Comments on Technicalinfo.net Blog: Pentest Evolution: Malware Under Control
Blog author: Gunter Ollmann

---

Gunter Ollmann (2009-07-22 14:17 -07:00):

Different organizations tend to use (and mix) different terminologies for pentesting. "Full scope" pentest is used by some boutique security consultancies, while the term "Security Assessment" is often used in Europe to encompass chained exploitation of systems that US markets would typify as pentesting - but also includes full breadth vulnerability assessment and patch auditing.

Regardless, what I'm really talking about is the specialization of skills within the pentesting domain and the demands for focused security consulting offerings around those skills. Specialized pentesting offerings traditionally begin with domain expertise within a team of experts/consultants. Once that's become "established" and a market for those services has proven to exist (and be profitable over a longer term), you typically see specialized tools enter (often authored by the initial seed of pentest experts). That is an established model - just look at vulnerability scanners (such as Internet Security Systems scanner and Nessus - harking back to 1994), reverse engineering tools focused on bug-hunting (e.g. IDA Pro evolution), Web application scanners (AppScan, etc.), and automated exploit packs like Metasploit, Impact and Canvas that extend those "pentesting" capabilities.

You could argue that tools such as Metasploit have "malware" capabilities - and to a limited degree they do.

However, modern malware - both the agents in use and the techniques used to deliver them successfully - is a much more sophisticated beast requiring a different scope of expertise. Weapons-grade "malware" can be tamed by experts, and some of those experts can (and do) use it as part of a network-based pentest today - as a sideline. However, dedicated consulting offerings around the malware aspects haven't evolved to mainstream yet.

There is of course a fear to be overcome. "Malware" invokes quite a bit of shock and awe amongst corporate security teams - but then again so did chaining exploits to hack the backend database and sniff its network for passwords... this can be overcome. Establishment of formalized consulting offerings (by malware experts) with exhaustive methodologies (that the customer can review and become comfortable with) is underway today - by several boutique pentesting companies that led the way in "black-box" compiled application reverse engineering. Hence the idea of the impending fork to mainstream offerings.

With regards to the "prove it" mentality going away - I would dispute that. Mainstream automated tools (i.e. in the Web/OS/Network vulnerability assessment market) go out of their way to "prove it" with every check they do - for reproducible results and false-positive elimination.

Again, as specializations mature into standalone pentest offerings, their methodologies become well established and more rigorous - that then makes it much easier to build automated (commercial) tools that can conduct the pentesting activities on behalf of a semi-trained expert (or monkey, as the 'real' experts would argue).

I'm inclined to argue that "malware" assessment/pentesting (or whatever flavor of security naming convention a particular global market uses) requires a separation of pentesting skills with new levels of expertise - and that a commercial market for focused consulting offerings in that area is coming - rather than an ad hoc tweak to an existing network pentest methodology.

---

jwilliams (2009-07-20 12:16 -07:00):

There's a fork coming, but it's not the one you've described. The "prove it" mentality is going away, and companies will demand more rigor in pentesting in terms of completeness and depth. For example, there's a world of difference between finding a few random XSS holes and verifying that the entire application properly uses context-sensitive output escaping to eliminate XSS forever.

---

Anonymous (2009-07-20 09:52 -07:00):

I agree that this could be a potential avenue for growth in the near future. I think the real shame is that as companies begin to have these "prove it" mentalities, the company suffers. With each specialization come fewer people who are able to demonstrate these types of attacks; thus, the consultants can charge more for their services.

It is disappointing that the IT department won't just fix the problem, instead of "installing" a workaround.

---

CG (2009-07-20 06:08 -07:00):

I would call it less of a "malware" pentest and more of a "full scope" pentest using custom tools.

The result is the same: is network monitoring, system integrity monitoring, patching, etc. being properly performed, and can you actually catch and/or remove someone in your network?

It's time to stop making pentesters only look at 1% of a network with a limited scope and calling that secure.