A penetration test is a set of risk assessment methodologies in which the “penetration testers” or auditors assume the place of an attacker in order to examine the security controls in place in an infrastructure of networked computers and applications. Typically, the penetration tester will mimic a specific profile of an attacker, which can be a disgruntled employee in a given area of an organization, an external “script kiddie,” or a corporate spy. The result of the penetration test is generally a report that includes the list of threats that this profile of an attacker could exercise. For example, a disgruntled employee in accounting may be able to steal the client and credit card database, a corporate spy may be able to access secret Intellectual Property, and a “script kiddie” may compromise the machines of all the cashiers of a retail business and render them unavailable.
The last ten (10) years have witnessed the development of a new kind of information security tool: the Penetration Testing Framework. These tools facilitate the work of penetration testers on networked computers and applications, and make the security assessment more accessible to non-experts. The main difference between these tools and network security scanners is that Penetration Testing Frameworks have the ability to exploit vulnerabilities, and help to expose risk by assessing the complete attack path an attacker would take, whereas scanners simply look for evidence of vulnerabilities.
Penetration tests involve successive phases of information gathering, where the penetration testing framework helps the user to gather information about the networked computers and applications under attack (available hosts, their operating systems, open ports, and the services running on them). Penetration tests also involve exploiting, where the user actively tries to leverage vulnerabilities present on specific assets in the network and gain unwarranted access to them. When this leverage is through an exploit launched against a vulnerable machine and the exploit is successful, the machine becomes compromised and can be used to perform further information gathering, or can be used to launch subsequent attacks. This shift in the source of the attacker's actions is called pivoting. Other forms of leveraging vulnerabilities include, but are not limited to, exploitation of application vulnerabilities and gaining non-authorized access to Wi-Fi communication channels or other types of assets.
Newly compromised machines or applications can serve as the source for subsequent information gathering. This new information might reveal previously unknown vulnerabilities. As a result, the phases of information gathering and exploiting usually follow one another in alternation.
As penetration testing frameworks have evolved they have become more complex, covering new attack vectors and shipping increasing numbers of exploits and information gathering modules. With this growth, successfully controlling the Penetration Testing Framework has become a complex task for all of its users.
Computer attacks are the object of study of computer scientists and computer security professionals. The threats or potential attacks underlying a target network can be described through attack graphs, which are modeling tools used in these studies. In particular, attack graphs can be used to model an attack before executing it, or during its execution in order to analyze the next possible steps.
There are many ways to model an attack through attack graphs. To define one such model, one needs to define “nodes” and “edges”. In one possible way to model attack graphs, nodes identify a state of the attack, while edges represent individual actions in the attack. Generally speaking, the state is defined by the knowledge that the attacker has gained so far about the network—from the start of the attack until the action (edge) preceding this node. An action is a single step taken by the attacker; for example, using a penetration testing module to gain information regarding a given asset or to compromise an asset. In attack graphs, an attack path is a sequence of actions in which the preconditions of each action are guaranteed by the previous actions and the last action achieves the goal.
Most studies of attack graphs require having the complete attack graph in memory for its study. Unfortunately, most, if not all, attack graph models make it impossible to do this, since one can only hold in storage attack graphs of small networks, for example with fewer than twenty (20) hosts. In medium-sized networks, building complete attack graphs quickly becomes unfeasible since the size of the attack graph (and hence the memory required to store it) increases exponentially with the number of machines and available actions.
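The following added example (not part of the original text) makes the state-and-action model concrete: a state is the set of facts the attacker knows, an action has preconditions and effects, and an attack path is found by breadth-first search over knowledge states. The host names, fact names and the two toy topologies are constructed for illustration; the second topology shows why enumerating the full graph grows exponentially with the number of hosts.

```python
from collections import deque

# Constructed model for illustration: an action is (name, preconditions, effects);
# a state is the frozenset of facts the attacker knows so far.

def chain(hosts):
    """Constructed topology: each host becomes reachable only once its predecessor is compromised."""
    acts = []
    for i, h in enumerate(hosts):
        scan_pre = {f"reach({h})"} | ({f"shell({hosts[i - 1]})"} if i else set())
        acts.append((f"scan({h})", scan_pre, {f"os({h})", f"ports({h})"}))
        gained = {f"shell({h})"} | ({f"reach({hosts[i + 1]})"} if i + 1 < len(hosts) else set())
        acts.append((f"compromise({h})", {f"os({h})", f"ports({h})"}, gained))
    return acts

def flat(hosts):
    """Constructed topology: every host is reachable from the start and independent of the others."""
    return [a for h in hosts for a in (
        (f"scan({h})", {f"reach({h})"}, {f"os({h})", f"ports({h})"}),
        (f"compromise({h})", {f"os({h})", f"ports({h})"}, {f"shell({h})"}))]

def explore(start, actions, goal=None):
    """Breadth-first search over attacker knowledge states.
    Returns (shortest action sequence reaching `goal`, number of distinct states generated).
    With goal=None the whole reachable attack graph is enumerated."""
    start = frozenset(start)
    seen, queue = {start}, deque([(start, [])])
    while queue:
        state, path = queue.popleft()
        if goal is not None and goal in state:
            return path, len(seen)
        for name, pre, eff in actions:
            if pre <= state and not eff <= state:  # preconditions met and not a no-op
                nxt = state | eff
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [name]))
    return None, len(seen)

if __name__ == "__main__":
    hosts = ["web", "app", "db"]
    path, n = explore({"reach(web)"}, chain(hosts), goal="shell(db)")
    print("chain attack path:", path, "| states generated:", n)   # 6 actions, 7 states
    for k in range(1, 6):
        hs = [f"h{i}" for i in range(k)]
        n = explore({f"reach({h})" for h in hs}, flat(hs))[1]
        print(k, "independent hosts ->", n, "states")              # grows as 3**k
```

In the chain every state has a single applicable action, so the graph is linear in the number of hosts; with independent hosts each host is unscanned, scanned or compromised, so the number of states is 3 to the power of the host count.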
Thus, a heretofore unaddressed need exists in the industry to address the aforementioned deficiencies and inadequacies.