Penetration Testing: White Box, Grey Box or Black Box
When setting up a penetration test or security evaluation, your results will depend on how much information your researcher has in advance.
Physical security teams are accustomed to testing their perimeters and defensive measures, and so are cybersecurity professionals. However, when setting up a new penetration test or red team exercise, enterprise security leaders have to define the scope of the program, the goals and the rules of engagement for testers, including which box model (black, white or grey) to use.
Penetration tests are categorized by color (black, white or grey), depending on the level of information or access provided to the tester before the start of the exercise.
In a black box test, the penetration tester knows little to nothing about the target, says Paul Brandau, Red Team Director for Fortalice. This produces a more accurate adversarial approach to the test, as the tester is forced to scope out the entire network or infrastructure in an attempt to gain access or uncover vulnerabilities. Black box exercises allow enterprises to quickly identify and remediate vulnerabilities that could be potentially exploited by a malicious actor.
For a white box exercise (also called a clear box test), the enterprise is seeking to test a specific program or piece of network infrastructure, narrowing the scope of the test significantly. For these exercises, the tester needs to understand how the system is set up from the outset to help inform the test and examine the target more thoroughly, Brandau says. A white box exercise sacrifices some of the realism of a black box test in order to gain information about a specific target.
A white box tester will often be provided with source code from internal applications or detailed documentation of inner configurations, along with internal user accounts with administrative properties, says JR DePre, Red Team Technical Manager for eSentire’s Advisory Services.
A grey box exercise is somewhere in between these two extremes. In this case, the penetration tester is provided limited internal information or access from an organization regarding the target system, and often the tester is assessing the infrastructure from the perspective of an actual user, DePre says. The information provided during a grey box test varies widely depending on the goal of the exercise, but organizations could commonly provide a basic network map, limited design or architecture of target systems, and access to user accounts.
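Whatever box model is chosen, the rules of engagement above (scope, goals, what the tester is given) have to be enforced while the test runs, because a tester who wanders onto an excluded production host has broken the agreement regardless of how little they were told in advance. The following is an added example, not code from the article or from either firm quoted in it: a small Python scope checker for a hypothetical grey box engagement. The `EngagementScope` structure, the field names, and the sample ranges and hostnames are all constructed for illustration; exclusions take precedence over inclusions, and anything that is neither a parseable address/CIDR nor a listed hostname is rejected.

```python
"""Scope enforcement for a penetration test (added example; hypothetical structure)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class EngagementScope:
    """Rules of engagement agreed before the test starts (hypothetical fields)."""
    box_type: str                                          # "black", "grey" or "white"
    provided: list = field(default_factory=list)           # artifacts handed to the tester
    allowed_networks: list = field(default_factory=list)   # CIDR strings that are in scope
    allowed_hosts: list = field(default_factory=list)      # hostnames that are in scope
    excluded: list = field(default_factory=list)           # IPs/CIDRs/hostnames never to touch


def _as_network(value):
    """Parse an IP address or CIDR string into an ip_network; return None for hostnames
    and for anything that is not a valid address (e.g. '10.0.1.999')."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None


def _matches(target, entries):
    """True if target (an IP, a CIDR or a hostname string) is covered by any entry.
    Addresses are compared as networks (a bare IP becomes a /32 or /128), hostnames
    are compared case-insensitively, and IPv4/IPv6 entries never match each other."""
    net = _as_network(target)
    for entry in entries:
        entry_net = _as_network(entry)
        if net is not None and entry_net is not None:
            if net.version != entry_net.version:
                continue
            if net.subnet_of(entry_net):      # whole target range must lie inside the entry
                return True
        elif net is None and entry_net is None:
            if target.strip().lower() == entry.strip().lower():
                return True
    return False


def in_scope(scope, target):
    """Exclusions always win; otherwise the target must fall within an allowed
    network or match an allowed hostname exactly."""
    if _matches(target, scope.excluded):
        return False
    return _matches(target, scope.allowed_networks + scope.allowed_hosts)


def filter_targets(scope, candidates):
    """Split a list of discovered candidates into (permitted, rejected) lists,
    preserving order, so a scanner can be fed only the permitted ones."""
    permitted = [c for c in candidates if in_scope(scope, c)]
    rejected = [c for c in candidates if not in_scope(scope, c)]
    return permitted, rejected


# Constructed sample scope for a grey box test: the tester gets a basic network map
# and one ordinary user account, two small ranges and one portal are in scope, and the
# production database server plus the backup host are explicitly off limits.
SCOPE = EngagementScope(
    box_type="grey",
    provided=["basic network map", "one standard user account"],
    allowed_networks=["10.0.1.0/24", "203.0.113.0/28"],
    allowed_hosts=["portal.example.test"],
    excluded=["10.0.1.250", "backup.example.test"],
)

# Constructed list of hosts a discovery sweep might have turned up.
DISCOVERED = [
    "10.0.1.5",             # in the allowed /24
    "10.0.1.250",           # in the /24 but excluded
    "10.0.2.7",             # outside every allowed range
    "203.0.113.10",         # inside 203.0.113.0/28 (.0 to .15)
    "203.0.113.20",         # outside that /28
    "PORTAL.example.test",  # allowed hostname, different case
    "backup.example.test",  # excluded hostname
    "10.0.1.999",           # not a valid address, not a listed hostname
]

if __name__ == "__main__":
    ok, bad = filter_targets(SCOPE, DISCOVERED)
    print("permitted:", ok)
    print("rejected:", bad)
```

Two caveats a practitioner would add: the checker compares strings, so a hostname should be resolved and its addresses checked as well before any traffic is sent, and the `provided` list is a record of what the organization handed over (the thing that distinguishes grey from black and white box) rather than something the code enforces.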
So when would each test be most effective?
According to DePre, an incoming CISO or IT director could use a black box test to assess the current state of the organization’s security posture, or determine the low-hanging fruit that outside attackers could most readily use to access the network. Security leaders could call for a grey box test when the organization is looking to build a vulnerability management program or would like to test the detection and response of their internal security operations center (SOC) to an outside threat. A white box test could be used to thoroughly test a new application or system configuration before it’s launched to the public.
These differences don’t apply to cybersecurity testing alone, either. The same model applies to physical security, adds Brandau. In a physical penetration test, a CSO may be seeking to evaluate the effectiveness of a new security awareness program (an anti-tailgating initiative, for example). For a white box exercise, the tester could be given security officer patrol schedules and building layouts in advance; in a black box exercise, the tester would need to do their own recon, and would attempt to gain entry into the building by any means – whether by tailgating or stealing an employee badge or finding a propped-open door.
Security technology is also making a difference here. Automated tools and techniques can be used to find and address common vulnerabilities, so that analysts and penetration testers can be put to better use in more in-depth, complex exercises and programs.
“Penetration testing is an extremely valuable tool, but is only one part of the security equation,” says DePre. “It is important to also assess and continue to improve the security posture in all areas of the organization (such as security awareness in employees and other personnel).”