Introduction
Life inside of any career field imaginable relies on social science to be able to do the job to the maximum effect. A physical therapist uses research in natural science to identify different exercises to help a person recover from a traumatic injury or ailment, but uses research in social science to identify what kinds of exercises people are actually going to do at home when prescribed. The difference is the effect that human behavior has on the results. Even the most remote software engineer, residing in the darkest closet and not having seen a human in three years, has a career that relies upon human interaction with or need for their software, and thus, social science research and the principles thereof apply.
The role of an Exploitation Analyst, or Penetration Tester, depends heavily upon the social science principles of empiricism, determinism, ethical neutrality, relativism, parsimony, objectivity, and skepticism. Further, the relationship between social science and penetration testing is ever evolving, as social scientists are researching how pen-testers, and technology as a whole, affect society, and pen-testers are finding new ways to do so. The following sections cover this relationship in more detail.
Doing the Job
According to the NICE Framework, an Exploitation Analyst “Collaborates to identify access and collection gaps that can be satisfied through cyber collection and/or preparation activities. Leverages all authorized resources and analytic techniques to penetrate targeted networks.” (Petersen et al., 2020). What this means is that the Penetration Tester attempts to gain access to a customer’s target system using any information given by the customer or available by other means.
Once the customer offers the Pen-Tester the job, and all of the contracts and paperwork have been signed, the work can begin. Separated into five distinct stages, the entire penetration test has elements reliant upon social science research and principles. These stages are: reconnaissance, scanning, vulnerability assessment, exploitation, and reporting (EC Council, 2022).
During the reconnaissance stage, the Exploitation Analyst has to gather as much information as is publicly available about the target system. This is one occasion where social science gets involved. For example, through economics, or the study of “the consequences of choices made concerning scarce productive resources” (Blaug, 2023), valuable information can be very easily collected about a company’s three most limited resources: time, money and people. A job website like Indeed.com or a networking company like LinkedIn can be used to identify how long a role, like CISO or ISSO, has been filled or vacant, how much money a company is willing to invest in cybersecurity, and the background of the people they hire. All of this information can lead to clues about the customer’s hardware and software setup, which is a critical piece of a penetration test.
Psychology and anthropology, specifically social psychology and cultural anthropology, are heavily relied upon in this stage as well. Understanding the culture surrounding cybersecurity and the general attitude of a company and its employees with regards to cyber-hygiene can save a lot of time during the vulnerability assessment later in the process.
The principles of social science can clearly be seen in the reconnaissance stage. Relativism and determinism are critical lines of thought when doing reconnaissance. Identifying how actions are related to events and how preceding events led to those actions can be beneficial when implementing a social engineering exploit, if one is needed to gain access in the exploitation stage of a penetration test. Skepticism keeps the analyst from jumping to the next stage of the penetration test too early and keeps them collecting more information instead.
The next stage is scanning. Scanning refers to the use of, “various tools to identify open ports and check network traffic on the target system.” (EC Council, 2022) This is the collection of real data. Rather than speculative or relative, this is empirical data that can help connect things learned in the reconnaissance stage to a real world vulnerability for later exploitation.
After scanning is the vulnerability assessment. This is when the Pen-Tester uses all of the information gathered during the previous two stages to identify the proper exploitation path. This may be a known software or hardware vulnerability, or identifying that relying on human error is the best way in. This is when combined efforts in criminology, sociology and psychology pay the biggest dividends. Research in social science can help decide if the profile of the people in the company makes them a viable social engineering target, if physical penetration may be required to prepare for exploitation, or if a network approach (preferred for many to maintain anonymity) can be used with little risk of detection.
The next, and arguably most exciting, step is the exploitation. As a culmination of all of the prior steps, its dependence on the social sciences and their principles is undeniable. As exciting as this stage is, in many kinds of penetration tests it is short-lived, and the last phase of the test comes quickly.
Finishing the Job
The final stage of a penetration test is reporting. This is what the customer was really paying for, so it is definitely the most important aspect of this entire process. The report contains two distinct parts, the “Executive Summary” and the “Final Report” (Hammond, 2021). In the Executive Summary, parsimony is very important; the individuals who hire an Exploitation Analyst won’t always have a very technical background, and keeping this part of the report simple will decrease confusion and increase the usefulness of the report. Objectivity and ethical neutrality are also important in this report, as a Pen-Tester’s personal feelings about a particular vulnerability or company shouldn’t affect the professionalism of the provided document.
Evolution of the Job
The first penetration test was conducted on the ARPANET, the predecessor of the Internet, in 1972 by James P. Anderson. Anderson is known as one of the “pioneers of penetration testing” (Ben-Aderet, 2023). Today, penetration testing and other forms of exploitation analysis are being performed as “gigs” by freelance security researchers. The social sciences and research for them have helped to open society to the idea of these cybersecurity gigs, as in the article Hacking for good: Leveraging HackerOne data to develop an economic model of Bug Bounties.
Conclusion
Although not always obvious during every facet of the job, all cybersecurity fields require interaction with society and, by extension, with social science. The Exploitation Analyst is a master of social sciences and their principles. Through each of the five stages of a penetration test, the interaction between social science and technology is evident.
It could be argued that a penetration test or other form of exploitation analysis could be done outside of the social science disciplines, but even if you ignore the social need for security and the social aspect of the cyber-world, the connection between the Exploitation Analyst and social sciences can be seen in the role they play within the economy: how the service they provide affects society, and how society drives the need for them to exist.
References
Ben-Aderet, B. (2023, June 16). The Five Important Moments In History That Shaped The Modern Cybersecurity Landscape. Forbes. Retrieved December 2, 2023, from https://www.forbes.com/sites/forbestechcouncil/2023/02/17/the-5-important-moments-in-history-that-shaped-the-modern-cybersecurity-landscape/?sh=42f9e714907e
Blaug, M. (2023, October 11). Economics | Definition, History, Examples, Types, & Facts. Britannica. Retrieved December 2, 2023, from https://www.britannica.com/money/topic/economics
EC Council. (2022, March 28). Learn About the Five Penetration Testing Phases | Pen Testing. EC-Council. Retrieved November 29, 2023, from https://www.eccouncil.org/cybersecurity-exchange/penetration-testing/penetration-testing-phases/
Hammond, J. (2021, January 12). Tips for How to Create a Pen (Penetration) Testing Report – Download Report Sample. YouTube. Retrieved December 2, 2023, from https://www.youtube.com/watch?v=NEz4SfjjwvU
Petersen, R., Santos, D., Wetzel, K. A., Smith, M. C., & Witte, G. (2020, November 13). National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. NIST Technical Series Publications. Retrieved November 29, 2023, from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf