
Why Teamwork Matters

I have already mentioned in this blog post that there’s always standard stuff you have to do in a pentest. Finding all the standard security issues is important for the completeness of the pentest and should never be neglected. You will look rather stupid if you find the remote root exploit that can only be triggered at full moon sending your TCP packets backwards, but your customer gets 0wn3d by a simple SQL Injection in his homepage two days later.

But on the bright side, a good pentest also thrives on the creativity and outside-the-box thinking of the pentesters. We all know that finding the moonshine 0day is where the fun is, right? So never underestimate the importance of being creative either. The bad guys get surprisingly inventive when there’s enough money in it, and so should you (I’m talking about the getting creative part, not the illegal money making).

The only problem is, being creative is hard sometimes. There are times when you just don’t have any good ideas on how to approach something from a different angle, when you are stuck in a certain mindset. One piece of advice when this happens: search for the standard issues during the time you can’t wrap your mind around other things. There’s always no-brainer stuff that has to be done. Another thing you can do is to start documenting everything you have already found. You have to do it anyway, so start collecting all your notes and logs (you have detailed notes and logs about what you’ve already done, haven’t you?) and document the details.

The above will help you when you temporarily run out of ideas about what to do next, but it won’t solve the problem if you’ve already covered the standard things, your documentation is nicely done, and you still have no idea how to proceed. This is where you should remember the greatest resource of all: your colleagues and fellow pentesters. This assumes, of course, that you’re not working alone (e.g. as a freelancer). Talk things through with them. Get new ideas about your problem. It’s amazing how much it helps to just give somebody a detailed description of what you’re trying to do. Many times, you get new ideas while still talking. Your colleagues may also have deeper insights into some areas than you. IT (security) is such a complex field that nobody can master it all; everyone’s specialised in one way or the other.

At RedTeam, we wanted to leverage the benefits of teamwork from the beginning, so for us the consequence is: We always work in a team of (at least) three pentesters. You normally can’t hire only one of us. This of course doesn’t mean that we’re just tripling the cost of every pentest. The team will naturally work faster and therefore needs fewer days than a single pentester. As far as I see it, our day-to-day work proves us right. We’ve had really positive experiences with working in a team; I can think of numerous occasions where I would’ve been stuck if it weren’t for one of the others saying: “Have you already tried to…”.
