Let's back up. In my opinion there are a few key items that separate a 'pentest' from a vulnerability assessment (with validation):
- Pentests are focused. VAs need to cover every system
- Pentests have a critical human element
- Pentests should be flexible (eww what's that? poke...)
- Pentests should carry the fewest concessions/constraints that are operationally, financially and time-wise feasible. They should be event based, unlike VAs, which are continuous, built on open info sharing, etc.
With that in mind, let's dissect the DnD model (condensed as best I could)
The Catalyst
There are 4 main components (well 3 and the DM). We're first going to head down the 'Catalyst' path. The catalyst in gaming is that event that sets our hero/es off to their destiny. This could be an attack on a town, someone being kidnapped, or waking up in a jail cell, not knowing how you got there or who you are (this is going to happen quite a bit this week in LV)
[Image: Ugh, Pwn'd Again]
A system breach, a regulatory requirement, or a concerned CISO could all be catalysts that take us down the penetration testing path. Whatever the case, our heroes, erm, testers just can't go storm the castle jumping on turtles. This is especially true if our main objective is to train as well as assess. Unlike actual gaming, where there is a steady progression towards the end boss, in penetration testing you can sometimes arrive at the loot in just a few hops. This is the equivalent of the existing backdoor, the warp zone, the cheat code.
[Image: Sometimes, It's This Easy]
Let's forget that though. Here we'll assume a simple progression towards an end goal, where information/access/credentials helps you in the next quest.
[Image: Red Line = Main Path]
The Campaign
All penetration tests should simulate some sort of campaign. Campaigns, as opposed to driveby attacks or skiddies, usually have a more formulated end goal/objective and involve more thought (stealth) in the actions taken. Your vulnerability assessments and network monitoring should take care of the drivebys/skiddies.
Once the main goal is established it's time to adventure! Your adventure could be broken up into multiple, chained quests (defeat the orc to get a sword that kills the dragon that drops the key that opens the dungeon to kill the boss for phat lewtz!!!). Most quests will have an adversary or challenge that may include individual encounters (like how you keep defeating Bowser but he gets away). You get the idea.
When you pentesterize this:
[Image: Campaign -> Quest Example (Can Loop Back Around)]
Plowing through the red line without the blue line context is how we conduct our testing and training today (for the most part). Tomorrow we'll start the walk through this process in depth and start to document our scenario more thoroughly. (as long as I don't get a migraine =P)