A couple weeks ago I picked up a book with the very appealing title: Advanced Penetration Testing: Hacking the world’s most secure networks. The author of this book is the seasoned information security expert Wil Allsopp and it has been published by Wiley in March 2017. The foreword has been written by Hans van Looy, founder of Madison Gurkha (I’ve always wondered about this name when I saw it, finally explained in the foreword). The back cover states that this book is about more complex attack simulation and Advanced Persistent Threat (APT) modelling featuring techniques that are way beyond using Metasploit and vulnerability scanners.
Advanced Penetration Testing & APT Modelling
The book is covering Advanced Penetration Testing subjects such as:
- Discover and create attack vectors.
- Move unseen through a target enterprise and reconnoiter networks, operating systems, and test structures.
- Employ social engineering strategies to create an initial compromise.
- Establish a beachhead and leave a robust command-and-control structure in place.
- Use advanced data exfiltration techniques – even against targets without direct Internet connections.
- Utilize advanced methods for escalating privilege.
- Infiltrate deep into networks and operating systems using harvested credentials.
Generally we only write practical penetration testing tutorials on Hacking Tutorials but for a change I wanted to write a short review on this book. Personally I think this book is a must read for every penetration tester, red teamer and security specialist.
Personally I’ve enjoyed every page of this book because it offers a new perspective to penetration testing and security for many. The advanced penetration testing techniques described in this book are way beyond running a vulnerability scanner and downloading and executing exploits from exploit-db. The author challenges the reader to re-think security and everything that you know about penetration testing. He book does not simply provide a collection of code and scripts. Instead he challenges the reader to fully understand the techniques and tools and being able to develop their own. When progressing through the chapters it becomes more and more obvious how almost every network can be penetrated, including networks that are not connected to the internet. Some people might think that books like these are controversial because the techniques described can also teach the bad guys or how to become one. Truth is that many advanced techniques are used by the bad guys already and they can also be used to defend against them which is exactly what APT modelling is all about.
Another thing I liked about this book is that the author writes about his own experience with APT modelling against specific industries. Each chapter describes APT modelling against an organization in a specific industry such as a hospital, pharmaceutical company or bank. The break down in industry also gives the reader a clear view how specific industries have different assets to protect, how they are protected and by who. For instance the most important assets for a hospital are critical medical equipment and the confidentiality of medical records. A publishing company will have their security measures focusing on maintaining the integrity of their publications. Another important factor which can be distinguished between different industries is the competence level and of course IT budgets. All these factors require modelling different APT’s and using different techniques. I think the author did a great job on explaining this to the reader.
If you are looking for a book that covers the modelling of Advanced Persistent Treats and more advanced techniques, you should definitely buy this book. It will probably be a big eye opener for a lot of people that are new to penetration testing and a great asset for existing penetration testers. Both the paperback and Kindle edition are available to buy from Amazon:
Have you read the book too? Let us know what you think by leaving a reply.