6/21/2023

Black box pentesting

The gray box method is an attempt to get the benefits of both the black and crystal box methods in one assessment. Gray box tests are a mixture of the zero-knowledge black box and the full-disclosure crystal box. In my experience, almost every engagement I have ever been involved in that began as a black box test has turned into, at a minimum, a gray box level of foreknowledge. The gray box penetration testing method is somewhat more common.

Edge protection and security monitoring services force the tester to perform the bare minimum of testing to find an entry point, often causing the test to miss a plethora of other weaknesses it could have uncovered. While it seems logical that an offensive assessment may want to remain under the radar, this is not the most effective approach. This approach adds another wrench to the works: the tester has to be “slow and quiet” to not be discovered by the defenses and defenders. As is clearly defined in all of the current industry accepted penetration testing frameworks, the discovery phase can easily take half or more of a penetration test’s allotted time. If the black box method is used at all it generally leads to longer engagements, since this method requires the tester to spend a significant amount of time on the initial discovery phase of the test.

More commonly, these limitations are used during large internal penetration tests. During a black box penetration test, the penetration tester has only been given the bare minimum information on the in-scope systems. Let us begin with, in my experience, the least common type of assessment, known as the black box penetration test.

Black Box Testing: A Dark View of the Engagement

Really, the names are just descriptors – the concept remains the same and that is what’s most crucial. Many, including CynergisTek, use the term “crystal” in place of “white”.
In college, I was taught white box, gray box, and black box as the three levels of disclosure related to a penetration test. This aspect has a plethora of names but is almost always referred to with the “box” descriptor. It is critically important to determine the amount of foreknowledge that the tester should get. There is one important aspect I have not written much about. I have talked at length in other blog posts about many of these considerations. There are many important aspects to consider in any given penetration test.