Legal Hacking - Methodology

Methodology

Given the fact that there is no standard legal hack it is difficult to specify the exact approach that is followed during the test. On a high level the test process consists of three steps:

Preparation of the test
Actual test
Reporting of result

Preparation of the test

In this step the different aspects of the test should be specified. Also one or more key persons in the customer organization should be informed of the test to stop undesired escalation of intrusion response. Probably a confidentiality agreement is signed by the legal hack team and last but not least there should be a written assignment by the customer in which the test team is allowed to perform the legal hack. As most testing activities are illegal, otherwise this last document is very important.

Actual Test

As already stated there is no standard legal hack and in practice every test will be different. However most legal hacks will consist of the following phases:

Foot printing in which information is gathered on the target organization through Web sites and mail servers, public records and databases (Address and Name Registrars, DNS, Whois, EDGAR, etc.);
Scanning during which the team test which systems are actually present and can be reached. In this phase the team also tries to establish the operating system the system is running and the services that are active on the system.
Enumeration in which the penetration team actively tries to obtain user names, network share information and application version information of running services;
Vulnerability mapping in which the test team maps the profile of the environment to publicly known vulnerabilities;
Exploitation in which the test team will attempt to gain privileged access to a target system by exploiting the identified vulnerabilities.
Privilege escalation in which vulnerabilities or other weaknesses are used to increase the privileges on a system we have obtained access to;
Expanding influence in which the obtained access and privileges are used to expand influence to other systems.

In a full-knowledge test the foot printing phase will be replaced by a study of the documentation that is provided by the customer. This documentation should consist of network diagrams, IP addresses, phone numbers, version numbers and configuration details.

Reporting of result

In this step the output of different tools and manual tests is further analyzed, the findings are reported and common causes are identified. Recommendations are given and optionally the results can be presented to the management of the organization or to the responsible IT system managers. Presentation of the results of a legal hack can be a great tool to increase IT security awareness.

It is important to keep in mind that risk is defined as the probability that a threat becomes reality multiplied by the impact of the threat. To estimate the impact of a threat it is advised that the test team consult the system or information owner to discuss the effect of a breach of confidentiality, integrity or availability of the asset.

Given the risk the findings can be prioritized and appropriate control measures can be recommended to mitigate the risk. It should be clear that the intention should not be to make systems a 100% secure: First this is impossible but second this is much too expensive. Sometimes the owner of an asset can even prefer to take the risk instead of spending money on extra control measures.

previous next