From Threat Models to Red Team Dimensions

“A circle of transparent humanoid wizards with electronic devices in a crystal castle, playing with neon lights.” — runway.ml T2Image prompt.

This article is a review of popular methodologies for assessing the security of IT systems and in particular, the field of Web Applications.

MAIN SCOPE
Threat Modelling, Security Audits, Vulnerability Assessment (automated and manual), Penetration Testing, Red Teaming.

There is a sequential order of methodologies, and each has varying objectives, scope, timing and team size.

THE PROGRESSION
1) THREAT MODEL (before Dev., based on need which is based on care.)
2) [DEVELOPMENT — SSDLC] (see more after conclusion)
3) SECURITY AUDIT (after Dev.)
4) VULNERABILITY ASSESSMENT (without details, low-lying fruit)
5) PENTEST (outsource after a few Vuln. Ass. iterations)
6) RED TEAM (w Blue / Purple), attempts to exploit the findings of a vulnerability scan/assessment. The objective of the outsourcing is to emulate an attacker in order to verify the effectiveness of defensive mechanisms and to chain vulnerabilities with additional elements in order to obtain the desired effect, considering MITRE ATT&CK.

TESTING
A test is an action to demonstrate that an application meets the security requirements of its stakeholders.

The testing model consists of:
Tester: Performs the testing activities.
Tools and methodology.
Application: The black box to test.

WEB APP SEC TESTING
All of the activities mentioned — threat modelling, security audits, vulnerability assessment (automated and manual), penetration testing, and red teaming — are considered forms of testing in the context of web application security. However, they differ in their specific objectives, scope, methodologies, timing and team size:

Threat Modelling: involves analyzing the architecture and design of a system to identify potential security threats and vulnerabilities. It aims to proactively identify and mitigate risks by assessing the system’s assets, potential attack vectors, and potential impacts. While it doesn’t involve hands-on testing, it plays a critical role in shaping the security measures and priorities for a web application.

• Primarily a manual process that involves identifying and analyzing potential threats to a web application. While there are some tools available to assist with specific aspects of threat modeling, such as data flow diagramming or threat library management, the overall process heavily relies on human expertise and judgment.
• Focuses on analyzing the entire web application system, including its architecture, components, data flows, and interactions. It considers potential threats, attack vectors, and vulnerabilities at each stage of the application’s lifecycle.
• Typically conducted during the early stages of the web application development lifecycle. It is an iterative process that can span from a few days to several weeks, depending on the size and complexity of the application. The time frame involves identifying assets, defining the application’s architecture, analyzing potential threats, and mitigating risks.
• Can be conducted by a small team consisting of a security architect, system architect, application developer, and a subject matter expert (SME) from the business or operations team. However, for larger and more complex applications, the team may include additional security specialists, analysts, or consultants with expertise in threat modeling.

Security Audits: Security audits are systematic assessments of an application’s security controls, policies, and processes. They evaluate whether the implemented security measures align with industry best practices, compliance requirements, and organizational policies. Security audits typically involve reviewing documentation, conducting interviews, and examining configurations and settings to identify gaps and vulnerabilities and ensure compliance with relevant security standards or frameworks.

• Can benefit from both manual and automated approaches. Automated tools can assist in scanning for known vulnerabilities, misconfigurations, and compliance violations. However, the interpretation and validation of the audit results typically require human intervention, analysis, and validation.
• Encompass a comprehensive review of the web application’s infrastructure, configurations, policies, and practices. This includes examining network architecture, server configurations, access controls, authentication mechanisms, data storage, encryption, logging, and compliance with security standards.
• Comprehensive assessments that typically span several weeks to months. The time frame depends on the size of the web application, the depth of the audit, and the availability of resources. Audits involve reviewing policies, configurations, conducting interviews, examining infrastructure and code, and documenting findings.
• Typically involve a team of security professionals with expertise in different domains such as network security, application security, infrastructure security, and compliance. The team size can range from a small team of two to three individuals for smaller audits, to larger teams consisting of multiple specialists for comprehensive audits.

Vulnerability Assessment: Vulnerability assessment refers to the process of identifying and quantifying vulnerabilities in a web application. It can be performed using automated tools (scanners) or through manual testing techniques for a more in-depth analysis of the application’s code, configurations, and infrastructure to uncover complex or logic-based weaknesses. The objective is to identify known vulnerabilities, misconfigurations, or weak security controls that could be exploited by attackers. The output of a vulnerability assessment is a list of identified vulnerabilities along with their severity ratings and recommended remediation actions.

• Can be performed using a combination of automated scanning tools and manual testing techniques. Automated vulnerability scanners can efficiently identify a wide range of common vulnerabilities, while manual testing allows for in-depth analysis, verification, and identification of more complex or business logic-related vulnerabilities.
• Both automated and manual vulnerability assessments aim to identify vulnerabilities within the web application and associated components. This involves analyzing the application’s source code, APIs, databases, server configurations, and other elements to uncover common vulnerabilities such as cross-site scripting (XSS), SQL injection, insecure direct object references, and more.
• The time frame for vulnerability assessments varies based on the size and complexity of the web application. Automated vulnerability scanning can be completed within hours or days, depending on the scan depth and the number of assets. Manual vulnerability assessments may take days to weeks, depending on the extent of testing, identification of complex vulnerabilities, and verification of findings.
• For automated vulnerability assessments, a single security professional or a small team can handle the scanning and analysis of results. Manual vulnerability assessments may require a larger team, depending on the size and complexity of the web application, as well as the depth of testing required. The team may include security analysts, penetration testers, and specialists in specific areas such as code review or configuration assessment.

Penetration Testing: Penetration testing (or ethical hacking) involves actively simulating real-world attacks on a web application to identify vulnerabilities and validate the effectiveness of security measures. It combines automated scanning tools with manual testing techniques to discover and exploit vulnerabilities. The goal is to assess the security posture of the application by attempting to breach its defenses and gain unauthorized access or perform malicious activities in order to provide actionable recommendations for remediation.

• Combines both manual and automated approaches. Automated tools are used for initial reconnaissance, scanning, and vulnerability identification. However, manual testing techniques, such as targeted exploitation, privilege escalation, and proof-of-concept (POC) development, are essential to validate the identified vulnerabilities and assess the potential impact.
• Focuses on actively exploiting vulnerabilities in the web application. It simulates real-world attacks to identify weaknesses in the application’s defenses. Penetration testers attempt to gain unauthorized access, escalate privileges, manipulate data, and perform various attack scenarios to assess the effectiveness of security controls.
• The time frame for penetration testing depends on the scope, complexity, and objectives of the test. It can range from a few days for a focused test on specific functionalities to several weeks for a comprehensive assessment of the entire web application. The duration also depends on the availability of resources and the coordination required with the development team.
• The size of a penetration testing team can vary depending on the scope and objectives of the test. Typically, a team consists of two or more individuals, including experienced penetration testers, network security specialists, and application security experts. The team may also include support staff to manage logistics, documentation, and coordination with the development team.

Red Teaming: Red teaming is an advanced form of security testing that goes beyond traditional penetration testing. It involves simulating targeted attacks using a combination of technical and non-technical means, including social engineering, physical security testing, and complex attack scenarios. Red teaming focuses on assessing the overall effectiveness of an organization’s security measures, including detection and response capabilities, by emulating the tactics, techniques, and procedures (TTPs) of real adversaries. The objective is to identify potential security weaknesses that might go undetected through traditional security assessments.

• Engagements heavily rely on manual techniques and human expertise to simulate real-world attacks and test the effectiveness of an organization’s security controls. While some automated tools can aid in the reconnaissance and initial information gathering phase, the core activities of red teaming, such as social engineering, physical security testing, and complex attack simulations, require a high degree of manual involvement.
• Take a holistic approach and considers the entire web application system, including the application, infrastructure, network, people, and processes. Red teaming involves comprehensive testing to identify vulnerabilities and weaknesses that may go undetected by traditional security assessments. It often involves a combination of reconnaissance, social engineering, penetration testing, and advanced attack simulations.
• Typically long-term projects that span from weeks to months. The time frame varies based on the goals, complexity, and depth of the engagement. Red teaming involves multiple phases, including reconnaissance, planning, testing, and reporting. The duration allows for in-depth analysis, advanced attack simulations, and collaboration with the organization’s security team.
• Often involve a larger team, including specialized security professionals with diverse skills and expertise. The team may consist of penetration testers, threat intelligence analysts, social engineers, network security specialists, and application security experts. The size of the team can vary significantly depending on the complexity and duration of the engagement.

CONCLUSIONS

While these activities are all part of the broader testing process in web application security, they differ in terms of their goals, approaches, and depth of testing. Organizations often employ a combination of these activities to comprehensively assess and improve the security posture of their web applications.

These approaches examine various aspects of the web application system, including architecture, configurations, code, infrastructure, network, people, and processes, to identify vulnerabilities, weaknesses, and potential attack vectors.

Automation plays a significant role in web application security testing, but its extent varies across different activities. A Vulnerability Assessment and Security Audit is easier to automate than a Pentest or Threat Model.

It’s worth noting that while automation can enhance the efficiency and effectiveness of web application security testing, it cannot replace human intelligence, creativity, and critical thinking. Manual testing and analysis are crucial for uncovering nuanced vulnerabilities, identifying logical flaws, and providing a comprehensive understanding of the security posture of the web application. Therefore, a combination of automation and manual testing is typically employed to achieve the best results in web application security testing.

In web application security testing, the time frames for each activity can vary depending on the scope, complexity, and objectives of the testing. It’s important to note that the time frames and team sizes mentioned are general estimates and can vary based on specific project requirements, resources, and the level of detail desired in the testing activities.

MORE ABOUT SECURE PRACTICES

The following are other examples of the various approaches and methods used in security assessments. The specific combination of methods used will depend on the organization’s goals, resources, and the nature of the Web Application being assessed.

Security Code Review: Reviewing the source code of an application to identify security vulnerabilities and weaknesses.

Security Architecture Review: Evaluating the overall security architecture of a system to ensure it aligns with best practices and meets security requirements.

Security Awareness Training: Educating users and employees about security best practices, common threats, and how to protect sensitive information.

Security Incident Response: Establishing processes and procedures to detect, respond to, and mitigate security incidents and breaches.

Secure Configuration Management: Ensuring that systems and devices are properly configured with secure settings and configurations.

Compliance Assessments: Assessing systems against regulatory and industry-specific security standards to ensure compliance with relevant requirements.

Threat Intelligence Monitoring: Monitoring and analyzing emerging threats and vulnerabilities to proactively identify and address potential risks.

Security Governance and Risk Management: Implementing effective governance frameworks and risk management practices to prioritize security investments and allocate resources appropriately.

Security Operations Center (SOC) Monitoring: Deploying security monitoring tools and processes to detect and respond to security incidents in real-time.

Secure Software Development Lifecycle (SDLC): Integrating security practices throughout the software development process to identify and mitigate vulnerabilities early on.

GRATITUDE

I wrote this with the knowledge from my excellent school course instructors, such as AD from bezpiecznykod.pl, select books, some experience, my own mind-maps and ChatGPT. The bridged dimensions I wished to present are my work, as part of a deep dive into specific upcoming articles about Vulnerability Assessments through black-box Stealth Recon.