customer's specifics into account. You run scanners, map the network, go through checklists, and chat with your colleague about the vulnerabilities found.
At the same time, another team starts calling the customer's employees while posing as the security service, sending out menacing emails with malicious attachments; someone even scatters flash drives and sticks posters up on the customer's premises.
This is not a competition: there are not always interesting vulnerabilities, people don't always give up passwords over the phone, and protective tools are not always misconfigured, so sometimes only a list of the work done can be reported. But you are not worried, because every pentest teaches you something new and demonstrates interesting human factors.
A couple of times at the customer, after fuzzing the input data, the availability of the services degrades and the work is suspended. After the restrictions are adjusted, it continues. Everything is fine. You write a report.
Then you are assigned to an "internal pentest" of Customer2 with a business trip to city N, while some of your colleagues get a mobile application test. On arrival you are escorted to a separate office and given a workplace. You calmly plug the network cable into your laptop and conduct the "internal pentest" according to the stated agreement. You may be capturing a domain controller 3 hours after starting work via MS17-010 and collecting other vectors on the remaining days. Or you may spend the whole week "playing" with Kerberos delegation on a pair of obtained accounts. Security officers are sure to approach you and ask what you have found. Within 15 minutes, expect the question "So what? Did you manage to crack anything?", even though nmap hasn't even "warmed up". In any case you usually have something to surprise the security staff with; even with the printer's account you can pick up Exchange server backups. Then come reports, stories "about the great journey" for colleagues, customer surprise, many recommendations and even more clarifications, but in the end the company really begins to understand that security is a process and not a one-off measure, and you feel good about the work done.
Then you are assigned to the red team: you drive with a colleague in a car and park near a bank. You launch an attack on the Wi-Fi with a laptop and a special antenna. You are not the GRU, you have no badge, and you can genuinely get in trouble with the security guards who are not in the know, so the antenna is hidden and your cover story is that you are waiting for friends.
But now the handshake of the corporate Wi-Fi has been captured, and your colleagues in the office have already cracked it and logged into a top manager's mailbox over the Internet. This is a success. Then come information gathering, reports, presentations.
On the following workdays you write scripts to automate part of your work, read the news and test new equipment in the lab. In parallel, old customers send you questions about work done a month ago.
For a few hours on Saturday (overtime is paid), load testing is scheduled at a customer; you "drop" the site 10 minutes after the start, and guess what? You write a report on the results.
Soon there is an interesting pentest of a control system waiting for you, and a trip to an information security conference at the company's expense. You shed a tear of happiness and put a single quote into another new web form.
In conclusion
The topic of pentesting is no longer new; a lot has been written about it in different ways (you can read here and here). Corresponding disciplines appear in universities, competitions are organized, various conferences are held, but the personnel "hunger" grows every year. In addition, the information security maturity of many companies is growing, there are more and more information security tools, and specialists are required to have deep and diverse competence. Every IT specialist (not to mention information security specialists) would benefit from taking part in a real pentest at least once.
And despite the beginnings of automation (an example here), it is unlikely that anything will replace a living, competent person in the next ten years.