All language subtitles for 005 PenTest Methodologies (OBJ 1.2)

Instructor: Every penetration test should follow a specific methodology. Now, a methodology is defined as a system of methods used in a particular area of study or activity. In terms of penetration testing, it refers to the systematic approach that a penetration tester is gonna use before, during, and after a test, assessment, or engagement. Now notice I use three different terms here to talk about a penetration test. These are the terms test, assessment, and engagement. All three of these are often used interchangeably both on the exam and in the industry. And you're gonna notice I use all three interchangeably throughout this course as well. A methodology is simply a structured approach to penetration testing with each step working to serve a unique purpose as you try to identify and exploit various vulnerabilities on a given system.

There are many different penetration testing methodologies available, but the one this course is built around is the CompTIA penetration testing process, which includes four major steps or phases that occur during an engagement. First, we have planning and scoping. Second, we have information gathering and vulnerability scanning. Third, we have attack and exploit. And fourth, we have reporting and communicating. In fact, you may have noticed that these four steps match up perfectly with the first four domains of the PenTest+ exam. The fifth domain, tools and code analysis, doesn't fit cleanly into a single phase though, because we're gonna use different tools and code during all of the phases of a penetration test. Now, there are many other methodologies that a penetration tester can utilize when they're conducting their own assessments, and many have more steps since they're dividing up portions of the four phases that we just covered. For example, EC-Council presents an eight-step model in their Certified Ethical Hacker, or CEH, certification program.

This involves permission, reconnaissance, scanning and enumeration, gaining access, escalation of privileges, maintaining access, covering your tracks and installing back doors, and of course, reporting. Even though the EC-Council methodology might seem to be more in depth, both methodologies are fairly equivalent. For example, the permission phase from CEH parallels the planning and scoping stage from PenTest+. The reconnaissance, scanning, and enumeration steps are gonna be combined from CEH into the information gathering and vulnerability identification inside of PenTest+. Whereas your attack and exploit phase inside PenTest+ is actually broken down into several steps in CEH, including gaining access, escalation of privileges, maintaining access, covering your tracks, and installing back doors. Finally, the reporting and communication phase that we have in PenTest+ is covered under reporting inside of CEH. As you can see, these similar methodologies only really differ by the amount of specification by combining or splitting apart different steps.

For this reason, the PenTest+ methodology does tend to be a little bit easier to learn and implement in the real world because it is only four steps. Now, regardless of whether you follow the CompTIA four-step process or the CEH eight-step process, it's important to remember that these are essentially the same steps that are being taken by a threat actor or unauthorized hacker when they attempt to break into your systems. The only real difference is that that threat actor doesn't ask for permission during the planning and scoping, and they don't bother to report or communicate to you about the exploits that they're able to achieve against your given vulnerabilities. Now, CompTIA and CEH are not the only two methodologies that are out there though. For example, the National Institute of Standards and Technology, known as NIST, has their own methodology that's published in the NIST Special Publication 800-115, known as the Technical Guide to Information Security Testing and Assessment.

This publication provides a recommended methodology for conducting penetration tests utilizing a four-phase approach of plan, discover, attack, and report. And this methodology seems to be what CompTIA designed their methodology upon, because it clearly matches up to the four steps of the PenTest+ methodology. The NIST methodology is the industry standard used throughout the entire United States, especially in the federal government and the Department of Defense for all their internal assessments. Now, sometimes when you're conducting an engagement, you're gonna be asked to do what is known as adversary emulation. Adversary emulation is a specialized type of penetration test where you're trying to mimic the tactics, techniques, and procedures of a real-world threat actor in your penetration test. For example, maybe you're conducting a penetration test against a company that's gonna be expanding their operations into a new market, and they're worried that a nation-state advanced persistent threat might wanna hack their networks.

In this case, they may wanna train their cybersecurity analysts on what that type of attack is gonna look like by having you conduct a penetration test using the techniques associated with a specific threat actor. If you ever find yourself in this situation, you should definitely check out the MITRE ATT&CK framework when you research a specific threat actor. Now, unlike the methodologies we discussed earlier in this lesson, the MITRE ATT&CK framework is a knowledge base that's maintained by the MITRE Corporation for the listing and explaining of common adversary tactics and techniques that are observed in the real world. The word ATT&CK in the name of the framework is actually an acronym, and it stands for Adversarial Tactics, Techniques, and Common Knowledge. If you would like to explore the ATT&CK framework, you can visit attack.mitre.org. This is a free and open-source website that contains a matrix model that's gonna give you different columns for each type or category of attack that could occur.

Basically, it's gonna map out each threat actor's methodologies that are gonna be used during different types of attacks. For example, there are columns for defensive evasion, credentialed access, discovery, lateral movement, and execution. Underneath each of these categories is a tactic or technique that could be used by an attacker to accomplish that particular goal. When you visit attack.mitre.org, you're gonna see the ATT&CK Navigator, where you're gonna select different tactics or techniques, and they'll be highlighted with different colors. Here you can see one example for APT28 that's already been mapped out by the MITRE team. APT28 is an advanced persistent threat that has been identified as being a Russian cyber espionage group, likely associated with the Russian military intelligence agency known as the GRU. You'll also hear this APT called Fancy Bear. Using the ATT&CK Navigator, you can quickly see that APT28, or Fancy Bear, uses 10 common reconnaissance techniques, including vulnerability scanning, credential harvesting, and phishing for information.

They're also known for using spearphishing with attachments and links and exploiting public-facing web applications. This ATT&CK matrix is a great way to visualize the different types of techniques that are used by a particular adversary. And it shows all the different capabilities and capacities that they're gonna use in their attacks. By learning what an adversary does and mimicking your penetration test to those techniques, you can provide exceptional levels of training to cyber defense personnel at your target organization during your engagements. Now, another use case for this tool is on the defensive side, if you're responding to an adversary response. By going through and mapping out the attack using the ATT&CK matrix, and then comparing it to determine which adversary is likely exploiting your network, you can identify who may be causing you all that pain. Another variation of the MITRE ATT&CK framework is called the ATT&CK for Industrial Control Systems, or ICS.

This MITRE ATT&CK for ICS framework describes the set of tactics and techniques specific to industrial control systems and lists the elements described in the ATT&CK for ICS knowledge base as another matrix. It works just like the regular ATT&CK matrix, except this one is focused on techniques that are used only for ICS devices.
