White Box Approach
A white box approach to testing requires full knowledge and access:
- We know everything you know
- Have access to everything you have access to
Like any reputable firm, we are always going to recommend a white box approach. We still offer black box testing as an option, but you may receive a significantly lower ROI by paying for more hours of reconnaissance and enumeration than necessary.
White box is always going to be a better value. There’s nothing that black box can provide that white box cannot provide - there is no test skipped, all tests are still performed. We’ve calculated white box to be ~20x more thorough compared to black box in terms of the number and thoroughness of tests that can be performed in the same amount of time, which translates to cost as well. Black box can take twice as long, or even longer, cost twice as much, or more, and is far less thorough.
However, white box requires more preparation and setup on the client side.
Items required for a white box approach (as applicable):
- IP ranges and domains - the testing scope
- Testing credentials/accounts for each role - standard user, administrator, and all the way up to domain admin
- Configuring firewalls, WAFs, VLANs, etc. to allow unmitigated testing from a whitelisted IP (Note: we will also test from non-whitelisted IPs)
- Importing our internal testing VM, which we call a dropbox
- Remote access to an internal workstation
- DNS exports
- Email account(s)
- Architecture diagrams
- Password and lockout policies
- Log/SIEM access – especially important for web app testing, or if a goal is to validate detection capabilities
- Backend privileged access to servers (ex. via SSH)
- Access to cloud infrastructure (ex. AWS console and API access)
- Source code - web app, mobile app, etc.
- Syncs with the red team (during a purple team approach)
- Red team knows what blue knows and has been granted access to everything blue has access to
More information about white box vs black box can be found here: https://penconsultants.com/graybox