Skip to main content

Systematic Threat Evaluation Methodology – S.T.E.M.

I LOVE security testing.

There, I said it. 

Penetration Testing, Red Teaming, Threat Emulation… I LOVE it all. Looking at a system, learning about the individual components, understanding how they were intended to work together, and pushing those preconceived limits… it energizes me.

When I first started in this industry, asking clients (whether internal or external) to whitelist (now we call it an Allow List) source IP addresses for testing was a common practice. It remains so to this day.

 Recently, something about this process was bugging me…

White Oak Security created a meme from pawnstars, featuring Paulie & Senior fighting about a the Allow List (whitelist) method.

Paulie (the young dude in the baseball cap) is indeed correct.

But so is Senior (the old dude with the killer stache).

Queue Dramatic Narrator: The limited perspective of most security assessment fails to consider multiple layers of functional security controls, and can create a false sense of urgency.

Most organizations, including our clients, spend tens (if not hundreds) of thousands of dollars on their defense-in-depth strategy. This may include next-gen, machine-learning, heuristic, buzzword, buzzword, buzzword versions of:

  • Web Application Firewalls (WAF)
  • Intrusion Prevention Systems (IPS)
  • Runtime Application Self-Protection (RASP)
  • Interactive Application Security Testing (IAST)

You get the idea… These tools are an integral part of the organization’s security posture, and excluding them from security testing (via the Allow List) fails to tell the whole story.

So, how can you properly evaluate the security posture of an organization, taking into account the organization’s compensating controls?

Systemic Threat Evaluation Methodology

Allow me to introduce you to White Oak Security’s Systemic Threat Evaluation Methodology (a.k.a. S.T.E.M.)!

White Oak Security's STEM Methodology, our systematic threat evaluation method which is our unique way of penetration testing. This in-depth infographic goes into our 3 phases of engagement process, what it entails, and how we're different from vulnerability scanners & assessments.
our S.T.E.M. penetration testing process

Penetration Testing Process

For those of you who have participated in a penetration test, you will surely notice some familiar phases: 

  • Planning
  • Reconnaissance
  • Vulnerability Analysis
  • Exploitation
  • Post Exploitation
  • Reporting

These phases still align with popular methodologies like the Penetration Testing Execution Standard (PTES) and OWASP Testing Guide. However, keen-eyed observers will also notice that cute light blue locked lock with an x on it called “Remove From Allow List”.

cute little light blue locked lock with an X on it, White Oak Security's icon for STEM phase of being removed from the allow list.

So, how does that cute little locked lock help White Oak Security add value to the penetration testing process? 

Pentesting With & Without Allow List Access

The initial phases of the security assessment are performed from the Allow List (whitelisted) perspective. These Allow List phases offer several important benefits:

  • Less likely to miss True Positives
  • More accurate snapshot of the defects within the root systems / apps
  • More efficient

At this point, White Oak Security has gained a detailed understanding of the security defects impacting the root systems / apps. Now, let’s add some additional value. 

By removing the Allow List access, White Oak Security reverts to the unprivileged perspective of standard attackers. Our expert pentesters can now leverage the list of known security defects and repeat the Exploitation phase without the Allow List access. Armed with the list of known security defects, we can now evaluate the effectiveness of security controls with unparalleled precision.

Queue Dramatic Narrator: Will the WAF prevent this darn Cross-Site Scripting (XSS) vulnerability? Will the IPS protect our system from that notorious EternalBlue exploit?

In general, the additional test phases do not add a significant amount of time to the initial engagement scope. In most cases, White Oak Security already has working exploit code (or proof-of-concepts) that simply need to be replayed without the Allow List access or perspective. In some cases, the regular (without Allow List access) attack is initially blocked, but White Oak Security is able to leverage advanced exploitation techniques in order to bypass compensating controls. 

Those controls can often be circumvented! says the White Oak Security meme of Senior from Pawnshop.
Let’s prove Senior right!

If the compensating controls prevent the attack, White Oak Security can then adjust the severity rating to provide a more accurate representation of the real-world impact on the organization.

Vulnerability Analysis

Now let’s take this concept a step further and repeat the Vulnerability Analysis phase, again focusing on the known security defects. If the compensating controls make vulnerability identification more difficult or make the attack more difficult to exploit, White Oak Security can then adjust the difficulty of exploit rating accordingly. Again, this provides a more accurate representation of the real-world impact to the organization.

So that’s pretty cool, but are there any intrinsic benefits that we haven’t considered yet?

Queue Dramatic Narrator: You bet your sweet bippy there are!

Alternate Mitigation Options

If a particular exploit was not protected by the compensating controls, it is often easier to implement a rule within the IPS/WAF/whatever to block the exploit than it is to fix the root cause of the defect. This may decrease the risk rating to an acceptable level for the organization, or may at least buy some additional time until the root cause can be addressed.

Security Tools ROI

Determining the true ROI of security is inherently difficult. Some might even say it’s downright impossible. However, if the STEM methodology indicates that the compensating controls prevent few defects (or even no defects – YIKES!), it may be time to reconfigure the compensating controls, or even consider alternate solutions entirely. Conversely, if the compensating controls prevent most defects (or even all defects – YAY!), it becomes clear that the cost of those compensating controls is entirely justified.

Senior and Paulie from Pawnstars are hugging in this image - making up from the White Oak Security meme.

Systemic Threat Evaluation Methodology Conclusion

Ultimately, the Systemic Threat Evaluation Methodology (S.T.E.M.) is not rocket science, but rather a simple and efficient methodology extension that adds a whole lot of additional value. Your organization can implement STEM internally or can leverage third-party vendors such as White Oak Security to help implement STEM throughout your organization’s penetration testing universe.

Queue Dramatic Narrator: The time has come. Go forth and get unleash your inner STEM. Add value to the security assessment process and gain a crystal-clear vision into the true security posture of your organization.

White Oak Security's Dramatic Narrator: For real. This blog post is now over. Thank you for your time. Paulie & Senior hug and look into the future with sunglasses on in a stoic position.
Dramatic Narrator: For real. This blog post is now over. Thank you for your time.


White Oak Security is a highly skilled and knowledgeable cyber security and penetration testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion. 

Read more from White Oak Security’s pentesting team