What Is NIST Special Publication 800-115 and What Does it Say About Penetration Testing?


As technology advances, the need for effective cybersecurity measures becomes increasingly important. The necessity for regular testing, including penetration testing, has raised awareness of best practices and standards for such assessments.

The National Institute of Standards and Technology (NIST) has developed comprehensive guidelines and standards to help organizations safeguard their information systems from cyber threats. Among these guidelines is NIST 800-115, a guide for conducting penetration testing on information systems.

This article will explore the fundamental principles of NIST 800-115 and the benefits of conducting penetration testing according to its guidelines. We will also discuss how organizations can use the information gathered from penetration testing to improve their cybersecurity. Organizations can better protect their systems and data from cyber threats by following the recommendations outlined in this guide.


What Is Penetration Testing?

Penetration testing is a process in which security professionals attempt to breach an organization’s network, systems, or applications, simulating a real attack in order to identify vulnerabilities and weaknesses that malicious attackers could exploit. NIST 800-115 guides the planning, execution, and reporting of penetration testing so that organizations can identify and address those weaknesses.

It’s important to note that the techniques and tools employed during a penetration test may vary depending on the scope, objectives, and target environment. A skilled penetration tester will continually adapt their approach to the specific needs and context of the tested organization.


What Is NIST Special Publication 800-115?


NIST 800-115, titled “Technical Guide to Information Security Testing and Assessment,” is a publication developed to provide guidelines and recommendations for conducting information security assessments to evaluate the security posture of information systems and networks.

NIST 800-115 is aimed at assisting organizations in understanding the various types of security assessments, selecting the appropriate assessment techniques, and designing comprehensive assessment programs. The guidelines can be applied to multiple organizations, including federal agencies, private sector organizations, and educational institutions.

The guide covers several key areas, such as:

  • Overview of Security Testing and Assessment: This section introduces the fundamental concepts, goals, and benefits of security testing and assessment, including the differences between testing, inspection, and auditing. An important point here is the development of assessment methodologies that keep assessments consistent across different systems, applications, networks, policies, and other infrastructure components. Finally, this section outlines how a methodology determines the way test results are compared, how recommendations are made, and when overt versus covert testing is appropriate and what each offers.
  • Review Techniques: Review techniques are passive assessments of systems. They can include reviews of documentation (covering security systems, network systems, or other IT infrastructure), audit logs, rulesets for identity and authentication systems, system configurations, and network traffic.
  • Target Identification and Analysis Techniques: Simply put, security testing should be able to identify live, active devices on a network, including their open ports, host identifiers, and the services they run. These analyses should identify potential vulnerabilities through network and network-device discovery, service identification, wireless network discovery, Bluetooth scanning, and device location services, and can include mobile, Bluetooth, wireless, and wired vulnerability scans.
  • Target Vulnerability Validation Techniques: Security analysis should exploit uncovered vulnerabilities to the extent needed to confirm them and, where possible, identify cascading vulnerabilities that such exploitation exposes. These tests can include password-cracking techniques (brute force, dictionary, rainbow tables, etc.).

Assessments should also include penetration testing that models real-world attack patterns, attacker sophistication, and countermeasures, and such testing should include extensive social engineering.
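The ruleset review named under Review Techniques above is the kind of passive check that can be partly automated. The following script is an added example, not code from the article or from NIST: it assumes a simple rule format, first-match semantics, and three checks a reviewer would typically raise (over-permissive allow rules, rules with no documented purpose, and rules shadowed by an earlier rule so that they never match).

```python
"""Ruleset review helper (added example for NIST SP 800-115 'review techniques'); the rule
format, the checks and first-match semantics are assumptions, not from the page or NIST."""
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "allow" or "deny"
    src: str           # CIDR or "any"
    dst: str           # CIDR or "any"
    ports: frozenset   # destination ports; empty means any port
    purpose: str = ""  # documented reason for the rule

def _covers(outer, inner):
    """True if address spec outer contains inner ("any" contains everything)."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(outer, strict=False).supernet_of(ip_network(inner, strict=False))

def _ports_cover(outer, inner):
    return not outer or (bool(inner) and inner <= outer)

def review(rules):
    """Return (rule name, finding) pairs a reviewer should raise."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and r.src == "any" and not r.ports:
            where = "any destination" if r.dst == "any" else "every port on " + r.dst
            findings.append((r.name, f"allows any source to reach {where}"))
        if not r.purpose.strip():
            findings.append((r.name, "no documented purpose"))
        for earlier in rules[:i]:  # first-match: an earlier superset rule shadows this one
            if (_covers(earlier.src, r.src) and _covers(earlier.dst, r.dst)
                    and _ports_cover(earlier.ports, r.ports)):
                findings.append((r.name, f"shadowed by earlier rule {earlier.name}; never matches"))
                break
    return findings

# Constructed sample ruleset, not from any real firewall.
SAMPLE_RULES = [
    Rule("web-in", "allow", "any", "10.0.1.0/24", frozenset({80, 443}), "public web tier"),
    Rule("mgmt-ssh", "allow", "10.0.9.0/24", "10.0.1.0/24", frozenset({22}), "admin jump host"),
    Rule("legacy-any", "allow", "any", "any", frozenset(), ""),
    Rule("db-in", "allow", "10.0.1.0/24", "10.0.2.0/24", frozenset({5432}), "web to db"),
    Rule("partner-http", "allow", "203.0.113.0/24", "10.0.1.0/24", frozenset({80}), "partner"),
    Rule("default-deny", "deny", "any", "any", frozenset(), "catch-all"),
]
```

On the sample, the undocumented any-to-any rule is flagged both on its own and because it shadows the final default-deny, which is the finding a reviewer most needs to see.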


Penetration Testing

The guide’s penetration testing section provides an extensive breakdown of appropriate techniques. Generally speaking, most penetration tests include the following basic stages:

  • Reconnaissance: This initial phase involves gathering information about the target organization, its infrastructure, and potential vulnerabilities.
  • Scanning: In this phase, security professionals use automated tools and scanners to identify open ports, services, and potential vulnerabilities in the target system.
  • Exploitation: Once vulnerabilities have been identified, penetration testers exploit them to gain access to the target system. This can include technical attacks or social engineering. After gaining initial access, penetration testers often attempt to elevate their privileges within the target system to gain greater control and access to more sensitive resources.
  • Lateral Movement: Once inside the network or system, testers may try to move laterally across the infrastructure to access other systems and resources through techniques like network scanning or privilege escalation.
  • Data Exfiltration: In this phase, testers simulate the extraction of sensitive information from the target system to demonstrate the potential impact of a successful breach.
  • Cleanup and Reporting: After completing the penetration test, testers will remove any traces of their activities, restore systems to their original state, and prepare a detailed report outlining the vulnerabilities discovered, exploitation methods used, and recommendations for remediation.

Accordingly, NIST 800-115 sets out specific penetration testing requirements, broken down into the following sections.

A penetration test should include the following phases:

  • Planning
  • Discovery
  • Attack
  • Reporting

Like many software development cycles, this phase schedule is circular: further attacks lead to further discovery and reporting.

Discovery techniques can include information gathering, scanning, surveillance, and the like, together with standard vulnerability analysis.

Furthermore, the attack phase should include several complementary components:

  • Gaining access to the system using information gathered during the discovery phase. Several avenues must be considered, including kernel flaws, buffer overflows, validation issues, and misconfigurations.
  • Escalating privileges based on the credentials compromised while gaining access.
  • Browsing the system to gather further information that can lead to lateral movement or additional privilege escalation.
  • Installing malware and other tools to exploit the system.


The tester must consider scenarios that exploit defects in the target system, including both insider and outsider scenarios, to model the associated threats. The scenarios launched must represent realistic threats that resemble the organization and its infrastructure, including IT systems, network systems, and vulnerabilities arising from different types of system access.


Social Engineering

Penetration testing should include, where relevant, the use of social engineering (email phishing, vishing, spear phishing, etc.) targeting high-value individuals who could compromise key system assets. Most importantly, the pen test should not be used as a punitive measure against anyone who falls for an attack. Instead, it should serve as a learning tool to train existing personnel.


Trust Lazarus Alliance, a NIST 800-115 Accredited Penetration Tester

Trusting reliable and accredited partners for proper penetration testing is the only best practice. Whether it’s social engineering, code and API vulnerabilities, identity and access management security, or network protection flaws, we have the credentials, expertise, and track record to ensure your pen test is thorough and effective.

Are you ready to take control of your cybersecurity? Contact Lazarus Alliance.
