Thinking Inside the Box: Black vs. Gray vs. White
With cybersecurity all over the news and breaches becoming a commonplace occurrence, its important for technology professionals to be well-versed in all aspects of cybersecurity. It is obviously important to cybersecurity technology professionals to understand all aspects of security, but every IT worker needs to understand at least some aspects of information security.
For this article, we will dive into a sometimes overlooked aspect of intrusion prevention: penetration testing. What is penetration testing, and what does a tester learn from white, gray, and black box testing? What type of cybersecurity expertise is required to perform these tests? Also, even bystanders to these tests need to have at least some degree of security expertise.
I've written about quite a few different types of "tests" in my time, especially certification exams. A penetration test is a different animal: a simulated cyberattack on one system, or even across an entire networks. A company seeking a test typically hires an outside firm to attempt to break into its network, application, or sometimes even into the company itself.
While the stages of a penetration test are fairly widely understood — planning, scanning, gaining access, maintaining access and analysis — the methods are sometimes unknown to people outside of the cybersecurity realm. These methods — white, gray, and black box — determine the way the test is conducted and, oftentimes, to what degree the company that hired the test opens the door.
Penetration in Stages
The first stage of a test is planning, which involves defining the scope and goals of a test, including the systems to be addressed and the testing methods to be used. This is a collaboration between the organization being tested and the group performing the test. The testers gather intelligence about the company network, including its potential vulnerabilities. And the client becomes the target.
The next stage is scanning, where the testers attempt to understand how the target application will respond to various intrusions. Some testers run code against firewalls, or look into other possibilities, such as walking into the client's main building dressed, say, as a UPS driver.
The next stage is gaining access, where the testers use a cross-site script or SQL injection to break into the network, and install various backdoors. The testing team actually exploits the vulnerabilities that it mapped out in the first stage to steal data (in a sanctioned manner that causes no lasting damage). This stage is where the testers really understand what they are capable of doing.
The final goal of any penetration test is to maintain access, to really set up shop. A persistent presence is really needed to steal any organization's most sensitive data. This leads into the final stage: analysis. The testers prepare a report that digs in and provides details of the penetration test, including how and where the system was compromised, along with recommendations for improvement in those areas.
Now that we have laid out the stages in a penetration test, we will discuss the methods in which the test can be carried out. These three methods, as mentioned earlier, are white box, gray box, and black box. These methods have to do with the "box" that is drawn around the test.
That is to say: How much data is given to the tester, or testing team, before the actual test is carried out. These testing styles have a huge influence on whether there is a successful breach and sustained hack. In a broad sense, the testing style determines how much insight into the target the penetration tester(s) will have going in.
First, lets start with the white box. This approach gives a high degree of advantage to the tester or testing team, while saving money for the company hiring the test. White box penetration testing — sometimes also called "crystal" or "oblique" box — involves sharing full network and system information with the tester or testing team.
This includes network maps, credentials, and even passcodes to buildings. This helps save time and reduces the overall cost of an engagement, since the longest step in hacking a location is to gain access. A white box penetration test is useful for simulating a targeted attack on a specific system utilizing as many attack vectors as possible.
In gray and black box scenarios, as you may have guessed, the attackers receive less and less information. I recently participated in a white box test where the "keys to the kingdom" were given to the testing firm and they logged on to the application and "hammered" in with a password cracking, a cross-script test, and a SQL injection.
The testers didn't need to spend gaining network access, and in turn devoted more time to the actual application testing. This is why, in the real world, the white box testing is well suited for application testing.
Next, we have gray box testing, which involves a lower level of knowledge provided to the tester(s). In a gray box penetration test, also known as a translucent box test, only limited information is shared with the tester. Usually this takes the form of login credentials.
Gray box testing is useful to help understand the level of access a privileged user could gain and the potential damage they could cause. For instance, if I gave you a common user's login credentials, could you become an admin? Gray box tests strike a balance between depth and efficiency and can be used to simulate either an insider threat, a good person doing bad things, or an attack that has breached the network perimeter.
In most real-world attacks, a persistent adversary will conduct reconnaissance or a scoping session on the target environment, giving them similar knowledge to an insider. Gray box testing is often favored by customers as the best balance between efficiency and authenticity, stripping out potentially time-consuming reconnaissance for the testing company.
Last is black box penetration testing. It shouldn't be hard to guess how it differs from the other two: In a black box scenario, no information is provided to the tester or testing firm at all. The pen tester in this instance follows the approach of an unprivileged attacker, from initial access and execution through to exploitation.
This approach is often seen as being the most authentic, demonstrating how an adversary with no inside knowledge would target and compromise an organization. This typically makes it the costliest option, of course, since the testing team has to completely "case" the target company.
In the real world, a company with a substantial testing budget would mostly likely choose a black box test. Most people use it when they are concerned about every attack vector. I know of a friend of mine that allowed a pen-test company to start with black box test. When, after quite some time, the testers were still on the outside looking in, he relented and turned it into a white box test.
Each of the three approaches has its merits, depending on the level of confidence a customer firm has in its existing defenses, or on how much money is available to spend on testing. Just bear in mind what every expert will tell you: No matter which scenario you start with, you should test your defenses sooner rather than later.