Simple Science



Insights into Offensive Security Testing

A study on the process and challenges faced by security professionals.



Offensive Security Tests are used to find weaknesses in software before bad actors can exploit them. These tests are usually conducted by skilled professionals known as penetration testers or ethical hackers. However, there aren’t enough of these experts available, making it hard to test all software for security issues. To help with this, researchers are looking into ways to make the testing process easier and more efficient. To do this, it's important to know how these hackers think and the challenges they face.

This article presents a study of twelve security professionals to understand their work and the problems they encounter. By analyzing their experiences, we aim to provide insights and suggestions that can help improve the efficiency of security tools and identify new areas for further exploration.

The Need for Security Testing

As more devices connect to public networks, the risk of attacks also grows. We would wish all software were free from flaws, but that is not the reality. While developing secure software and conducting defensive security tests is important in the long run, immediate action is necessary to identify and fix problems in existing software.

Penetration tests are one practical solution for finding and fixing security flaws. These tests aim to discover vulnerabilities before they can be exploited. Yet there is a notable shortage of skilled security professionals to carry out these tests. Enhancing the efficiency of existing testers through better tools is essential to address this shortage.

Despite existing research, we lack detailed knowledge of how security assessments are conducted and how hackers choose which attacks to perform. Understanding these practices is crucial for creating helpful tools and improving the processes involved in security testing.

Research Questions

To shape the focus of this work, we developed three key research questions. In the methodology section, we explain how we approached our research.

1. What do common security tests look like?

In this article, we describe the different types of security assessments conducted by hackers, the processes involved, and the role automation plays in these tests.

2. How do hackers perform their tasks?

We explore the background and experiences of our participants. The results shed light on their training and the thought processes that guide their work.

3. What tedious or time-consuming areas could be improved?

In this section, we discuss identified areas where efficiency can be enhanced, grouping them based on the needs of researchers and tool developers.

Related Work

Most research has focused on secure software development and defensive testing, while offensive security testing has received less attention. Our work aims to bring understanding to how hackers operate during security assessments.

Previous studies have looked at the experiences of small and medium enterprises regarding cyber threats. However, we focus on the hackers themselves rather than the companies being attacked. Our research highlights the mindset of security professionals and how they go about their work, which has not been adequately covered in existing literature.

Many publications discuss penetration testing without delving into the operators' thought processes or decisions. Our study fills this gap by exploring how security experts approach their tasks and the challenges they face.

Becoming a Hacker

Participants in our study shared their journeys into the hacking field, revealing several common themes.

Academic Education

Most interviewees had a university background, with many holding degrees in IT or related fields. A significant number pursued higher education in IT security. This trend reflects a growing awareness of the importance of security training.

Experience Prior to IT Security

Interviewees reported that prior experience in IT, even if not security-focused, helped them transition into the security field. A broad knowledge of IT, combined with specialized skills, was seen as beneficial.

Staying Relevant

All participants recognized the need for continuous learning in their field. They often turned to social media, online courses, conferences, and colleagues to keep up with trends and new vulnerabilities.

Capture the Flag (CTF) Participation

Many professionals participated in CTF competitions, which provided valuable skills applicable to their work. These events are seen as both educational and a way to engage with the community.

How Do Hackers Work?

While each project varies, certain types of penetration tests have distinct requirements and strategies. Here’s an overview of different security assessments.

Types of Security Tests

  1. Vulnerability Assessments: These tests aim for broad coverage and often involve scanning for known vulnerabilities. They require a high level of automation due to the number of targets.

  2. Penetration Tests (Pen-Tests): These focus on specific targets in greater depth. They involve searching for new vulnerabilities in software and are usually performed manually, especially against custom applications.

  3. Internal Network Tests: These evaluate the security of internal company networks. The assumption is that an attacker is already present, and the goal is to find sensitive data or gain more access.

  4. Operational Technology (OT) Tests: These tests focus on critical infrastructure like power plants and require strict coordination with clients to minimize potential risks.

  5. Red-teaming: This approach involves simulating attacks on a company to test its response. The objective is specific, and tactics can include social engineering and stealthy techniques.

Black-Box vs. Gray-Box Security Testing

A key difference in testing approaches is the level of information provided by the client.

  • Black-Box Testing: This involves starting without any insight into the system, relying entirely on the tester's skills to find vulnerabilities.

  • Gray-Box Testing: Here, some information is shared, allowing for a more focused approach.

Overall, participants suggested that moving toward gray-box testing could improve efficiency.

Typical Testing Workflows

Interviewees described their typical workflows for different types of tests. Many tasks included both exploratory testing and more structured checklist approaches.

In web penetration tests, testers often focus on authorization checks, ensuring that user access is appropriately restricted. Automated tools are also widely used for common vulnerability checks.

Internal network tests typically follow a phased approach that begins quietly and may escalate to more noticeable activities. Testers aim to gather credentials from accessible data and then move laterally through the network.

Common Tools

Interviewees used a variety of tools, with each having its strengths and weaknesses. While many relied on existing solutions, few created custom tools for specific tasks.

The setup of automated tools could be cumbersome, especially in tight timelines. Some areas were deemed unsuitable for automation due to the need for nuanced human judgment, such as during social engineering attacks.

How Do Hackers Think?

Understanding how security professionals think is just as important as knowing what they do. During our interviews, several themes emerged regarding their decision-making processes.

Known Vulnerabilities vs. New Vulnerabilities

Participants often distinguished between searching for existing vulnerabilities and hunting for new ones. This division affects how they approach their testing and what tools they use.

Identifying Vulnerable Areas

Interviewees described using intuition based on experience to guide their exploratory testing. They analyze requests and responses to uncover unexpected behaviors that may suggest a vulnerability.

Dealing with Uncertainty

Hackers routinely operate in environments where they lack complete information about the systems they are testing. They make educated guesses and progressively adapt their strategies based on the responses they receive.

Time Management

Efficiency is vital, and many participants noted the need to manage their time effectively. They aim to avoid unnecessary tasks and focus on high-impact actions.

Quality Control

The quality of their work is a major concern for testers, particularly when dealing with sensitive data. They rely on checklists and collaborative efforts to ensure thorough testing.

Dealing with Change

The field of security is always evolving. As defenses improve, hackers must adapt their strategies. Some areas have become more challenging, prompting professionals to shift their focus to different types of testing.

Discussion and Implications

Reflecting on our findings, we can summarize important points regarding the alignment of research and industry practices.

Research Must Align with Project Scope

Understanding how security tests are structured in terms of time and resources is crucial for effective research. Developments should consider practical constraints faced by testers.

Opportunities for Future Research

Several areas could benefit from targeted research that directly aids security practitioners:

  1. Automating Authorization Testing: Since this process is often time-consuming, research into automating it could yield significant efficiency gains.

  2. Gray-Box Testing Solutions: Investigating ways to automate tests based on available source code and configurations can help in creating more effective security assessments.

  3. API Testing Automation: The manual creation of test cases for APIs is burdensome. Finding ways to automate this process can streamline procedures.

  4. Information Gathering: Developing automated methods for gathering critical data can enhance efficiency in internal network tests and red-team engagements.

  5. Scalable Phishing Techniques: Harnessing machine learning to personalize phishing efforts can increase the effectiveness of social engineering tactics.

  6. Human-In-The-Loop for OT Testing: Balancing human oversight with automation in sensitive environments can improve the quality and safety of tests.

  7. Study of Knowledge Communities: Researching how security professionals keep updated can help develop better educational resources tailored to their needs.
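The authorization checks that dominate web penetration tests (see the workflow description above) and the first research opportunity, automating authorization testing, both reduce to comparing observed access against an expected access-control matrix. The following script is an added illustration, not code from the paper or its authors; the toy application, session tokens and policy table are constructed so it runs offline, and in a real assessment the `send` function would issue HTTP requests against the system under test.

```python
"""Authorization-matrix checker: replays every (role, endpoint) cell of an
expected access policy against an application and reports each cell where the
observed outcome differs. Everything below is constructed for this example."""

# Constructed toy application: documents with an owner, sessions mapping a
# token to (user, role), and a handler that mimics an HTTP endpoint.
DOCS = {1: {"owner": "alice", "body": "a-secret"},
        2: {"owner": "bob", "body": "b-secret"}}
SESSIONS = {"tok-alice": ("alice", "user"), "tok-bob": ("bob", "user"),
            "tok-admin": ("root", "admin")}

def app(method, path, token):
    """Return an HTTP-like status code for the request (constructed app)."""
    if token not in SESSIONS:
        return 401                                   # no valid session
    user, role = SESSIONS[token]
    if path == "/admin/users":
        return 200 if role == "admin" else 403       # role check present
    if path.startswith("/docs/"):
        doc = DOCS.get(int(path.rsplit("/", 1)[1]))
        if doc is None:
            return 404
        if method == "DELETE":                       # ownership enforced here
            return 204 if doc["owner"] == user or role == "admin" else 403
        return 200                                   # GET: ownership NOT enforced
    return 404

# Expected policy: (method, path) -> {token_or_None: expected_status}.
# This is the access-control matrix a tester would derive from the spec.
POLICY = {
    ("GET", "/admin/users"): {None: 401, "tok-alice": 403, "tok-admin": 200},
    ("GET", "/docs/2"): {None: 401, "tok-alice": 403, "tok-bob": 200,
                         "tok-admin": 200},
    ("DELETE", "/docs/2"): {"tok-alice": 403, "tok-bob": 204},
}

def check_matrix(send=app, policy=POLICY):
    """Replay each matrix cell; return (method, path, token, expected, got)
    for every mismatch. An empty list means behaviour matches the policy."""
    findings = []
    for (method, path), cells in policy.items():
        for token, expected in cells.items():
            got = send(method, path, token)
            if got != expected:
                findings.append((method, path, token, expected, got))
    return findings

if __name__ == "__main__":
    for f in check_matrix():
        print("MISMATCH %s %s as %s: expected %d, got %d" % f)
```

Run stand-alone, the script reports the one cell where the toy app's GET handler skips the ownership check, which is exactly the class of finding the interviewees described locating by hand.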

Conclusion

Through our exploration of the work and thought processes of security professionals, we gain valuable insights into the challenges they face and the opportunities for improving security testing practices. Ongoing research and collaboration between practitioners and researchers can lead to advancements that benefit both fields, ultimately improving the security landscape for all.

Original Source

Title: Understanding Hackers' Work: An Empirical Study of Offensive Security Practitioners

Abstract: Offensive security-tests are a common way to pro-actively discover potential vulnerabilities. They are performed by specialists, often called penetration-testers or white-hat hackers. The chronic lack of available white-hat hackers prevents sufficient security test coverage of software. Research into automation tries to alleviate this problem by improving the efficiency of security testing. To achieve this, researchers and tool builders need a solid understanding of how hackers work, their assumptions, and pain points. In this paper, we present a first data-driven exploratory qualitative study of twelve security professionals, their work and problems occurring therein. We perform a thematic analysis to gain insights into the execution of security assignments, hackers' thought processes and encountered challenges. This analysis allows us to conclude with recommendations for researchers and tool builders to increase the efficiency of their automation and identify novel areas for research.

Authors: Andreas Happe, Jürgen Cito

Last Update: 2023-08-23 00:00:00

Language: English

Source URL: https://arxiv.org/abs/2308.07057

Source PDF: https://arxiv.org/pdf/2308.07057

Licence: https://creativecommons.org/licenses/by/4.0/

Changes: This summary was created with assistance from AI and may have inaccuracies. For accurate information, please refer to the original source documents linked here.
