Penetration Testing Techniques - DREAD Methodology

October 16, 2013

This week's Whiteboard Wednesday is on DREAD as a reporting methodology as it pertains to penetration testing. Rene Aguero, Senior Sales Engineer for Rapid7, will dive into DREAD and why he thinks that every pen tester should use DREAD as a reporting methodology when pen testing. Check out the video to learn more!

Video Transcript

Hi, my name is Rene Aguero and I'm an SE here at Rapid7. Today's Whiteboard Wednesday is going to be covering the DREAD Methodology, as it pertains particularly to a penetration test. Now, the word penetration test gets thrown around quite a bit and really, when you're doing a penetration test, you want to make sure that you're getting most of the work in the realm of it being manual tools, using things that are very specific or even to the point where they're surgical.


There is going to be a percentage of the penetration test that's going to come from some automatic tools, but you want that percentage to be about 10 to 15% automatic tools and about 85 to 90% manual tools. As you start to get those findings, "Okay, I was able to compromise this host and I pulled out this type of information," you need a good way to really go out there and score these findings.

That's where the DREAD Methodology really comes into play. So, really what we're going to be talking about when we have a finding is what's the damage potential. How much damage could this cause the organization? A good pen tester will sit down and say, "Hey, I found this. How could this impact your organization or your IT department or your security team in a negative way?"

Another really big part of this would be reproducibility. Can I just go out there and reproduce this? Can somebody with not that much skill, like your average everyday common hacker, go out there and exploit this? Exploitability. So, are there exploits readily available that I can use? Go out there, get a session onto a system and then pivot out.

How many different users in the organization are going to be affected if this type of breach, this type of compromise, were to happen? Finally, is this something that would completely fly under the radar and be totally stealthy, or would you be able to quickly discover this? So, you want to be able to cross-reference all this information on each one of the findings.

Lastly, another thing that I really recommend on a penetration test is making sure that you have some element of knowledge transfer. There are some pen tests that, when they happen, are going to give you a lot of different results, and you come back and say, "Well, this is great. How did you actually find it?" Many times a pen tester thinks that they're holding some type of secret sauce that they don't want to share with you.

They might say things like, "We use convoluted methods." Really, so that you're getting the most value possible out of the pen test, they should be sharing: "You know what, I used this particular tool. I ran this command. This is how I did it, so that if you want to do it again you can go out there and do it."

The goal is not to turn you into a pen tester, just to have a certain layer of transparency as to how this information was compromised. You can go out there and reproduce it on your own. So, that really covers what a good pen test is, the DREAD Methodology, and how to really get the most value out of the work that's being performed in your environment.

Thanks for tuning in to this week's Whiteboard Wednesday. If you have any questions feel free to reach out to the folks here at Rapid7.
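The following is an added worked example, not code from the video or from Rapid7, showing how the five DREAD questions from the transcript (damage potential, reproducibility, exploitability, affected users, discoverability) turn into a ranked findings report, with the knowledge-transfer steps the transcript asks for attached to each finding. The 1-10 rating per category, averaging the five into one score, and the severity thresholds are the usual DREAD convention and are assumptions here (the video gives no numbers); the sample findings, hosts and ratings are constructed for illustration.

```python
"""DREAD scoring for penetration-test findings (added example, not Rapid7 code).

Each finding is rated 1-10 on the five DREAD questions from the transcript
(damage, reproducibility, exploitability, affected users, discoverability)
and the overall score is the mean of the five.  The 1-10 scale, the averaging
and the severity thresholds are assumptions for this example; the sample
findings are constructed, not real test results.
"""
from dataclasses import dataclass, field
from typing import List

DREAD_FIELDS = ("damage", "reproducibility", "exploitability",
                "affected_users", "discoverability")


@dataclass
class Finding:
    title: str
    damage: int            # how much harm a successful attack does
    reproducibility: int   # how reliably the attack works again
    exploitability: int    # how little skill/tooling the attacker needs
    affected_users: int    # how many users/hosts are hit
    discoverability: int   # how easily the issue is found
    # Knowledge-transfer notes: the tool and command used, so the client can repeat it.
    reproduction: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject ratings outside the assumed 1..10 scale before they skew the report.
        for name in DREAD_FIELDS:
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 10:
                raise ValueError(f"{self.title}: {name} must be an int in 1..10, got {value!r}")

    def dread_score(self) -> float:
        return sum(getattr(self, name) for name in DREAD_FIELDS) / len(DREAD_FIELDS)

    def severity(self) -> str:
        # Assumed thresholds; align them with the client's own risk policy.
        score = self.dread_score()
        if score >= 8.0:
            return "Critical"
        if score >= 6.0:
            return "High"
        if score >= 4.0:
            return "Medium"
        return "Low"


def rank_findings(findings: List[Finding]) -> List[Finding]:
    """Highest DREAD score first, so the report leads with what matters most."""
    return sorted(findings, key=lambda f: f.dread_score(), reverse=True)


def render_report(findings: List[Finding]) -> str:
    """Plain-text report: a score table, then the reproduction steps per finding."""
    lines = [f"{'Score':>5}  {'Severity':<8}  {'D':>2} {'R':>2} {'E':>2} {'A':>2} {'D':>2}  Finding"]
    ranked = rank_findings(findings)
    for f in ranked:
        lines.append(
            f"{f.dread_score():>5.1f}  {f.severity():<8}  "
            f"{f.damage:>2} {f.reproducibility:>2} {f.exploitability:>2} "
            f"{f.affected_users:>2} {f.discoverability:>2}  {f.title}"
        )
    lines.append("")
    for f in ranked:
        lines.append(f"## {f.title}")
        for step in f.reproduction:
            lines.append(f"  - {step}")
    return "\n".join(lines)


# Constructed sample findings (hypothetical ratings and reproduction steps).
SAMPLE_FINDINGS = [
    Finding("Default credentials on internal admin console", 9, 10, 10, 8, 7,
            ["Browse to the console login page on the internal host",
             "Log in with the vendor's documented default username and password",
             "Confirm administrative access to user management"]),
    Finding("Reflected cross-site scripting in search parameter", 5, 9, 7, 4, 8,
            ["Submit a search with a script payload in the query parameter",
             "Observe the payload echoed unencoded in the response body"]),
    Finding("Verbose error page reveals framework version", 2, 10, 3, 2, 9,
            ["Request a non-existent path and read the stack trace"]),
]

if __name__ == "__main__":
    print(render_report(SAMPLE_FINDINGS))
```

Run it as a script to print the ranked table followed by each finding's reproduction steps; the validation in `__post_init__` is there so a finding with a typo in its ratings fails loudly instead of quietly sinking down the ranking.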