Why you should get a grey box pentest instead of a black box pentest
It's that time of the year when you are looking for a pentesting company to execute a penetration test on your network, and you are trying to decide how much information you should provide to them. A question that I often hear is "Should I get a black box or a grey box pentest?" (Black box: the testers start with nothing but your company name and whatever they can dig up on their own. Grey box: you give them a head start, e.g. IP ranges, an architecture overview, or a couple of low privilege accounts.)
TL;DR: Get a grey box pentest.
In this post I'll try to convince you why you should consider the grey box approach instead of the black box approach.
Here are, in my opinion, the top 5 reasons why you should go with a grey box pentest:
1. Money
Yes, you heard that, money. Penetration testing services aren't exactly cheap, so you wanna get the most out of the penetration tester's time, and you want them to identify (and exploit) as many weak points as they possibly can within the given time frame. So, do you really want your penetration testing company spending billable hours researching your people on LinkedIn and StackOverflow, looking for recent acquisitions and trying to identify your AWS IP address space? Not really.
Customer: But wait, isn't that what a cyber criminal would do? They would start with zero information about my company, I want my pentest to be as close as possible to what a real attack would look like.
Pentester: OK, so does that mean that you have unlimited money for this project?
Customer: Of course not.
Pentester: OK, then you don't want a black box pentest.
Customer: I don't understand, what do you mean by unlimited money?
Pentester: You do realize we charge by the hour, right?
Customer: OK I see...
The bottom line is that pentests are scoped (and quoted) based on the amount of work the penetration testing company expects, which in turn is tied to the amount of time the company will need to complete the pentest. Even so, pentest companies do not have unlimited time, which takes us to the second reason:
2. Time
A penetration test is like any other project, bounded by time and resources. Pentesters are given a time frame to complete a pentest, typically a week or two. Because of this you want to provide some information to your pentesters up front so you save them some time. The main reason is that, unlike attackers, penetration testers do not have unlimited time to complete a project (unless you have an unlimited budget, see reason 1, Do you have unlimited money for this project?).
Pentesters even need to set time aside for the most exciting part of any penetration test, which is writing that awesome report that you are going to share with your CISO. (Sometimes this part is scoped separately, sometimes it is not.)
3. Insider Threats
Attacks can also come from within your network (surprise, surprise), and I am not necessarily talking about the infamous "Disgruntled Employee", a.k.a. Jeff, former IT member seeking revenge because he got fired right before Christmas. I am talking about Carol from payroll, who clicked on a "Virus Alert" pop-up and just spawned a reverse shell to an EC2 instance pwned by some guy based out of Ukraine; or Carlos Roberto, who entered his network credentials on a phishing site that looked just like the employee portal; or Arturo, who reused his old LinkedIn password for his corporate login, the same password that was exposed when the LinkedIn breach data surfaced back in 2016.
In summary, threats can also come from within your network: from trusted partners, recent acquisitions, or pretty much any employee. Attackers may already possess low privilege user accounts before they even get started, so why wouldn't you give the same advantage to the company that you are going to trust to analyze your network security?
4. Critical/Forgotten Assets
OK, you chose the black box route and your black box pentest is done. The penetration testing company couldn't get past your DMZ (do people still use DMZs? I feel kinda old even mentioning it... well, you get the point, they didn't get past your externally facing assets). Every externally facing asset is properly hardened, which means you aced this pentest, right?
Well, not so fast. What about your critical assets? Perhaps those that sit behind the firewall? Are they properly hardened? How about that one server that you stood up last year when your cloud provider went down, which is still connected to your network via VPN but the pentester failed to find within that one week time frame? (I know, sometimes we miss things too :) )
Again, it goes back to getting the best out of the pentester's time. You wanna make sure that the assets that are critical to the operation are not missed, and the only way to ensure that is by sharing an inventory of those assets with the pentesting company.
5. Missed attack vectors
Alright, your time's up Mr. Pentester, it's time to start working on that report (Yay!). A week went by, and with the exception of some medium and low severity findings (missing security headers, lack of rate limits, etc.) not a lot was found. Yet the pentester missed that the employee portal allowed any valid user to become an admin and therefore execute commands on the server. The reason this was missed is that he was never given a valid low level user to poke around with.
The same concept applies to other attack vectors such as OS privilege escalations, or vulnerabilities that are only reachable by authenticated users.
If you wanna make sure that you covered all your bases, you might want to share a little more information (e.g. low level users for your web applications, low level user Postman collections for your APIs, etc.).
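As an added illustration of an authenticated-only bug (example code written for this edit, not from the original post): a toy employee portal whose profile-update endpoint does mass assignment, so any logged-in user can write `role=admin` into their own record and then reach the admin-only "run command" endpoint. The hardened handler uses an allowlist of writable fields. The portal, users, passwords and endpoint names are all constructed for this example. The probe function plays the tester: with no credentials (black box) every call is a 401 and the bug is invisible; with a low privilege account (grey box) the vulnerable handler hands over admin.

```python
"""Mass-assignment privilege escalation that only an authenticated tester can find.

Added example, not the original post's code. All users, passwords and
endpoint names are constructed for illustration.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Portal:
    # Constructed users: one admin and one ordinary employee.
    users: dict = field(default_factory=lambda: {
        "alice": {"password": "correct horse", "role": "admin", "display_name": "Alice"},
        "carlos": {"password": "Winter2016!", "role": "employee", "display_name": "Carlos"},
    })
    sessions: dict = field(default_factory=dict)  # session token -> username
    PROFILE_FIELDS = ("display_name", "phone")     # the only fields a user may edit

    def login(self, username, password):
        """Return a session token, or None on bad credentials."""
        user = self.users.get(username)
        if user is None or user["password"] != password:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token

    def _current_user(self, token):
        return self.sessions.get(token)

    def update_profile_vulnerable(self, token, body):
        """Mass assignment: every key in the request body lands in the user record,
        including 'role' and 'password'."""
        username = self._current_user(token)
        if username is None:
            return 401
        self.users[username].update(body)
        return 200

    def update_profile_hardened(self, token, body):
        """Allowlist: only PROFILE_FIELDS are writable; anything else is rejected."""
        username = self._current_user(token)
        if username is None:
            return 401
        if any(key not in self.PROFILE_FIELDS for key in body):
            return 400
        self.users[username].update({k: v for k, v in body.items()})
        return 200

    def admin_run_command(self, token, command):
        """Admin-only endpoint: the 'execute commands on the server' step.
        Returns an HTTP-style status; a real app would run `command` here."""
        username = self._current_user(token)
        if username is None:
            return 401
        if self.users[username]["role"] != "admin":
            return 403
        return 200


def probe_privilege_escalation(portal, update_handler, creds=None):
    """What the tester does. Returns (update_status, admin_call_status).

    creds=None models a black box tester with no account: the session token is
    garbage, so both calls fail with 401 and nothing about the bug is learned.
    creds=(user, password) models a grey box tester who was given a low
    privilege account and tries to smuggle role=admin into a profile update.
    """
    token = portal.login(*creds) if creds else "not-a-valid-token"
    update_status = update_handler(token, {"display_name": "Carlos R.", "role": "admin"})
    admin_status = portal.admin_run_command(token, "id")
    return update_status, admin_status


if __name__ == "__main__":
    low_priv = ("carlos", "Winter2016!")
    p = Portal()
    print("black box, vulnerable handler:", probe_privilege_escalation(p, p.update_profile_vulnerable))
    p = Portal()
    print("grey box,  vulnerable handler:", probe_privilege_escalation(p, p.update_profile_vulnerable, low_priv))
    p = Portal()
    print("grey box,  hardened handler:  ", probe_privilege_escalation(p, p.update_profile_hardened, low_priv))
```

The hardened handler rejects unknown fields outright rather than silently dropping them; either is acceptable, but a 400 makes the attempt show up in logs. Note that `admin_run_command` checks the role on every call, so the allowlist on the write path is what actually closes the hole.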
Customer: So, if you are as good as those black hats out there, why do you need this much information? Do u 3v3n kn0w h0w to h4ck?
Pentester: With all due respect, are you testing our skills or are we trying to help you identify potential issues with your network?
Customer: The latter.
Pentester: OK that's what I thought.
Note: If this is the reason why you think you need a black box pentest as opposed to a grey box pentest, then you have the wrong approach to pentesting altogether, and you might want to consider looking for another pentesting company that you, or someone close to you, trusts.
A penetration test should NOT try to emulate a full-blown attack against your infrastructure: attackers have unlimited time and resources, pentesters don't. Instead, a pentest should help you reduce your attack surface by identifying issues that can actually be exploited, focus on the things that matter to your operation, and get the best out of your money.
I hope this was helpful.
BTW, if you feel like buying me a beer, please knock yourself out: