Domain 6 Β· Lesson 2 of 5

Penetration Testing Methodology

Kiểm thα»­ XΓ’m nhαΊ­p

Test Types by Knowledge Level

Type Knowledge Given Realism Thoroughness BSP Suitability
Black Box None Most realistic Least thorough Limited β€” misses code-level issues
Gray Box ⭐ Partial (architecture, some creds) Balanced Balanced Most common for compliance; best ROI
White Box Full (source code, DB schema) Least realistic Most thorough Best for audit/compliance; code-level coverage

7 Penetration Test Phases

1

Planning & Scoping

Obtain WRITTEN AUTHORIZATION β€” legally required before any testing. Define scope, Rules of Engagement, prohibited actions (no DoS, no data destruction), time window, emergency stop contacts.

2

Reconnaissance

Passive: OSINT, WHOIS, LinkedIn, Shodan β€” no direct contact with target. Active: Nmap port scan, DNS enumeration, banner grabbing β€” direct contact.

3

Scanning & Enumeration

Nmap (ports/services), Nessus (vulnerabilities), Nikto (web), dirsearch (web directories), Enum4linux (SMB).

4

Exploitation

Metasploit, manual exploits, custom payloads. Goal: confirm exploitability and demonstrate initial access or impact.

5

Post-Exploitation

Lateral movement, privilege escalation, persistence, data exfiltration proof. Shows true blast radius β€” not just "can we get in" but "what can we do after."

6

Reporting

Executive summary (risk + business impact) + technical findings (CVSS scores, proof-of-exploit, remediation steps). Dual-audience: CISO and engineers.

7

Remediation + Retesting

Fix all findings. Retest to confirm closure. BSP requires closure evidence (written confirmation from pen test firm) for regulatory sign-off.

Rules of Engagement (RoE)

Formal document signed BEFORE testing begins. Defines what is and isn't allowed during the engagement.

RoE Must Cover

  • β€’ Scope definition: exact IPs, domains, APIs in-scope vs out-of-scope
  • β€’ Prohibited actions: no DoS, no data destruction, no SE without authorization
  • β€’ Testing time window: avoid peak hours for production systems
  • β€’ Emergency stop contacts: who to call if something breaks
  • β€’ Data handling: how captured data is stored and destroyed post-engagement

Red / Blue / Purple Teams

  • Red: Offensive. Simulates a full adversary campaign (weeks/months). Tests stealth, persistence, all kill chain phases.
  • Blue: Defensive. Detects and responds. Operates SOC, SIEM, incident response.
  • Purple: Red and Blue work together β€” Red attacks, Blue observes. Knowledge transfer improves both sides.

Key Terms

Pen Test Black Box Gray Box White Box Rules of Engagement Reconnaissance Exploitation Post-Exploitation Red Team Blue Team Purple Team OSINT
Exam Tips
  1. WRITTEN AUTHORIZATION required before any pen test β€” without it, testing is illegal (Computer Fraud and Abuse Act). Verbal okay is not sufficient.
  2. Gray box = most common in real world β€” balances realism and thoroughness; best ROI for time invested.
  3. Red team β‰  pen test β€” red team simulates full adversary campaign (weeks/months); pen test is time-boxed (days/weeks, specific scope).
  4. Rules of Engagement must be signed BEFORE testing starts β€” no exceptions.
  5. Post-exploitation shows TRUE impact β€” not just "can we get in" but "what can we do after initial access" (lateral movement, data exfiltration).
Work Application β€” BSP VAPT for Partner E

Recommended test type: Gray box β€” provide architecture docs, API specs, and test credentials. Testers can be more efficient while remaining realistic. BSP doesn't prescribe the box type, so gray box maximizes coverage per testing hour.

Pre-test checklist:

  1. Written authorization signed by CISO/CTO before tester touches anything
  2. Scope defined: Partner E APIs, mobile app, Card Processor integration β€” explicitly exclude Bank A systems (out of scope)
  3. RoE: no DoS attacks, no accessing real customer data, testing window 9am–5pm PHT only
  4. NPC compliance: no actual customer PII to be captured by pen test firm β€” use synthetic test accounts only
  5. Retesting explicitly included in scope after remediation β€” get written closure attestation

Practice Quiz

Q1. A penetration tester receives verbal approval from the CISO over a phone call and begins port scanning production servers. What is the legal status of this activity?

β–Ό Reveal Answer
The testing is potentially illegal β€” verbal authorization is not sufficient. Written authorization (signed Rules of Engagement) is legally required before any penetration testing activity, including reconnaissance and port scanning.
Under laws like the US CFAA (Computer Fraud and Abuse Act) and equivalent laws in PH/VN, unauthorized access to computer systems is illegal β€” even if you believe you have permission. Only signed written authorization provides legal protection for both the tester and the organization. The tester should stop immediately, obtain a signed RoE, and only then begin. "Verbal okay" from even the highest authority provides no legal protection.

Q2. For BSP regulatory compliance in the Philippines, which pen test type (black/gray/white box) provides the best coverage for an audit requirement?

β–Ό Reveal Answer
White box provides the most thorough coverage for compliance. For regulatory audit purposes, you want to confirm that all known attack surfaces have been tested. Gray box is the most common practical choice that BSP typically accepts.
The exam distinction: "most realistic" = black box (simulates an external attacker who knows nothing). "Most thorough for compliance" = white box (ensures no stone is left unturned). For BSP VAPT: white box is ideal but gray box is typically accepted and has better ROI. The CISSP exam answer for "best for compliance audit" is white box. The practical answer for "best balance" is gray box.

Q3. How long does a red team engagement typically run compared to a penetration test, and what does a red team test that a pen test typically doesn't?

β–Ό Reveal Answer
Red team: weeks to months (simulates a persistent adversary across the full kill chain). Pen test: days to a few weeks (time-boxed, specific scope). A red team tests whether your Blue team (SOC/IR) can detect and respond to an active, stealthy adversary β€” a pen test focuses on finding and exploiting vulnerabilities, not testing detection capability.
Red team = simulates an APT (Advanced Persistent Threat) actor operating over an extended period. They test stealth (can they remain undetected?), persistence (can they maintain access?), and the Blue team's detection and response capability. Pen test = can we exploit these specific vulnerabilities? The key difference: pen test answers "are we vulnerable?" Red team answers "would we catch an attacker exploiting our vulnerabilities?"

Q4. What must be defined in Rules of Engagement before a pen test of Partner E begins?

β–Ό Reveal Answer
Scope (which systems/APIs are in-scope vs out-of-scope), prohibited actions (no DoS, no accessing real customer data), testing time window (business hours vs off-hours), emergency stop contacts (who to call if something breaks), and data handling (how captured data is stored and destroyed post-engagement).
The RoE is a contract that protects both the organization and the testers. Without clear scope, testers might accidentally test a third-party system (e.g., Bank A's infrastructure) causing legal liability. Without prohibited actions, a tester might accidentally take down production. Without emergency contacts, a legitimate production issue during testing could be ignored. Without data handling rules, captured customer PII becomes a compliance incident.

Q5. During post-exploitation of Platform C, a tester achieves initial access via a compromised engineer's credentials, then escalates to an admin role and accesses loan records from all lenders. What does this phase demonstrate beyond the initial access?

β–Ό Reveal Answer
Post-exploitation demonstrates the true blast radius β€” that a single compromised engineer account leads not just to entry, but to privilege escalation and cross-tenant data exposure across all lenders. This proves the business impact (mass PII exposure, regulatory violation) that makes the initial vulnerability critical rather than just theoretical.
Initial exploitation proves "we can get in." Post-exploitation proves "getting in means getting everything." For management reporting, the difference is critical: a "low-risk" entry point that leads to full database access is actually a Critical finding. Post-exploitation findings drive the severity rating in the final report and the urgency of remediation. This is why pen tests that stop after initial access are less valuable than those that continue to demonstrate the full attack chain.
← Lesson 1: Vulnerability Assessment Lesson 3: OWASP Top 10 β†’