From a0d9e704fd3784080b5b2257fb0fa91ea0b1915f Mon Sep 17 00:00:00 2001 From: Digenaldo Neto Date: Thu, 1 Feb 2024 21:57:00 -0300 Subject: [PATCH 1/2] docs: Add penetration testing methodologies --- methodology/README.md | 57 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 56 insertions(+), 1 deletion(-) diff --git a/methodology/README.md b/methodology/README.md index 7064491..34541d2 100644 --- a/methodology/README.md +++ b/methodology/README.md @@ -1 +1,56 @@ -# TBD +# Penetration Testing Methodologies + +Ensuring a comprehensive approach to penetration testing is essential for effective cybersecurity. The following guidelines outline our strategy and methodologies for achieving consistent and reliable results, adhering to established standards in the field. + +## Overview + +Penetration testing involves a systematic and organized strategy to evaluate the security posture of networks and systems. This approach mitigates the risk of haphazard results and provides a structured framework for addressing potential vulnerabilities. + +## Methodologies and Standards + +Understanding and implementing major documented methodologies and standards are crucial elements of our approach. This empowers us to formulate strategies that leverage established practices, enhancing accountability and defensibility in our results. + +### Testing Environments + +Penetration testing methodologies often categorize tests based on the level of information provided to the tester. Common testing environments include: + +**1. Unknown-Environment Test:** + - Limited information provided (e.g., domain names and IP addresses). + - Mimics an external attacker's perspective, starting with minimal knowledge. + - Enhances realism by withholding information from network support personnel. + +**2. Known-Environment Test:** + - Tester possesses significant information about the organization and its infrastructure. + - Includes network diagrams, IP addresses, configurations, user credentials, and source code if applicable. + - Aims to identify security vulnerabilities within a broader scope. + +**3. Partially Known Environment Test:** + - A hybrid approach between unknown- and known-environment tests. + - Testers may be provided credentials but not full documentation of the network infrastructure. + - Allows testing from an external attacker's perspective while retaining some internal insights. + +### Common Penetration Testing Methodologies + +Several widely recognized methodologies and standards guide our penetration testing efforts: + +**1. [MITRE ATT&CK Framework](https://attack.mitre.org/):** + - Details adversary tactics, techniques, and procedures (TTPs). + - Utilized by offensive security professionals and incident responders. + +**2. [OWASP Web Security Testing Guide (WSTG)](https://owasp.org/www-project-web-security-testing-guide/):** + - Comprehensive guide focused on web application testing. + - Covers high-level phases and specific testing methods for various vulnerabilities. + +**3. [NIST SP 800-115](https://csrc.nist.gov/publications/detail/sp/800-115/final):** + - Guidelines from the National Institute of Standards and Technology for planning and conducting information security testing. + +**4. [Open Source Security Testing Methodology Manual (OSSTMM)](https://www.isecom.org/):** + - Document by the Institute for Security and Open Methodologies (ISECOM) outlining repeatable and consistent security testing. + +**5. [Penetration Testing Execution Standard (PTES)](http://www.pentest-standard.org/):** + - Involves seven distinct phases, including pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. + +**6. Information Systems Security Assessment Framework (ISSAF):** + - Covers various phases, including information gathering, network mapping, vulnerability identification, penetration, gaining access, privilege escalation, enumerating further, compromising remote users/sites, maintaining access, and covering tracks. + +Understanding and implementing these methodologies ensures a robust and effective approach to penetration testing, enhancing the security posture of the systems and networks under evaluation. \ No newline at end of file From 0a222faa90df6051d9b3528dcd3452c7916d4be5 Mon Sep 17 00:00:00 2001 From: Omar Santos Date: Fri, 2 Feb 2024 18:52:42 -0500 Subject: [PATCH 2/2] Update README.md Suggesting some of the edits based on my previous comments --- methodology/README.md | 49 +++++++++++++++++++------------------------ 1 file changed, 22 insertions(+), 27 deletions(-) diff --git a/methodology/README.md b/methodology/README.md index 34541d2..efeb07f 100644 --- a/methodology/README.md +++ b/methodology/README.md @@ -4,12 +4,33 @@ Ensuring a comprehensive approach to penetration testing is essential for effect ## Overview -Penetration testing involves a systematic and organized strategy to evaluate the security posture of networks and systems. This approach mitigates the risk of haphazard results and provides a structured framework for addressing potential vulnerabilities. +Ethical hacking (including penetration testing, red teaming, and bug bounty hunting) involves a systematic and organized strategy to evaluate the security posture of networks and systems. This approach mitigates the risk of haphazard results and provides a structured framework for addressing potential vulnerabilities. ## Methodologies and Standards Understanding and implementing major documented methodologies and standards are crucial elements of our approach. This empowers us to formulate strategies that leverage established practices, enhancing accountability and defensibility in our results. +### Common Penetration Testing Methodologies + +Several widely recognized methodologies and standards guide our penetration testing efforts: + +**1. [OWASP Web Security Testing Guide (WSTG)](https://owasp.org/www-project-web-security-testing-guide/):** + - Comprehensive guide focused on web application testing. + - Covers high-level phases and specific testing methods for various vulnerabilities. + +**2. [NIST SP 800-115](https://csrc.nist.gov/publications/detail/sp/800-115/final):** + - Guidelines from the National Institute of Standards and Technology for planning and conducting information security testing. + +**3. [Open Source Security Testing Methodology Manual (OSSTMM)](https://www.isecom.org/):** + - Document by the Institute for Security and Open Methodologies (ISECOM) outlining repeatable and consistent security testing. + +**4. [Penetration Testing Execution Standard (PTES)](http://www.pentest-standard.org/):** + - Involves seven distinct phases, including pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. + +**Note**: [MITRE ATT&CK Framework](https://attack.mitre.org/) is not a penetration testing methodology; rather, it is a comprehensive matrix and knowledge base of adversary tactics and techniques observed from real-world attacks. Despite this distinction, it provides significant value to ethical hackers, including penetration testers, red teamers, and bug bounty hunters. By leveraging the detailed insights into adversary behaviors and strategies documented within MITRE ATT&CK, you can better understand potential attack vectors, refine your testing strategies, and anticipate the tactics that adversaries may use. This, in turn, enables pentesters and ethical hackers to identify vulnerabilities more effectively, enhance their defensive strategies, and ultimately strengthen the security posture of the organizations they protect. + +Understanding and implementing these methodologies ensures a robust and effective approach to penetration testing, enhancing the security posture of the systems and networks under evaluation. + ### Testing Environments Penetration testing methodologies often categorize tests based on the level of information provided to the tester. Common testing environments include: @@ -28,29 +49,3 @@ Penetration testing methodologies often categorize tests based on the level of i - A hybrid approach between unknown- and known-environment tests. - Testers may be provided credentials but not full documentation of the network infrastructure. - Allows testing from an external attacker's perspective while retaining some internal insights. - -### Common Penetration Testing Methodologies - -Several widely recognized methodologies and standards guide our penetration testing efforts: - -**1. [MITRE ATT&CK Framework](https://attack.mitre.org/):** - - Details adversary tactics, techniques, and procedures (TTPs). - - Utilized by offensive security professionals and incident responders. - -**2. [OWASP Web Security Testing Guide (WSTG)](https://owasp.org/www-project-web-security-testing-guide/):** - - Comprehensive guide focused on web application testing. - - Covers high-level phases and specific testing methods for various vulnerabilities. - -**3. [NIST SP 800-115](https://csrc.nist.gov/publications/detail/sp/800-115/final):** - - Guidelines from the National Institute of Standards and Technology for planning and conducting information security testing. - -**4. [Open Source Security Testing Methodology Manual (OSSTMM)](https://www.isecom.org/):** - - Document by the Institute for Security and Open Methodologies (ISECOM) outlining repeatable and consistent security testing. - -**5. [Penetration Testing Execution Standard (PTES)](http://www.pentest-standard.org/):** - - Involves seven distinct phases, including pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. - -**6. Information Systems Security Assessment Framework (ISSAF):** - - Covers various phases, including information gathering, network mapping, vulnerability identification, penetration, gaining access, privilege escalation, enumerating further, compromising remote users/sites, maintaining access, and covering tracks. - -Understanding and implementing these methodologies ensures a robust and effective approach to penetration testing, enhancing the security posture of the systems and networks under evaluation. \ No newline at end of file