
Forget palm reading — we’re tackling future attacks with Threat Based Testing


By Konstantinos Karagiannis, Practice Technical Lead, Ethical Hacking, BT Advise Assure

Proof and evidence: these are the key ingredients of a good pen test report. You can't hand a client a write-up that says a vulnerability is present without including the requisite screenshots, captured tool output, and samples of the data you were able to pilfer.

Pen tests or ethical hacks are supposed to reveal existing, exploitable vulnerabilities. Yet lately part of our client base has been requesting something extra and very different: a Threat Based Test (TBT). When performing a TBT in tandem with a hack, we add an appendix to the report that doesn't contain the types of evidence mentioned above. Rather, with a TBT we're peering into the future.

Unlike our typical deliverables, the output of a TBT is an examination of the types of threats that may affect an application or system in the coming months or years. Executing a TBT involves gathering documentation from developers and creating data flow diagrams and attack trees, which help us visualize every path data takes through a system or application.

We examine the types of users, their roles, and their abuse potential, which rises with their level of access. We then apply our proprietary methodology to document clearly why we believe certain theoretical attacks are likely to become real risks soon.

For example, if some quasi-hidden internal function handles data unsafely, we may be able to predict scenarios in which that flaw becomes reachable by a real-world user and is exploited. Sometimes a likely future configuration change or feature would open the floodgates to attackers, and only a TBT could predict this.

Normally during an ethical hack there are numerous things we look for that are necessary, but not particularly exciting. Eureka moments, where we uncover a transcendent attack, are rare and therefore savored on the job. A TBT tends to be more creative, letting us focus on exciting, possibly newsworthy attacks throughout the process. TBTs explore major categories of threats such as those represented by STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege). Very few things we look for on a TBT feel like compliance checks. Working through the STRIDE elements also helps us reveal attacks that combine categories, such as stealing money from an account (tampering or elevation of privilege) and then hiding the fact that it was you (repudiation).
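To make the mechanics of the last few paragraphs concrete (data flow diagrams with trust boundaries, user privilege levels, STRIDE, and the question of what a future feature would expose), here is an added example in Python. It is not code from this post or from BT, and it is not BT's proprietary methodology: it applies the well-known STRIDE-per-element mapping (external entities get S and R, processes all six, data stores T/R/I/D, flows T/I/D) over a small DFD, adds two heuristics of my own (a flow crossing a trust zone also gets Spoofing; a flow or multi-hop path from a lower- to a higher-privilege element gets Elevation of privilege), and then diffs the threat set before and after a hypothetical new flow. The system being modelled and every name in it (customer, web, accounts, admin_fn, ops) are constructed for illustration.

```python
"""Added example, not code from the original post or from BT: a minimal
STRIDE-per-element enumerator over a data flow diagram (DFD) with trust
zones and privilege levels, plus a what-if check for a proposed new flow.
The modelled system and all names in it are constructed for illustration."""
from collections import deque
from dataclasses import dataclass, field

# STRIDE-per-element: categories that apply to each DFD element type.
STRIDE_PER_ELEMENT = {"external": "SR", "process": "STRIDE",
                      "store": "TRID", "flow": "TID"}
CATEGORY = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
            "I": "Information disclosure", "D": "Denial of service",
            "E": "Elevation of privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # "external" | "process" | "store"
    zone: str        # trust boundary the element sits inside
    privilege: int   # higher = more access, hence more abuse potential

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    label: str

@dataclass
class DFD:
    elements: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)

    def add(self, *els):
        for e in els:
            self.elements[e.name] = e
        return self

    def connect(self, src, dst, label):
        self.flows.append(Flow(src, dst, label))
        return self

def reachable_from(dfd, start):
    """Every element reachable from `start` by following data flows (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for f in dfd.flows:
            if f.src == cur and f.dst not in seen:
                seen.add(f.dst)
                queue.append(f.dst)
    return seen - {start}

def enumerate_threats(dfd):
    """Return {(target, category)}: target is an element name, a direct flow
    "a->b", or a multi-hop reach "actor=>element". On top of plain
    STRIDE-per-element (assumed heuristics, not BT's method): a flow crossing
    a trust zone also gets S (the receiver must authenticate the sender), a
    flow from lower to higher privilege gets E, and any element an external
    actor can reach that outranks it gets E (the 'hidden internal function
    becomes reachable' case)."""
    threats = set()
    for e in dfd.elements.values():
        threats.update((e.name, c) for c in STRIDE_PER_ELEMENT[e.kind])
    for f in dfd.flows:
        s, d = dfd.elements[f.src], dfd.elements[f.dst]
        tag = f"{f.src}->{f.dst}"
        threats.update((tag, c) for c in STRIDE_PER_ELEMENT["flow"])
        if s.zone != d.zone:
            threats.add((tag, "S"))
        if s.privilege < d.privilege:
            threats.add((tag, "E"))
    for actor in [e for e in dfd.elements.values() if e.kind == "external"]:
        for name in reachable_from(dfd, actor.name):
            if dfd.elements[name].privilege > actor.privilege:
                threats.add((f"{actor.name}=>{name}", "E"))
    return threats

def what_if(dfd, src, dst, label):
    """Threats a proposed new flow would introduce, without mutating `dfd`."""
    trial = DFD(dict(dfd.elements), list(dfd.flows)).connect(src, dst, label)
    return enumerate_threats(trial) - enumerate_threats(dfd)

def build_model():
    """Constructed sample system (hypothetical, not a client environment)."""
    return (DFD()
            .add(Element("customer", "external", "internet", 0),
                 Element("web", "process", "dmz", 1),
                 Element("accounts", "store", "internal", 2),
                 Element("admin_fn", "process", "internal", 3),
                 Element("ops", "external", "internal", 3))
            .connect("customer", "web", "login, view balance")
            .connect("web", "accounts", "read balance")
            .connect("ops", "admin_fn", "adjust balance")
            .connect("admin_fn", "accounts", "write balance"))

if __name__ == "__main__":
    dfd = build_model()
    for tgt, c in sorted(enumerate_threats(dfd)):
        print(f"{tgt}: {CATEGORY[c]}")
    # Proposed feature: let the web tier call admin_fn directly (say, for
    # self-service disputes). What new threats would that open up?
    for tgt, c in sorted(what_if(dfd, "web", "admin_fn", "dispute")):
        print(f"NEW {tgt}: {CATEGORY[c]}")
```

In the baseline model the customer can only reach the web tier and the account store, and admin_fn shows up in the threat list on its own merits but not as something an external user can get to. Adding the single hypothetical web-to-admin_fn flow produces six new entries, including a boundary-crossing flow that needs authentication and, most usefully for a TBT, a multi-hop path from an unprivileged external actor to the privileged internal function. That diff is the part worth writing up: it ties a future feature to a concrete elevation-of-privilege scenario before any code exists to test.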

It’s not all theoretical and futurist musing, though. TBT results are fed back into pen testing. The extra deep dive knowledge of our target lets us get more creative with our hands-on approach, often leading us to findings we don’t typically see. The synergy between pen testing and TBTs is hard to quantify.

Who's asking for these forward-thinking tests? Mostly financial clients, who want to automate the search for low-hanging fruit and reserve their ethical hackers for the eureka items. Financial clients are also trendsetters in security, so we expect more companies to catch on to the potency of TBTs soon.

We’re polishing our digital crystal balls (TBT methodologies) in anticipation.
