Vulnerability assessment versus pentest
So here we are: do we do a vulnerability assessment or a pentest?
When I talk to companies, especially management, C-level and also sales, there is always a misunderstanding about what a vulnerability scan is. It gets compared to a pentest, and therefore the expectations of what the results will be are often off. Hence a small blog about the differences.
The common ground between a pentest and a vulnerability scan is that both are methodologies to assess the security of an IT infrastructure (or OT, but that requires a different approach).
Vulnerability assessment
So first, VA (I am lazy, so from now on VA instead of vulnerability assessment or scan) is used to scan the whole network with every asset in it (read: everything with an IP address). The scanner knocks on every port to see if it is open; if so, it tries to gather information about the service running on that port and checks it against all known vulnerabilities, based on CVEs.
There is a risk in this approach: the scanner cannot tell for sure which service and version is running, so it has to guess from whatever the service discloses. A banner often gives only the major and minor version, and distributions regularly backport security fixes without raising the version number. As we all know, a guess is not a guarantee, and this leads to lots of so-called false positives.
To get a more accurate result I prefer an authenticated scan, where a service account logs on to every asset and checks the products and versions actually installed, which makes the result accurate.
Of course the tooling will produce a report with all findings in it (ranging from informational to critical). This usually means hundreds of findings per asset. To make the report worthwhile it needs proper analysis, so that you remediate the vulnerabilities that matter and do not get overwhelmed by the sheer number of results.
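The three VA steps above (match an observed service against a vulnerability table, see where banner guessing goes wrong and an authenticated check corrects it, then triage the pile of findings) as an added example that is not part of the original post. Every host, banner, version number and vulnerability ID in it is a constructed fixture; the IDs are placeholders and not real CVEs.

```python
"""Added example (not from the original post): a toy vulnerability assessment.
It shows the VA matching step (observed product/version against a CVE-style
table), the false positives that banner guessing produces, how an authenticated
check of the installed package corrects them, and a triage of the findings.
Every host, banner, version and vulnerability ID is a constructed fixture for
illustration; the IDs are placeholders, not real CVEs (assumption)."""
import re
from collections import defaultdict
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
# product name, a separator, then a dotted version: "acmeftpd 2.3" or "acmehttpd/1.8"
BANNER_RE = re.compile(r"([A-Za-z][\w-]*)[ /_]v?(\d+(?:\.\d+)*)")


def parse_version(v: str) -> tuple:
    """'2.3.7' -> (2, 3, 7); short versions are padded ('2.3' -> (2, 3, 0)) so
    comparison is numeric rather than lexical ('2.10' must beat '2.9')."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


@dataclass(frozen=True)
class Vuln:
    vuln_id: str    # placeholder identifier, not a real CVE
    product: str
    fixed_in: str   # versions strictly below this are affected
    severity: str


# Constructed vulnerability table standing in for a CVE feed (assumption).
VULN_DB = [
    Vuln("VULN-0001", "acmeftpd", "2.4.0", "critical"),
    Vuln("VULN-0002", "acmeftpd", "2.3.5", "high"),
    Vuln("VULN-0003", "acmehttpd", "1.9.0", "medium"),
]

# Constructed network: what each host shows on the wire versus what is really installed.
# "backported_fixes" models a vendor shipping a security fix without bumping the version.
INVENTORY = {
    "10.0.0.5": {"ports": {21: "220 acmeftpd 2.3 ready"},
                 "packages": {"acmeftpd": {"version": "2.3.7"}}},
    "10.0.0.6": {"ports": {80: "Server: acmehttpd/1.8"},
                 "packages": {"acmehttpd": {"version": "1.8.3", "backported_fixes": {"VULN-0003"}}}},
    "10.0.0.7": {"ports": {21: "220 acmeftpd 2.2 ready"},
                 "packages": {"acmeftpd": {"version": "2.2.9"}}},
}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    vuln: Vuln
    method: str     # "banner" (unauthenticated) or "authenticated"


def match_vulns(product: str, version: str) -> list:
    """The core VA step: compare an observed product/version against the table."""
    v = parse_version(version)
    return [x for x in VULN_DB if x.product == product and v < parse_version(x.fixed_in)]


def guess_from_banner(banner: str):
    """Unauthenticated scan: infer product and version from the service banner.
    Banners often carry only major.minor, so the guess is a lower bound."""
    m = BANNER_RE.search(banner)
    return (m.group(1).lower(), m.group(2)) if m else (None, None)


def run_assessment(inventory: dict, authenticated: bool) -> list:
    findings = []
    for host, data in inventory.items():
        for port, banner in data["ports"].items():
            product, version = guess_from_banner(banner)
            if product is None:
                continue
            fixed = set()
            if authenticated and product in data["packages"]:
                # Logged on: read the real installed version and the vendor fix list.
                pkg = data["packages"][product]
                version, fixed = pkg["version"], pkg.get("backported_fixes", set())
            for vuln in match_vulns(product, version):
                if vuln.vuln_id not in fixed:
                    findings.append(Finding(host, port, vuln, "authenticated" if authenticated else "banner"))
    return findings


def false_positives(inventory: dict) -> set:
    """(host, vuln_id) pairs the banner scan reports that the authenticated scan clears."""
    def pairs(fs):
        return {(f.host, f.vuln.vuln_id) for f in fs}
    return pairs(run_assessment(inventory, False)) - pairs(run_assessment(inventory, True))


def triage(findings: list) -> list:
    """Collapse per-host findings into one row per vulnerability, ordered by
    severity and then by number of affected hosts: the worklist to act on first."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f.vuln].add(f.host)
    rows = [(v.vuln_id, v.severity, sorted(h)) for v, h in hosts.items()]
    rows.sort(key=lambda r: (-SEVERITY_RANK[r[1]], -len(r[2]), r[0]))
    return rows


if __name__ == "__main__":
    print("unauthenticated findings:", len(run_assessment(INVENTORY, False)))
    print("authenticated findings:  ", len(run_assessment(INVENTORY, True)))
    print("false positives:", sorted(false_positives(INVENTORY)))
    for row in triage(run_assessment(INVENTORY, True)):
        print(row)
```

On the constructed inventory the banner scan reports five findings and the authenticated scan three: the host running 2.3.7 is wrongly flagged for a bug fixed in 2.3.5 because its banner only says 2.3, and the host with a backported fix is wrongly flagged because its version number never changed. The triage step is what turns the remaining list into "fix VULN-0001 on two hosts first".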
Pentest
A pentest takes a different approach. The pentester (preferably a white hat hacker working under an agreed scope) has a way into the system, either granted as part of the pentest or obtained through other means such as phishing. Once inside the network, his or her goal is to acquire administrative privileges.
To reach that goal the pentester does not need to find every vulnerability in the network; one is enough. So the pentester will scan the network, but far less extensively than a VA, because he or she wants to stay off the radar of the SOC team and the EDR tooling in place. When the pentester finds a server vulnerable to EternalBlue (the SMBv1 flaw patched by MS17-010) or another nice vulnerability, he or she exploits that specific item and escalates privileges to administrator.
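The "stay off the radar" point, and the later advice to use a pentest to test your SOC, can be seen in a small detection. This is an added example, not code from the original post: it feeds constructed firewall deny logs for a noisy VA sweep and for a sparse, low-and-slow pentester into a sliding-window fan-out rule. The log format (src=, dst=, dport=), addresses, timestamps and thresholds are all assumptions made for illustration.

```python
"""Added example (not from the original post): a small SOC-style detection over
firewall deny logs that shows why a noisy VA sweep trips a burst threshold while
a pentester's sparse, low-and-slow probing does not, and what a longer baseline
catches. Log lines, field names (src=, dst=, dport=), addresses and thresholds
are all constructed for illustration (assumption), not any vendor's format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r"^(\S+) fw action=deny src=(\S+) dst=(\S+) dport=(\d+)$")


def make_lines(src, start, targets, ports, spacing):
    """Generate constructed deny events: one line per (target, port), `spacing` apart."""
    lines, t = [], start
    for dst in targets:
        for port in ports:
            stamp = t.isoformat().replace("+00:00", "Z")
            lines.append(f"{stamp} fw action=deny src={src} dst={dst} dport={port}")
            t += spacing
    return lines


START = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
# VA scanner: 20 hosts x 50 ports, one probe per second (about 17 minutes of noise).
VA_LINES = make_lines("10.0.0.50", START, [f"10.0.1.{i}" for i in range(1, 21)],
                      range(1, 51), timedelta(seconds=1))
# Pentester: 5 hosts x 3 interesting ports, one probe every 10 minutes.
PT_LINES = make_lines("10.0.0.99", START, [f"10.0.1.{i}" for i in range(1, 6)],
                      [22, 445, 3389], timedelta(minutes=10))


def parse(lines):
    """Group events by source, sorted by time. Lines that do not match are skipped."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        events[m.group(2)].append((ts, (m.group(3), int(m.group(4)))))
    for evs in events.values():
        evs.sort()
    return events


def peak_fanout(events, window):
    """Per source: the largest number of distinct dst:port pairs seen within any
    interval of length `window` (sliding window over the sorted events)."""
    peaks = {}
    for src, evs in events.items():
        counts, left, best = defaultdict(int), 0, 0
        for ts, target in evs:
            counts[target] += 1
            while ts - evs[left][0] > window:      # drop events that fell out of the window
                old = evs[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            best = max(best, len(counts))
        peaks[src] = best
    return peaks


def alerts(lines, window_seconds, threshold):
    """Sources whose peak fan-out within `window_seconds` reaches `threshold`."""
    peaks = peak_fanout(parse(lines), timedelta(seconds=window_seconds))
    return sorted(src for src, n in peaks.items() if n >= threshold)


if __name__ == "__main__":
    logs = VA_LINES + PT_LINES
    print("burst rule (50 targets / 60 s):   ", alerts(logs, 60, 50))
    print("baseline rule (10 targets / 24 h):", alerts(logs, 24 * 3600, 10))
```

With the burst rule only the VA scanner shows up; the pentester never has more than one new target per minute. Only when the window is widened to a day does the pentester's fifteen probes cross a modest threshold, which is the kind of tuning question a pentest puts to a SOC.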
The report presents the tactics used to reach administrative privilege, which exploits were used, and so on. It also advises on how to prevent this type of attack and lists additional findings that were not part of the attack path itself.
Conclusion
As you can see, there are distinct differences between the two.
A VA is very extensive but does not actually try to abuse the vulnerabilities it finds; it only reports on them. But it does report everything!
A pentest, in comparison, finds only a few high or critical vulnerabilities and actually exploits them to achieve a real compromise.
So if you want to know everything that is going on in your environment, go for a VA: make it a program, repeat it regularly and possibly even run it continuously. Remediate systematically and become less vulnerable over time.
If you want to test your SOC, EDR and other security measures that you have in place, go for the pentest and see if you can catch the pentester before they reach their goal.
Either way, you will definitely learn and become more secure by doing a pentest or a vulnerability scan!
If you like this blog and want to read more blogs by me, please leave a comment. If you want to know more about a certain topic, just ask and who knows….