The Evolution of Penetration Testing

Evolution

Last week GNUCITIZEN posted an article entitled “Tiger Team Operations vs. Penetration Testing”. I personally feel this is a spot-on article and a must read for anyone involved in either tiger team operations or penetration testing. The article focused on three areas in regards to these two types of assessments: quality, pricing and time frames. While these three areas are quite different when comparing a tiger team operation with a penetration test, I see something more when it comes to penetration testing. I see the penetration test as we know it eventually evolving into tiger team operations.

While we will always need to conduct traditional network and web application penetration tests, clients and employers are asking us to conduct more “unique” assessments. These unique types of assessments include things like social engineering, client-side phishing, physical security reviews, user security awareness, or testing the overall security of a specific facility or business unit. These unique individual assessments are addressing the changing threat landscape and new ways information systems and people are being exploited.

A tiger team can address many of these different types in one unique assessment of its own (including network and web application penetration testing when appropriate). Keep in mind, a tiger team operation is very different than a penetration test in terms of quality and quantity, as GNUCITIZEN mentions. A tiger team requires multiple unique skill sets (for example a physical security specialist) and always requires multiple high performance team members. Let’s also not forget about timing and preparation. A tiger team operation and a penetration test should always be conducted unannounced, and to conduct the operation properly the team must be held to strict confidentiality. In regards to preparation, a tiger team operation may take many weeks and/or months to prepare. Why so long? The longer the preparation time (meaning the reconnaissance phase), the closer you will get to simulating an actual attack on the targets selected. The real bad guys who want to do harm to your organization have the advantage of time…a tiger team must try to replicate this as closely as possible. There may also be variations of a tiger team operation. Some methods may or may not need to be used depending on the scope and the target(s).

I am currently putting together a presentation for a conference later this year on how tiger team assessments work in a large corporate environment and how you can take these same concepts and use them either with an internal penetration testing program or for clients. More on this in the coming weeks. In the meantime, if you want to know what a tiger team operation/assessment is like…I recommend you check out the Tiger Team series that was on TruTV last year. You can find torrents and also view one of the episodes on the TruTV web site.

3 thoughts on “The Evolution of Penetration Testing”

  1. yeah but the last thing we need is those average pentesters now doing physical security assessments too!

  2. I totally agree with your comment. One of the points that I want to make clear is that anyone doing physical security assessments (or any assessment for that matter) needs to be qualified (by qualified I mean that they need to have previous experience) to do the job. One of the interesting things I have seen in the corporate world is when an average pentester becomes a super star with physical security and/or social engineering assessments after some mentoring and training. While network pentesting wasn’t the best fit for them, physical security ended up being the right fit. Interestingly enough, most pentesters make good physical security assessors with the right training…funny how the opposite is not true…physical security people generally don’t make good pentesters. Nor do we want them to be! 🙂

  3. ASIS International is a great organization for those interested in learning more about physical security. Also, the ASIS Physical Security Professional (PSP) certification is a good cert to gain a foundation in physical security assessments.

    Cheers,
    Matt
