The importance of research questions in cybersecurity assessments

When conducting cybersecurity assessments – whether it’s a pentest, a social engineering exercise or a physical security pentest – it is easy to focus on, or get lost in, the most fun part: discovering as many vulnerabilities as possible. Over the years, we have noticed that a critical component of any successful assessment is often overlooked: research questions.

What do we mean by research questions?

By research questions in the context of a cybersecurity engagement we mean the specific questions that the engagement is designed to answer.

Why do research questions matter?

Let’s take an internal network pentest as an example. A common pitfall is that the pentester just plugs their hacker laptop into the network and tries to find as many vulnerabilities as they can. While finding and exploiting new vulnerabilities is fun, there is no focus on what is important for the client. Unlike a real attacker, pentesters are bound by time constraints and need to allocate their time wisely. How can a pentester decide what is important during an engagement without clear research questions?

When we are defining the research questions with a client, we are often asked to see whether we can obtain domain administrator privileges. These are the highest administrative privileges in a Windows network, and obtaining them leads to a total compromise of the domain. While this is a challenge we’d love to take on (and often succeed at), it does not clearly reflect the question the client actually has. Instead, we work with our client to discover what they really want to know: can we get hold of company secrets, financial records or sensitive employee information? We find that defining research questions enables us to really understand what our clients need.

Another example concerns a social engineering engagement at a physical office location. During a social engineering engagement, we target and manipulate employees into performing actions that compromise security. For example, we use psychological tricks to make employees share sensitive information, open a locked door, hand over their account password, and so on.

Getting into the server room is a question our clients often ask when we are defining the research questions. Although this sounds exciting, it is not a well-defined question. The real question is what a real-world attacker would do in that server room. Is he going to enter the server room, take a selfie and then leave? Or is he going to install a hardware backdoor? And does he even need access to the server room to do so, or will a standard office network connection do the trick, giving him remote access to the internal network from the outside? And does that objective fit within the social engineering engagement?

Align research questions with corporate risk

As you can see, it is important to think about specific questions and to align them with your corporate risks. That way, you will get more value from your offensive security engagements. In the end, every attacker has an objective, and your research questions should reflect the objectives that matter to you.

So, here are some examples of clearly defined research questions:

  • [Internal network pentest] To what extent is it possible for an unauthorized person to obtain access to sensitive corporate assets XYZ?

  • [Web application pentest] Is it possible for user A to perform actions XYZ in the name of user B?

  • [Web application pentest] Is it possible to gain unauthorized access to customer data XYZ by exploiting vulnerabilities in web application ABC?

  • [Social engineering] Is it possible to use impersonation to gain unauthorized access to the corporation’s most secret assets XYZ that are kept in the clean room?

Wrap-up

At Nullbyte, we define research questions together with our clients at an early scoping stage. Research questions define what the engagement aims to uncover and are the foundation of any cybersecurity engagement. They give structure to the test and ensure alignment with business objectives and their associated risks.

Are you interested in well-structured security research for your organization’s security posture? View our available services here. Would you like to hear more about our approach to security research, or do you have another question? Don’t hesitate to contact us!
