Classification

Attackers are unpredictable. Under normal circumstances, neither their identity nor the number of attackers targeting a given company is known. This is why potential clients commission a penetration test to secure their systems. Frequently, however, the scenario in which the simulated attack should be carried out is still unclear at the time of the client's initial enquiry. It is therefore our job to classify the penetration test together with the client.

We must always remember that we take on the role of an attacker when carrying out penetration tests. That attacker may be a recently terminated head of IT seeking revenge on his former employer, or an unknown outsider looking for financial gain. To plan a penetration test, we need to know the initial situation and clarify the following questions:

  • Which IT systems or applications should be "attacked"?
  • Are credentials or information such as API documentation provided for the penetration test?
  • Is a test system provided for the penetration test, or must we assess the impact of every action ourselves and consult the client where necessary to avoid disruption of the production system?
  • Should the tests be carried out on site?
  • Should sensitive data, such as access codes, be obtained from employees under false pretenses (social engineering)?

To answer all of these questions, the Federal Office for Information Security (BSI) drafted the study "A Penetration Testing Model". That document classifies penetration tests along six criteria, each of which we settle with the client:

  • Information base: black box (the tester starts with no prior knowledge) or white box (documentation, credentials or source code are provided)
  • Aggressiveness: passive, cautious, calculated or aggressive (the latter including exploits that may crash or damage systems)
  • Scope: full (every system of the organisation), limited (a defined subset) or focused (a single system or application)
  • Approach: covert (avoiding detection by the defenders) or obvious (no attempt to hide the activity)
  • Technique: network-based, other communication channels (e.g. wireless or telephony), physical access, or social engineering
  • Starting point: outside (e.g. from the Internet) or inside (from within the company network)

Using these criteria, we can run through the scenario of the fired head of IT. Unlike an outside attacker, an IT manager is familiar with the company's internal structures and processes, so he starts his attack with far more information (information base: white box). He also knows the applications and systems he was himself responsible for implementing, which gives him a much broader range of targets than an attacker with no prior ties to the company (scope: full). Because of his termination he will likely act aggressively in order to cause as much damage as possible and will not care whether his actions destroy entire systems (aggressiveness: aggressive), which means that his activity will probably be discovered sooner or later (approach: obvious). But because his access rights were revoked as part of his termination, he has to reach the company's data from outside over the network (starting point: outside; technique: network-based).

Classify your attack against Dubius Payment Ltd. as described in the above example along the same criteria and explain each choice. The individual classification criteria are described in detail in Chapter 3.4 of the BSI document "A Penetration Testing Model".

Sub Articles

binsec academy GmbH – Advanced Pentest Training Lab

binsec academy GmbH operates the Pentest Training Lab, a highly practical online platform dedicated to real penetration testing. Simulating complex corporate networks and advanced real-world attack scenarios within isolated lab environments, it is engineered to sharpen the skills of aspiring and professional penetration testers. Upon conquering our rigorous, fully practical examination, participants earn the distinguished Binsec Academy Certified Pentest Professional (BACPP) designation — proving their technical capability to methodically uncover and evaluate vulnerabilities in modern IT infrastructures.


binsec GmbH – Experts in Penetration Testing

As the operative pentesting core of the binsec group, binsec GmbH has provided high-end, human-led penetration testing since 2013. Rejecting automated scans, our permanently employed, certified senior pentest experts deliver manual deep-dive assessments of web applications, APIs, mobile apps, complex network infrastructures, cloud environments, and advanced red team simulations. Specializing in high-regulation sectors like Payment, Banking, and Healthcare, we provide clear risk evaluations and actionable reports to effectively assess your business-critical systems.


Contact

binsec GmbH
Clemensstraße 6-8
60487 Frankfurt am Main
Germany

Legal notice

Director: Patrick Sauer
Authorized Officer: Dominik Sauer, Florian Zavatzki
Registration: Frankfurt am Main, HRB97277
Turnover Tax Identification No.: DE290966808