From this article, we are starting the 2nd Phase of Penetration Testing, Information Gathering processes and their details. We will follow the path of explaining the topics listed below in separate articles. You can review the general stages in thisarticle. Correct and effective information gathering processes will provide input to the following stages. What will be explained in this phase will also show all institutions and companies that want to ensure information security the measures they need to take to protect information. Revealing what the information gathering phase covers will shed light on what measures managers at all levels should take because the information gathering processes followed by the security team conducting the test are very similar to the processes followed by malicious structures in real life.We recommend that you review the article onCyberspace Definition and Actors.

We will investigate the subject under the following headings. In the rest of the article, we explained the basic approach to Information Gathering.

• Basic Approach

• Target Selection

• Open Source Intelligence

• Covert Information Collection

• Identifying Protection Mechanisms

Basic Approach

It is necessary to separate the information collection processes into certain groups according to the tools used and the outputs obtained. If this distinction is not made, the results obtained can easily exceed the determined scope and purpose. The separation of the tools ensures that the scope remains. For this reason, we will divide the processes to be carried out into 3 layers. In addition to the topics explained in other articles to be prepared on this subject, we will indicate in which layer the process can be carried out. For example, when you see the expression 1K-2K next to a subject, this means that Layer 1 and Layer 2 information collection processes are intended. In this way, the processes can be understood more clearly.

Layer 1

This layer is the fastest part of information gathering and is performed through automatic programs. These automatic information gathering tools produce results about the target by scanning search engines and internet archives.
It also includes researching whether the target has certain standard information security policies and how well these standards are followed. This layer must be implemented in order to be able to say that the Information Gathering phase has been completed.
If a company wants to have a conformity test done for the sector standard (e.g.: ISO 27001), this layer will be sufficient.

Layer 2

In addition to the operations carried out in the 1st Layer, these are detailed information collection operations, especially those performed manually. It also includes information gathering methods and Open Source Intelligence that seek answers to specific questions. More details of physical location, address information and business relationships are examined.
If a company aims for long-term information security along with compliance with industry standards and plans to enter into business agreements with 3rd party suppliers, it should also consider using this layer.

Layer 3

These are detailed information gathering processes that may be required in very advanced penetration tests. This is a layer that is spread over a long period of time and where every possible technique is used. It is not required to be done in every penetration test. Information gathering for this layer is more relevant to the state level.
In addition to information gathering, structures that plan to establish a permanent and staffed cyber defense organization should use this layer.

What is Information Collection?

In the later stages of the Penetration Test, vulnerability analysis and system entry processes will be performed. In order for these stages not to be inconclusive, some basic information is needed. The more information is collected in this stage, the more attack vectors that can be revealed and the probability of success will increase.
The attack vector describes the path of the attack. Let’s assume that 10 different methods can be used and which steps can be followed in light of the information collected. Each of these 10 different methods is called an attack vector, but they are also ranked by calculating the probability of success among themselves. It is not possible to apply all of them at once.
All vectors and potential threats must be reported to the company in the Penetration Test result report.

Why Collect Information?

Penetration Testing Information Gathering process is completely related to Open Source Intelligence. In this way, the company will determine how much of its information is in the hands of open sources and will be able to take the necessary precautions.
In this process, the points that are likely to enter the system are tried to be revealed. These can be electronic, physical and human-based. Physical vulnerabilities will shed light on the precautions that need to be taken in the field of physical security, and human-based vulnerabilities will shed light on social engineering and employee training.

What is Information Collection Not?

If the desired information cannot be obtained through the layers used during information collection processes, non-standard methods are not used to find it. This approach is outside the scope of Penetration Testing. For example, operations such as garbage disposal are not covered.