(WEBINAR) Whitebox pentesting: A faster, more accurate pentest for the enterprise

Editor’s note: Want to learn about how whitebox pentesting can benefit your organization? Then you’ll want to view our on-demand webinar, “Whitebox pentesting: A faster, more accurate pentest for the enterprise”.

Most security professionals know that pentesting systems and environments provide insight on what an attacker could do if given the opportunity. Historically, variations of blackbox or zero-knowledge pentesting have been the security assessment of choice for this.

But is this always the right approach? While this age-old method of pentesting will uncover vulnerabilities in an enterprise environment, it will likely miss key things—some of which may be extremely important to understand. Additionally, it can take time for a pentester to move through the kill chain, mimicking the process an attacker would take. Even after multiple weeks, the pentest may not uncover the most important issues.

More often than not, organizations want one simple question answered—how susceptible to compromise are our most important assets?

Enterprise Attack Modeling and Whitebox Pentesting

To better answer this question, we’ve introduced a different kind of assessment we refer to as Whitebox Pentesting. In this approach, a pentester’s activities are more targeted and leveraged to answer more specific security questions explicitly.

To achieve this, they may be given access to key systems up front to simulate a compromise, which can then showcase the possibility of compromising key assets or important data from that position of compromise. The goal of doing so is to go beyond knowing what would be possible, to forcing the consideration of security measures that genuinely prevent the impact of initial compromises.

When used well, whitebox pentesting can reduce the amount of time spent on pentesting in general, and provide the answers you are truly interested in.

In a previous open-scope engagement, our security team spent three weeks helping uncover vulnerabilities. On many levels the engagement was a huge success, but after talking with the client it turned out they only really cared about a very specific workflow, which fortunately we did manage to uncover and compromise. 

However, there are plenty of other times when a traditional blackbox penetration test, attack simulation or red team test will miss the most important flaws because the testing was not specific enough. Like looking for a specific needle in a stack of needles! With a whitebox pentesting approach, it’s possible we could have answered the client’s key question in as little time as a single day.

To understand what is important, and how to test susceptibility to compromises in an impactful way, a company may first go through a process of Enterprise Attack Modeling. 

In this, we establish the following:

• The most important assets in the organization
• The theoretical controls protecting them from compromise
• The likely ways an attacker will attempt to compromise those key assets
• The potential to do so if key protections fail, or wider compromises exist
• A series of focused tests that will exercise assumptions and test susceptibility under a range of conditions.

“I’ve been advising clients towards this approach for some time now”, says NCC Group’s Kev Dunn, Senior Vice President and Head of Professional Services. “I was sick of seeing only partial value from pentest projects or repeat pentests for clients that kept showing the same problems with little improvement. Security is hard and the constant whack-a-mole game is only ever going to be partially effective. Ensuring clients are focused on the assets most important to their organization is absolutely vital.”

How can this approach help your organization? Register for the on-demand webinar to learn how to get the most value out of your pentesting engagements.

About the speaker

Kevin Dunn is Senior Vice President for NCC Group in North America. Kevin serves as the Head of Professional Services in North America and the Global Co-Head of Professional Services for NCC Group worldwide.

Kevin has been a professional security consultant for over 18 years, working on diverse projects and challenging technologies for the world’s largest and most demanding companies. Kevin works closely with Fortune 500 companies, covering Oil & Gas, Finance and Software sectors, developing strategic security assessment, remediation and advisory services for NCC Group from his office base of operations in Austin, TX.

In the early part of his career, Kevin worked in the area of vulnerability assessment for the UK government in the Ministry of Defence. He has presented and provided training extensively at recognized security conferences like BlackHat and TechEd and has often been asked to offer this expertise at closed-door security events for technology leaders such as Microsoft (BlueHat), VMware (Moosecon), and Amazon (Zoncon).

In 2016, Kevin was invited to testify for a United States Congress committee on the subject of security for small businesses. He has been an active contributor to InfraGard, the partnership between the Federal Bureau of Investigation of the private sector, receiving a DoJ/FBI award for his contributions. Additionally, he has been active in security education for the United States Secret Service Electronic Crimes Task Force (USS-ECTF).