White Box, Gray Box, and Black Box Testing, Oh My

Black box testing

In speaking with many of our clients, MainNerve’s staff has fielded countless questions about the type of penetration testing and approach that will be used, such as black box testing.  Often, clients are uncertain of what they are needing for their business, so we work with them to ensure we are providing the correct services. Our goal is to partner with and keep the clients’ needs first. We are geeks… we don’t read minds; we leave that part up to the psychics.

For some clients, black box testing simply means external penetration testing.  It’s a phrase often heard in movies, which aren’t always accurate. However, black box testing is an approach where an ethical hacker has no knowledge of the system being attacked.  The goal of a black box testing is to simulate an external hacking or cyber warfare attack.   MainNerve would perform reconnaissance, which is often called Open Source Intelligence (OINST), on the company to obtain sensitive knowledge of the networks.  This may take days or weeks for knowledge gathering.  This of course places us in the same role as an unethical hacker.

While this may be more like a real-world attack, the cost will be much higher due to the time it takes gathering data and attempting to brute force a network.  Many clients feel they are getting the best test possible with this approach.  However, MainNerve would like to remind companies that they may be overlooking many vulnerabilities on devices a tester may not have found.  Some attackers will take months attempting to harvest credentials before they get lucky and get into a network.

However, at MainNerve we like to presume that given enough time, a malicious actor would be able to find everything a client owns.  Therefore, we suggest gray box testing instead of black box testing.  We can still test the external network or applications as if we had no knowledge.  Once we verify that we cannot penetrate the firewall(s), we would then have the IPs and URLs in scope to continue testing to ensure you get the best bang for your buck.

Now you might be asking about the white box testing.  Isn’t gray box testing enough?  White box, or sometimes called crystal box, means we have even more information, like network diagrams or topology of the network.  This is mainly used for PCI testing, as that requires 100% of the network be verified and segmentation checks conducted.  This is more costly for internal network penetration testing, as those devices reside behind a firewall and we will have to ensure one network cannot talk to another network.

If you aren’t sure what you need, we have non-nerds standing by ready and willing to translate ‘geek’ and help you figure it out.  We are your partners in this endeavor, so feel free to call an expert at – 833-847-3280.

Leave a comment