Examining Penetration Tester Behavior in the Collegiate Penetration Testing Competition

Author:

Benjamin S. Meyers¹ (ORCID), Sultan Fahad Almassari¹, Brandon N. Keller¹, Andrew Meneely¹

Affiliation:

1. Department of Software Engineering, Rochester Institute of Technology, Rochester, NY, USA

Abstract

Penetration testing is a key practice in engineering secure software. Malicious actors have many tactics at their disposal, and software engineers need to know which tactics attackers will prioritize in the first few hours of an attack. Projects like MITRE ATT&CK™ provide knowledge, but how do people actually deploy this knowledge in real situations? A penetration testing competition provides a realistic, controlled environment in which to measure and compare the efficacy of attackers. In this work, we examine the details of vulnerability discovery and attacker behavior, with the goal of improving existing vulnerability assessment processes, using data from the 2019 Collegiate Penetration Testing Competition (CPTC). We constructed 98 timelines of vulnerability discovery and exploitation for 37 unique vulnerabilities discovered by 10 teams of penetration testers. We grouped related vulnerabilities by mapping them to Common Weakness Enumeration (CWE) entries and to MITRE ATT&CK™. We found that (1) vulnerabilities related to improper resource control (e.g., session fixation) are discovered faster and more often, and exploited faster, than vulnerabilities related to improper access control (e.g., weak password requirements), and (2) penetration testers follow a clear progression from discovery/collection to lateral movement/pre-attack. Our methodology facilitates quicker analysis of vulnerabilities in future CPTC events.
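As an added illustration of the kind of analysis the abstract describes (this is not the paper's code, and the events below are constructed sample data, not the CPTC 2019 dataset): each timeline records, per team and vulnerability, when the flaw was first discovered and when it was first exploited, labelled with an assumed weakness class (the two classes named in the abstract) and an assumed ATT&CK tactic. The summary then compares discovery count, time to discovery and discovery-to-exploit delay across classes, and lists each team's tactics in order of first appearance.

```python
"""Summarise vulnerability timelines by weakness class and ATT&CK tactic.

Added illustration only: not the paper's code, and the events are constructed
sample data rather than the CPTC 2019 dataset. Weakness classes, tactic labels
and times are assumptions chosen to exercise the analysis.
"""
from collections import defaultdict
from statistics import median

# Constructed events: (team, vuln, weakness_class, tactic, kind, minutes_since_start).
# kind is "discover" (first evidence the team found the flaw) or "exploit".
EVENTS = [
    ("T1", "V1", "improper resource control", "discovery",        "discover",  40),
    ("T1", "V2", "improper access control",   "collection",       "discover",  60),
    ("T1", "V1", "improper resource control", "lateral-movement", "exploit",   70),
    ("T1", "V2", "improper access control",   "lateral-movement", "exploit",  260),
    ("T2", "V1", "improper resource control", "discovery",        "discover",  55),
    ("T2", "V1", "improper resource control", "lateral-movement", "exploit",   95),
    ("T2", "V2", "improper access control",   "collection",       "discover", 200),
    ("T3", "V1", "improper resource control", "discovery",        "discover",  30),
    ("T3", "V1", "improper resource control", "lateral-movement", "exploit",   60),
    ("T3", "V3", "improper access control",   "collection",       "discover", 180),
    ("T3", "V3", "improper access control",   "lateral-movement", "exploit",  300),
]


def build_timelines(events):
    """One timeline per (team, vuln): weakness class plus earliest discover/exploit time."""
    timelines = {}
    for team, vuln, wclass, _tactic, kind, t in events:
        tl = timelines.setdefault((team, vuln), {"class": wclass, "discover": None, "exploit": None})
        if tl[kind] is None or t < tl[kind]:
            tl[kind] = t
    return timelines


def summarise_by_class(events):
    """Per weakness class: how many timelines found it, how fast, and the exploit delay."""
    disc = defaultdict(list)   # class -> minutes from start to discovery
    delay = defaultdict(list)  # class -> minutes from discovery to exploit
    for tl in build_timelines(events).values():
        if tl["discover"] is None:
            continue  # an exploit with no recorded discovery cannot be timed
        disc[tl["class"]].append(tl["discover"])
        if tl["exploit"] is not None:
            delay[tl["class"]].append(tl["exploit"] - tl["discover"])
    return {
        c: {
            "discoveries": len(disc[c]),
            "median_discovery_min": median(disc[c]),
            "exploits": len(delay[c]),
            "median_exploit_delay_min": median(delay[c]) if delay[c] else None,
        }
        for c in disc
    }


def tactic_order(events):
    """Per team: tactics in the order they first appear on the team's timeline."""
    order = defaultdict(list)
    for team, _v, _c, tactic, _k, _t in sorted(events, key=lambda e: (e[0], e[5])):
        if tactic not in order[team]:
            order[team].append(tactic)
    return dict(order)


if __name__ == "__main__":
    for wclass, summary in summarise_by_class(EVENTS).items():
        print(wclass, summary)
    for team, seq in tactic_order(EVENTS).items():
        print(team, " -> ".join(seq))
```

With the constructed data the resource-control class is found by all three teams within the first hour and exploited within about half an hour of discovery, while the access-control class is found later and exploited after a longer delay; real timelines would replace the constructed events with observations from the competition logs.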

Funder

National Science Foundation

Department of Defense DARPA SBIR program

Publisher

Association for Computing Machinery (ACM)

Subject

Software


Cited by 5 articles.

1. Introducing a New Alert Data Set for Multi-Step Attack Analysis. Proceedings of the 17th Cyber Security Experimentation and Test Workshop, 2024-08-13.

2. Penetration Testing and Ethical Hacking: Risk Assessments and Student Learning. 2023 IEEE Frontiers in Education Conference (FIE), 2023-10-18.

3. Battle Ground: Data Collection and Labeling of CTF Games to Understand Human Cyber Operators. 2023 Cyber Security Experimentation and Test Workshop, 2023-08-07.

4. An Empirical Comparison of Pen-Testing Tools for Detecting Web App Vulnerabilities. Electronics, 2022-09-21.

5. The Pentest Method for Business Intelligence. 2022 45th Jubilee International Convention on Information, Communication and Electronic Technology (MIPRO), 2022-05-23.
