One morning in August 2022 – I’ve just had breakfast – my phone rings. At the other end is the head of the IT department of an automotive supplier from southern Germany. I had already been in contact with him via e-mail two weeks earlier. He would like to commission me with a pen test, I already know that much. A pen test can be many things, ranging from security analyses of individual applications or systems to the simulation of targeted attacks.

An attitude that has become widespread in the IT industry in recent years is known as the “assume breach” mentality. One pessimistically assumes that an intruder is already in the network. Attackers can gain access, for example, through phishing, critical security gaps in open source projects such as Log4j, or infected updates to purchased software, as in the case of SolarWinds in 2020 or Kaseya in 2021. During the call, the caller describes what he has in mind. Unlike in a black box test, I’m not supposed to try to break into the corporate network. My starting point should be different, following the “assume breach” idea: I’m already in.

The pen test is intended to show whether and how far an attacker who already has access to the internal network could penetrate to the highest authorization levels. The aim is to identify weak points in the network so that my client can make the necessary IT security adjustments at those points.
