
S.T.E.M. (Systematic Threat Evaluation Methodology)

I LOVE security testing.

There, I said it. 

Penetration Testing, Red Teaming, Threat Emulation… I LOVE it all.  Looking at a system, learning about the individual components, understanding how they were intended to work together, and pushing those preconceived limits… it energizes me.

When I first started in this industry, asking clients (whether internal or external) to whitelist source IP addresses for testing was a common practice.  It remains so to this day.

Recently, something about this process was bugging me.


Paulie (the young dude in the baseball cap) is indeed correct. But so is Senior (the old dude with the killer stache).

Cue Dramatic Narrator: The limited perspective of most security assessments fails to consider multiple layers of functional security controls, and can create a false sense of urgency.

Most organizations, including White Oak Security clients, spend tens (if not hundreds) of thousands of dollars on their defense-in-depth strategy.  This may include next-gen, machine-learning, heuristic, buzzword, buzzword, buzzword versions of:

· Web Application Firewalls (WAF)
· Intrusion Prevention Systems (IPS)
· Runtime Application Self-Protection (RASP)
· Interactive Application Security Testing (IAST)

You get the idea. These tools are an integral part of the organization’s security posture, and excluding them from security testing (via whitelisting) fails to tell the whole story.  

So, how can you properly evaluate the security posture of an organization, taking into account the organization’s compensating controls?

Allow me to introduce you to the White Oak Systemic Threat Evaluation Methodology (a.k.a. STEM)!


For those of you who have participated in a penetration test, you will surely notice some familiar phases: 

· Planning
· Reconnaissance
· Vulnerability Analysis
· Exploitation
· Post Exploitation
· Reporting

These phases still align with popular methodologies like the Penetration Testing Execution Standard (PTES) and OWASP Testing Guide.  However, keen-eyed observers will also notice that cute little blue triangle labeled “Remove Whitelist”. So, how does that cute little blue triangle help White Oak add value to the penetration testing process?  

The initial phases of the security assessment are performed from a whitelisted perspective.  These whitelisted phases offer several important benefits:

· Less likely to miss True Positives
· More accurate snapshot of the defects within the root systems / apps
· More efficient

At this point, White Oak has gained a detailed understanding of the security defects impacting the root systems / apps.  Now, let’s add some additional value.   

By removing the whitelist, White Oak reverts to the unprivileged perspective of standard attackers.  White Oak can now leverage the list of known security defects and repeat the Exploitation phase with the whitelist removed.  Armed with the list of known security defects, White Oak can now evaluate the effectiveness of security controls with unparalleled precision.

Cue Dramatic Narrator: Will the WAF prevent this darn Cross-Site Scripting (XSS) vulnerability? Will the IPS protect our system from that notorious EternalBlue exploit?

In general, the additional test phases do not add a significant amount of time to the initial engagement scope.  In most cases, White Oak already has working exploit code (or proof-of-concepts) that simply need to be replayed from the non-whitelisted perspective. In some cases, the non-whitelisted attack is initially blocked, but White Oak is able to leverage advanced exploitation techniques in order to bypass compensating controls. 

Let’s prove Senior right!

If the compensating controls prevent the attack, White Oak can then adjust the severity rating to provide a more accurate representation of the real-world impact to the organization.

Now let’s take this concept a step further and repeat the Vulnerability Analysis phase, again focusing on the known security defects.  If the compensating controls make vulnerability identification more difficult, or make the attack more difficult to exploit, White Oak can then adjust the difficulty of exploit rating accordingly. Again, this provides a more accurate representation of the real-world impact to the organization.

So that’s pretty cool, but are there any intrinsic benefits that we haven’t considered yet?

Cue Dramatic Narrator: You bet your sweet bippy there are!

Alternate Mitigation Options

If a particular exploit was not protected by the compensating controls, it is often easier to implement a rule within the IPS/WAF/whatever to block the exploit than it is to fix the root cause of the defect.  This may decrease the risk rating to an acceptable level for the organization, or may at least buy some additional time until the root cause can be addressed.

Security Tools ROI

Determining the true ROI of security is inherently difficult.  Some might even say it’s downright impossible.  However, if the STEM methodology indicates that the compensating controls prevent few defects (or even no defects – YIKES!), it may be time to reconfigure the compensating controls, or even consider alternate solutions entirely. Conversely, if the compensating controls prevent most defects (or even all defects – YAY!), it becomes clear that the cost of those compensating controls is entirely justified.
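The two re-test steps above (replaying known exploits with the whitelist removed and adjusting severity and difficulty-of-exploit ratings) and the control-effectiveness question in this section can be written down as a small, repeatable model. The following is an added example and is not White Oak tooling or code from the original post: the five-level severity scale, four-level difficulty scale, the three replay outcomes (`blocked`, `hindered`, `missed`) and the one-level adjustment rule are assumptions made here for illustration, and the sample findings are constructed.

```python
"""
Constructed model of the STEM re-test step (added example, not White Oak's
own tooling).  Every finding carries the ratings assigned during the
whitelisted phases.  The non-whitelisted replay then records, per compensating
control, one of three assumed outcomes:

  blocked  - the control prevented the attack          -> severity down one level
  hindered - the control made exploitation harder      -> difficulty up one level
  missed   - the control did nothing                   -> ratings unchanged

From the same data the model reports each control's effectiveness as the share
of known defects it blocked, which is the "how many defects did the controls
actually stop" question the ROI discussion raises.
"""
from dataclasses import dataclass, field

# Assumed rating scales (ordered from least to most severe / most to least easy).
SEVERITY_LEVELS = ["Informational", "Low", "Medium", "High", "Critical"]
DIFFICULTY_LEVELS = ["Trivial", "Easy", "Moderate", "Hard"]
REPLAY_OUTCOMES = {"blocked", "hindered", "missed"}


@dataclass
class Finding:
    ident: str
    title: str
    severity: str                 # rating from the whitelisted phases
    difficulty: str               # difficulty-of-exploit rating from the whitelisted phases
    replay: dict = field(default_factory=dict)  # control name -> replay outcome


def _step(levels, current, delta):
    """Move one position along a rating scale, clamped to the scale's ends."""
    idx = levels.index(current)
    return levels[max(0, min(len(levels) - 1, idx + delta))]


def adjust_finding(f):
    """Return (adjusted_severity, adjusted_difficulty) for one finding.

    A single blocking control is enough to lower severity, because a real-world
    attacker from the non-whitelisted perspective never gets the exploit to land.
    """
    outcomes = set(f.replay.values())
    unknown = outcomes - REPLAY_OUTCOMES
    if unknown:
        raise ValueError(f"{f.ident}: unknown replay outcome(s) {sorted(unknown)}")
    severity, difficulty = f.severity, f.difficulty
    if "blocked" in outcomes:
        severity = _step(SEVERITY_LEVELS, severity, -1)
    elif "hindered" in outcomes:
        difficulty = _step(DIFFICULTY_LEVELS, difficulty, +1)
    return severity, difficulty


def control_effectiveness(findings):
    """Per control: fraction of the known defects it was replayed against that it blocked."""
    totals, blocked = {}, {}
    for f in findings:
        for control, outcome in f.replay.items():
            totals[control] = totals.get(control, 0) + 1
            if outcome == "blocked":
                blocked[control] = blocked.get(control, 0) + 1
    return {c: blocked.get(c, 0) / totals[c] for c in totals}


def stem_report(findings):
    """Rows of (id, original severity, adjusted severity, original difficulty, adjusted difficulty)."""
    return [(f.ident, f.severity, *adjust_finding(f)[:1], f.difficulty, adjust_finding(f)[1])
            for f in findings]


# Constructed sample findings and replay results (not real assessment data).
SAMPLE_FINDINGS = [
    Finding("F-1", "Reflected XSS in search parameter", "High", "Easy",
            {"WAF": "blocked", "IPS": "missed"}),
    Finding("F-2", "SQL injection in login form", "Critical", "Moderate",
            {"WAF": "hindered", "IPS": "missed"}),
    Finding("F-3", "Unpatched SMB service (EternalBlue)", "Critical", "Easy",
            {"IPS": "blocked"}),
    Finding("F-4", "Verbose error messages", "Low", "Trivial",
            {"WAF": "missed", "IPS": "missed"}),
]

if __name__ == "__main__":
    for row in stem_report(SAMPLE_FINDINGS):
        print("%-4s severity %-8s -> %-8s  difficulty %-8s -> %s" % row)
    for control, share in control_effectiveness(SAMPLE_FINDINGS).items():
        print(f"{control}: blocked {share:.0%} of known defects")
```

Running it on the constructed data prints F-1 dropping from High to Medium and F-3 from Critical to High (both blocked), F-2 keeping its severity but moving from Moderate to Hard difficulty (hindered), and F-4 unchanged; the WAF blocked one of the three defects it saw and the IPS one of four. A low share across the board is exactly the "reconfigure or reconsider" signal this section describes, while a high share documents the justification for the spend.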


Ultimately, the Systemic Threat Evaluation Methodology (STEM) is not rocket science, but rather a simple and efficient methodology extension that adds a whole lot of additional value.  Your organization can implement STEM internally, or can leverage third-party vendors such as White Oak Security to help implement STEM throughout your organization’s penetration testing universe.

Cue Dramatic Narrator: The time has come. Go forth and unleash your inner STEM. Add value to the security assessment process and gain a crystal-clear vision into the true security posture of your organization.

Dramatic Narrator: For real. This blog post is now over. Thank you for your time.