
Assignment 2 - Comparing Pentesting Methodologies

The document outlines an assignment focused on comparing various penetration testing (pentesting) methodologies, including OSSTMM, PTES, OWASP WSTG, and MITRE ATT&CK. It provides instructions for researching each methodology, detailing their purposes, structures, and key components. The assignment emphasizes the importance of using established methodologies to ensure effective and reliable penetration testing practices.

Uploaded by

Azizul Abir

Assignment 2 - Compare Pentesting Methodologies

Objectives
In this lab, you will complete the following objectives:

• Compare Various Pentesting Methodologies
• Conduct Research of Popular Pentesting Methodologies

Background / Scenario
You are conducting a penetration test for a customer. To show that your planned
methods are valid, you will use well-known and accepted pentesting methodologies.
Because there is more than one methodology to choose from, you decide to research
and compare four of the most widely used methodologies to be familiar with the
strengths of each.

Required Resources
• PC or mobile device with internet access

Instructions
Part 1: Conduct Research of Popular Pentesting Methodologies
Using your favorite search engine, conduct research on four of the most popular
pentesting methodologies:

• OSSTMM
• PTES
• OWASP WSTG
• MITRE ATT&CK

Step 1: Gather information about OSSTMM.

In this step, you will learn about the Open Source Security Testing Methodology Manual
(OSSTMM), which includes a complete methodology for security assessment.

• Navigate to [Link] click RESEARCH > OSSTMM.


• On the OSSTMM main page, view the OSSTMM document.

What is the latest version of the manual and its copyright date?
Answer: The latest version of the OSSTMM is version 3.0, and its copyright
date is 2010.

Although OSSTMM is old, it is still a good starting point for planning and conducting
security tests and audits. It is important, however, to use it in combination with more
up-to-date standards and methodologies.

What organization develops the OSSTMM? What do they do?
Answer: The OSSTMM was developed by the Institute for Security and Open
Methodologies (ISECOM), a non-profit organization that provides research and
certifications, and develops open-source security methodologies for security
testing and analysis.

What are the primary and secondary purposes of the OSSTMM as stated in the
OSSTMM publication?
Answer: The primary purpose of the OSSTMM is to provide a structured methodology
for testing and analyzing the operational security of any environment. The secondary
purpose is to provide a means of measurement that is both qualitative and quantitative,
allowing for the accurate assessment of the security state.

What six outcomes are assured when the OSSTMM guidelines are correctly followed?
Answer: The six outcomes assured when the OSSTMM guidelines are correctly followed
are:
• Operational Security Efficiency
• Transparency
• Measurement Accuracy
• Security Assurance
• Risk Reduction
• Compliance

What are the ten steps of applying the OSSTMM when the 4 Point Process and Trifecta
are combined?
Answer:
4 Point Process
• [Link] the Scope
• [Link] the Target
• [Link] the Target
• [Link] Findings
Trifecta
• [Link] Posture Evaluation
• [Link] Security Measurement
• [Link] and Validation
• [Link] and Vulnerability Analysis
• [Link] Analysis
• [Link] for Improvement

Step 2: Gather Information About PTES.

The Penetration Testing Execution Standard is a comprehensive guide to the process of
conducting penetration tests.

Navigate to [Link].

What is the latest version of the standard?


Answer Area

What are the seven main sections of the PTES?


Answer Area

What is the stated purpose of the PTES? (Hint: Look in the FAQs)
Answer Area

What document specifies tools and techniques to be used in the seven sections of the
test?
Answer Area

Step 3: Gather information about the OWASP WSTG.

The OWASP WSTG is a guide for testing the security of web applications and web
services. It is not a general guide to penetration testing. Instead, it focuses on
developing, deploying, and maintaining secure web applications.

Navigate to [Link]

What is the latest version of the WSTG standard?


Answer Area

Access the current stable version of the WSTG. What are the five phases of the Web
Security Testing Framework?
Answer Area

What is the stated purpose of the OWASP WSTG?


Answer Area

What are the twelve categories of active tests defined in the OWASP Web Testing
Framework?
Answer Area

Step 4: Gather information about MITRE ATT&CK.

MITRE ATT&CK is a detailed knowledge base of attacker tactics, techniques, and
procedures (TTP) that have been gathered from real attacks. It is not a manual or
standard regarding how to conduct penetration tests. However, penetration testers can
use it for ideas and guidance about how to exploit vulnerabilities as part of a test.

• Navigate to [Link]

What is the latest version of the ATT&CK standard?


Answer Area

Why did MITRE develop ATT&CK? (Hint: Look in the FAQs)


Answer Area

• In the page menu click Resources > General Information > ATT&CK Design
and Philosophy.
• Open and review the ATT&CK Design and Philosophy pdf.

What six common use cases for ATT&CK are described?


Answer Area

What are the three ATT&CK Technology Domains?


Answer Area

• Go to the MITRE ATT&CK Enterprise matrix by opening the Matrices menu and
choosing Enterprise.
• The matrix represents tactics as column headers with techniques arranged as
entries in each column. For information on a given technique, click its entry.
Additional information is shown on the information page. The information page
can include sub-techniques, procedures, mitigations, detection methods, and
references. Not all techniques include procedures.
• In the column for the Reconnaissance tactic, click the Gather Victim Identity
Information entry.

Review the information there.
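
The matrix layout described above (tactics as columns, techniques as entries, each linking to sub-techniques and mitigations) can also be walked programmatically, because MITRE publishes ATT&CK as STIX objects. The Python below is an added example, not part of the original assignment; the bundle is a constructed, trimmed sample, and `ref`, `attack_id` and `build_matrix` are hypothetical helper names.

```python
from collections import defaultdict

RECON = [{"kill_chain_name": "mitre-attack", "phase_name": "reconnaissance"}]

def ref(ext_id):
    return [{"source_name": "mitre-attack", "external_id": ext_id}]

# Constructed, trimmed sample shaped like an ATT&CK STIX bundle. STIX ids are
# made up; the revoked entry and its T-PLACEHOLDER id are not real ATT&CK data.
OBJECTS = [
    {"type": "attack-pattern", "id": "attack-pattern--a", "kill_chain_phases": RECON,
     "name": "Gather Victim Identity Information", "external_references": ref("T1589")},
    {"type": "attack-pattern", "id": "attack-pattern--b", "kill_chain_phases": RECON,
     "name": "Email Addresses", "x_mitre_is_subtechnique": True,
     "external_references": ref("T1589.002")},
    {"type": "attack-pattern", "id": "attack-pattern--d", "kill_chain_phases": RECON,
     "name": "Constructed revoked entry", "revoked": True,
     "external_references": ref("T-PLACEHOLDER")},
    {"type": "course-of-action", "id": "course-of-action--c", "name": "Pre-compromise",
     "external_references": ref("M1056")},
    {"type": "relationship", "relationship_type": "subtechnique-of",
     "source_ref": "attack-pattern--b", "target_ref": "attack-pattern--a"},
    {"type": "relationship", "relationship_type": "mitigates",
     "source_ref": "course-of-action--c", "target_ref": "attack-pattern--a"},
]

def attack_id(obj):
    """ATT&CK ID (T1589, M1056, ...) from the object's external references."""
    return next(r["external_id"] for r in obj["external_references"]
                if r["source_name"] == "mitre-attack")

def build_matrix(objects):
    """Return {tactic: {technique_id: {"name", "subs", "mitigations"}}}."""
    live = [o for o in objects if not (o.get("revoked") or o.get("x_mitre_deprecated"))]
    by_id = {o["id"]: o for o in live if o["type"] != "relationship"}
    links = defaultdict(lambda: defaultdict(list))  # target -> relation -> sources
    for rel in (o for o in live if o["type"] == "relationship"):
        if rel["source_ref"] in by_id and rel["target_ref"] in by_id:
            label = f'{attack_id(by_id[rel["source_ref"]])} {by_id[rel["source_ref"]]["name"]}'
            links[rel["target_ref"]][rel["relationship_type"]].append(label)
    matrix = defaultdict(dict)
    for tech in live:
        if tech["type"] != "attack-pattern" or tech.get("x_mitre_is_subtechnique"):
            continue
        cell = {"name": tech["name"], "subs": sorted(links[tech["id"]]["subtechnique-of"]),
                "mitigations": sorted(links[tech["id"]]["mitigates"])}
        for phase in tech["kill_chain_phases"]:  # a technique can sit under several tactics
            matrix[phase["phase_name"]][attack_id(tech)] = cell
    return dict(matrix)
```

Sub-techniques are folded under their parent rather than given their own cell, and revoked or deprecated objects are skipped, which mirrors how the matrix page presents the data.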

What are three sub-techniques that are provided for this technique?
Answer Area

• Select the Email Addresses sub-technique. Review the information there.


Look at the entries under Procedures.

Who is the Lazarus Group? They conducted a campaign to gather email addresses for
later attacks. How did they gather and use email addresses?
Answer Area

Reflection Questions

1. You researched four popular pentesting methodologies in this lab. Name at least two
additional pentesting methodologies that are in common use.
Answer Area

2. Why is it important to follow a recognized pentesting methodology?


Answer Area
