How to Pass a Pentest in a few easy steps!
Are you a CTO? Did the pesky board decide that you needed to have a Pentest to prove the fiefdom you painstakingly cultivated is building instead of talking in circles? Are they bringing in a Big 4 accounting firm to spoil the month-long Civilization gaming marathon you had planned? Here are some great ideas you can use to energize the Pentesters, put the entire company and the next fundraise at risk and pass your Pentest with flying colors.
Pentesters are employed globally to kill vibes in engineering teams. Kendrick Lamar was a hardcore Haskell developer going through a painful time on a Pentest when he wrote the song “Bitch, Don’t Kill My Vibe”. Through the years, like how the Stanford Prison Experiment evolved, Pentesters have become emboldened to a point where they believe they run the show. These delusions must be dealt with swiftly. Use the techniques outlined here to demonstrate that you are an engineering leader not to be trifled with. Don’t worry, these techniques require less effort than paying down your mountain of tech debt and are far more entertaining.
1. Discovery by Gas Light
Give the Pentesters a VPN to connect to the “internal” network. Then scatter this network full of fake hosts. Use Docker to create a network and then randomly populate this network with containers that use Honeyd to respond as if it were a real host. Randomize MAC and IP addresses and pick some descriptive names like “CustDB”, “AdminWS”, “VoIPSrvr” or “AuthServer”. Make sure to set up high latency and include some packet loss when setting up your hosts using Honeyd. This is an effective way of pacing an impatient Pentester’s -T4 scans. Pentesters love to manually tweak their Nmap scans and you can tell they’re having fun when they start pulling out --initial-rtt-timeout, --min-rtt-timeout and --max-rtt-timeout.
You want to have the Pentesters find these fake hosts during discovery when they’re running their Nmap scans. Script this setup to tear down and reset itself at the end of each day so that the Pentesters will not find the hosts they discovered the day before and will have to start their discovery again. If you automate this process and can run it several times a day, you will win big because that can tackle their Zmap scans, which they will resort to when their Nmap scans take too long to complete.
Sow the seeds of doubt in your CEO’s mind by saying the Pentesting budget could have been better used to take a third engineering off-site in an exotic location for the year. Say these words: “These Pentesters can’t find that exotic location with a $200,000 Google Maps Places API budget. So how can they be expected to find our internal servers?”
Effort: 8
Entertainment: 6

2. Drop the Production Database
Drop the two tables with the largest number of rows and highest IO, then take a long lunch. It doesn’t matter if you “eat lunch” at 10am. Do this when the Pentesters start their WebApp Pentesting. This will give the company a real-world opportunity to test the moat that the CEO pitched to the investors during the last fundraise. The only people other than your customers that need functioning databases are your growth team. But they’re still learning not to run nested SELECT * statements on prod during peak times, so they’re used to waiting minutes for a response anyway. They should really speak with my friend Crystal. But that’s for another time.
Come back after 3 hours and then announce on Slack that you’re adding indexes to some tables to “improve performance” during peak times and that the “CREATE INDEX” statement has to halt all DB operations while it runs on your 4 million row table. Prime one of your engineers to speak at length about the number of seconds you will save in a year if you shave 10,000ns off your DB reads. Tell him his only job is to answer Slack messages and talk to the CEO because you had to handle this critical, performance-enhancing task. Give him a bonus if he gets word bingo on “orthogonal”, “canonical”, and “security protocols”.
Pentesters can’t abuse SQL Injection when there’s no way to run SQL. Find them and insist on “being helpful” by telling them about this cool new “front end” TCP layer your engineers wrote to not only speed up database transactions but also block SQL injection. Tell the Pentesters to “try harder”; they love hearing this.
Find the guy in the company that they’re grooming to be the CISO and ask him in front of the CEO about his business continuity plan and why it has not kicked into action, because he’s costing the company thousands in lost revenue per minute. Let him stew for a few days by not being available to discuss anything. Then swoop in and kick off a full DB restore to save the day. After about 4 days of no DB access, the Pentesters will have moved on to another phase and your CEO won’t care about anything other than getting the business started back up so he can keep the investors off his ass.
Effort: 7
Entertainment: 8.5

3. Patch Early, Patch Often
Insist that the Pentesters share a daily report of their WebApp Pentest findings. Pentesters relish the thought of writing a report after a stressful day of Pentesting non-responsive WebApps and high latency port scans. It is also a psychological win for you because you force them to re-live their failures of the day.
Use this technique to catch those stray moments when a possible SQL Injection or pesky XSS rears its ugly head. Share this report with your engineering team and threaten them to come up with a fix or make the finding go away by the next day (remember that you built this team, so no threat you make to them is ever illegal). Pentesters love to uncover potential entry points to exploits that they can weaponize later. These ego-driven showboaters are so dramatic, they live for the moments when they can string together a bunch of smaller exploits into a bigger, more serious one. This in itself isn’t the dramatic part; that’s reserved for the grandstanding during their final presentation to the CEO and the board. Unburden them of these moments by making the findings disappear as soon as they are discovered.
Invariably they will complain to the CEO that the “Pentest is only valuable on a frozen state architecture with minimal changes.” This is the moment that you hit back at them with the line “Well, in the real world, architectures are evolving and attackers have to deal with that.” Pentesters will usually wax poetic about the “real-world” so they will appreciate it and be impressed when you use language they are familiar with.
Effort: 5
Entertainment: 7

4. Point all your DNS entries at CIA and FBI IP addresses
This two-pronged technique is both science and art. The technical part is easy: just point the DNS A records of your app and database servers to IPs within the IP blocks of the FBI and CIA. If you can’t be arsed, then just point them to the web servers of the FBI and CIA. It is vital that you only do this if there is a “remote” component to the Pentest. This means that the Pentester is conducting his scans of your infrastructure from his own home, office, or cafe. This way, the Pentester can take all the credit, which he so richly deserves, for starting a scan and leaving his laptop for it to complete. Pentesters need to practice extreme ownership in order to grow and advance in the ranks of other Pentesters. You will be helping.
Now, the art of this technique lies in convincing not just the Pentesters, but also the company, board, and CEO that you are working together with the US authorities to catch people that want to harm human and animal kind. This is why you have volunteered to assist by changing the company servers to point to the ones operated by the CIA and FBI.
As for the loss of customers and revenue, repeat the scenario from technique 2 of inviting the potential CISO to take ownership of this situation. Question his lack of relationship building with authorities to keep him on his toes. Give him the number to the general hotline of the CIA and gather in a room with the CEO and board to watch as he calls them up to “take charge” of this operation. When he fails and gets yelled at by the CIA, volunteer in front of everyone to take him under your wing and help him learn how to build relationships and be on top of things but then be unavailable when he takes you up on that offer. This should get you enough time to at least play a little bit of Civilization until the CISO gets to grips with the developing situation.
Swoop back in on day 3 and restore the DNS records. Tell the CEO and board that the authorities just did not trust the CISO and that they recommended you run an in-depth background check on him. Post on LinkedIn that you were humbled to work with the authorities to flush moles out from within the company. Blame any country that’s being vilified in the press on that week.
Effort: 4
Entertainment: 8

5. Post on LinkedIn before the Pentest starts
Forewarned is forearmed, said someone. So make sure to take the opportunity to tell everyone about the upcoming Pentest the minute the ink on the contract has dried. Post on LinkedIn, making sure you are humbled and honored, about the Pentest being conducted on your infrastructure. Make sure to provide lots of information so that any third parties that work with you can tighten up their weak APIs that you’ve been exploiting instead of actually writing the features in-house. Next, email everyone in the company and post on Slack that they are to expect a team of Pentesters in the coming days. Do not specifically tell them to increase security and be tight-lipped, but give enough clues that you know what they’re doing when no one is watching so that they know not to speak ill of the engineering team.
Then when the CEO proudly ushers the Pentest team into the office trying to pass them off as the “data cleaning crew”, everyone will know his treachery. This will win you more favor because you were the only one that cared enough to inform them not to print out the shared password on a banner and hang it in the office. Pentesters thrive on operating in real-world environments, and this heightened staff paranoia is something that they will take joy in dissecting. If a networked departmental photocopier with a default password is switched off, is it really vulnerable? Have a private Slack channel where people can report on what the Pentesters are doing and their whereabouts at all times.
Effort: 1
Entertainment: 4

As you can see, these techniques are strongly correlated with influencing the outcome of any Pentest. In the legal system, a lack of evidence is a strong indicator of innocence. Similarly, in Pentesting, inconclusive results do not indicate risk or vulnerabilities. They raise important questions about the Pentesters and their level of competence. It lowers the importance of future Pentests in the eyes of the CEO and board and it allows you to go about your work unencumbered. As your spoils of war, you also get the additional budget for Pentesting to spend on your department.
So if you are that CTO looking to run your next off-site at an exotic location, consider Sri Lanka. My friend and I have painstakingly built a hotel in Sri Lanka that not only has 14 rooms to accommodate your engineering team, but also a large co-working space overlooking the ocean. We’ve even got 3 meeting rooms, one large enough to house your entire board where you can discuss your next white elephant project that you and the team want to embark on. Book now, we’re open for business!