Towards a Penetration Testing Framework Using Attack Patterns
The problems of system security are well known, but no satisfactory methods to resolve them have ever been discovered. One heuristic method is the penetration test, with the rationale of finding system flaws before malicious attackers do. However, this is a craft-based discipline without an adequate theoretical or empirical basis for justifying its activities and results. We show that both the automated-tool and skill-based methods of pen testing are unsatisfactory, because we need to provide understandable evidence to clients about their weaknesses and offer actionable plans to fix the critical ones. We use attack patterns to help develop a pen-testing framework that avoids the limitations of current approaches.