Goal-Based Penetration Testing

The COVID-19 pandemic has changed the way the world operates. Organizations of all sizes have transformed themselves from having none or partial remote working to all of their employees adopting this style. With the new normal, accessible and remote technology has become very important for work and in peoples’ personal lives. We can certainly call this a virtual world, where confidential activities that used to happen in closed rooms now happen over the internet. This has significantly increased the number of cyber threats at least five-fold. Threat actors utilize this digital transformation to exploit the mistakes made by users and companies as their entry point for financial gain, generating reputational damage, or whatever else their goal may be. This occurs in the form of ransomware, phishing, and data breaches.

To understand the current and future ways of working, let us start by exploring the different objectives or goals of threat actors. In this chapter, we will discuss the different types of threat actors and the importance of goal-based penetration testing with a set of objectives; we investigate misconceptions and how a typical vulnerability scan, penetration testing, and red team exercise can fail without the importance of a goal. This chapter also provides an overview of security testing and setting up a verification lab, focusing on the customization of Kali to support some advanced aspects of penetration testing. By the end of this chapter, you will have covered the following:

• The different types of threat actors
• An overview of security testing
• Misconceptions of vulnerability scanning, penetration testing, and red team exercises
• The history and purpose of Kali Linux
• Updating and organizing Kali
• Installing Kali on various services (Amazon Web Services/Google Cloud Platform/Android)
• Setting up defined targets
• Building a verification lab

Let us begin with the types of threat actors that exploit technological infrastructure.