Among the 20-year-old arguments we still haven't resolved in infosec is this one. Part of the inconclusiveness is that both sides of the argument are right, depending on unspoken premises. We all assume your premises are the same as mine.
Some organizations haven't yet gotten the basics down. They need pentests doing the basics. Other organizations have solved what hackers did yesterday and want pentesters doing things that hackers will do tomorrow.
The underlying thread brings up a slightly different topic. Defenders are treated worse than dogs. I'm referring to sniffer dogs in airports that search bags for drugs and bombs. The dogs become bored and disillusioned unless they are occasionally given successes.
You need to regularly give sniffer dogs a bag containing explosive materials or drugs. Likewise, you need to feed defensive teams random pentesters whom they can catch.
But while organizations need practice at what they are designed to do, they also need pentesters thinking outside the box doing oddball things that challenge their preconceptions.
Too often pentester contracts are designed to limit the pentester to doing only the things the organization knows they can defend against. Orgs need unrestricted pentests where the pentesters are allowed to do anything.
I don't want to attack your main web server. I want to attack that server somebody in IT set up for retirees, which is not strictly part of the company, yet (once popped) has access to the internal corporate network.
Adversaries like Anonymous or the GRU are often found having used the simplest of techniques, like SQL injection or phishing. The lesson many take from this is that they only need to defend against such simple techniques.
In truth, they could do more -- but the simplest techniques worked. In other words, this reflects the maturity of the defenders more than the maturity of the attackers. If suddenly everyone fixed phishing, such hackers wouldn't go away, they'd simply get more advanced.
We hear about Anonymous and GRU hacks that used simple techniques like SQL injection and phishing. We don't hear about NSA hacks. It doesn't mean the NSA isn't hacking, it means we don't hear about it.
Anyway, the point of this thread is that we've been debating for 20 years what a "pentest" ought to do, and we still haven't come to consensus on this. I don't suppose we ever will.
Thread by Robᵉʳᵗ Graham