What is Penetration Testing?
Penetration testing, sometimes referred to as pen testing or ethical hacking, is the simulation of a real-world cyber attack in order to test an organization’s cybersecurity capabilities and expose vulnerabilities. While some might consider a pen test to be just a vulnerability scan meant to check the box on a compliance requirement, the exercise should actually be much more.
The purpose of pen testing is not just to test your environment’s vulnerabilities, but to test your people and processes against likely threats to your organization as well. Knowing which adversaries are more likely to target you allows a penetration tester to mimic the specific tactics, techniques, and procedures (TTPs) of those specific adversaries – giving an organization a much more realistic idea of how a breach might occur.
Penetration Testing Steps
In most cases a penetration test will follow the steps laid out in the MITRE ATT&CK framework. If you’re not familiar with the MITRE framework, it is a knowledge base of known adversarial tactics, techniques, and procedures that occur along the various phases of a breach’s life cycle.
Following this framework offers pen testers a way to build a model of a specific adversary’s behavior, allowing them to mimic that adversary’s attack more accurately during the test. Currently, there are twelve tactics in the MITRE ATT&CK Enterprise matrix:
- Initial access refers to the vectors attackers exploit to get into an environment
- Execution refers to the techniques used to run the adversary’s code after gaining access to the environment
- Persistence refers to actions that allow attackers to maintain their presence in a network
- Privilege escalation refers to the actions an adversary takes to gain higher levels of access to a system
- Defense evasion refers to techniques adversaries use to go unnoticed by a system’s defenses
- Credential access refers to techniques used to obtain credentials from users or administrators
- Discovery refers to the learning process through which adversaries better understand the system and the access they currently possess
- Lateral movement refers to techniques adversaries use to access and control remote systems
- Collection refers to the tactics attackers use to gather the data they are targeting
- Command and control refers to tactics used to establish communication between compromised systems and infrastructure the attacker controls
- Exfiltration refers to the actions adversaries take to remove sensitive data from the system
- Impact refers to tactics meant to disrupt a business’s operations
It’s important to note that which of the above tactics appear in a pen test depends on the tactics of the adversary being mimicked.
Generally speaking, though, carrying out a penetration test typically involves the following stages: planning, reconnaissance, gaining and maintaining access, analysis, and remediation.
Types of Penetration Testing
When considering a pen test, it’s important to remember that there is no one-size-fits-all test. Environments, industry risks, and adversaries differ from one organization to the next. Furthermore, there isn’t just one type of pen test that will serve all the needs of an organization.
There are several types of pen tests that are designed to meet the specific goals and threat profile of an organization. Below are some of the most common types of pen tests.
1. Internal Pen Testing
Assesses your organization’s internal systems to determine how an attacker could move laterally throughout your network. The test includes system identification, enumeration, vulnerability discovery, exploitation, privilege escalation, lateral movement, and objectives.
2. External Pen Testing
Assesses your Internet-facing systems to determine whether there are exploitable vulnerabilities that expose data or grant unauthorized access to the outside world. The test includes system identification, enumeration, vulnerability discovery, and exploitation.
3. Web Application Pen Test
Evaluates your web application using a three-phase process: First is reconnaissance, where the team discovers information such as the operating system, services and resources in use. Second is the discovery phase, where the team attempts to identify vulnerabilities. Third is the exploitation phase, where the team leverages the discovered vulnerabilities to gain unauthorized access to sensitive data.
4. Insider Threat Pen Test
Identifies the risks and vulnerabilities that can expose your sensitive internal resources and assets to those without authorization. The team assesses weaknesses such as deauthentication attacks, misconfigurations, session reuse, and unauthorized wireless devices.
5. Wireless Pen Testing
Identifies the risks and vulnerabilities associated with your wireless network. The team assesses weaknesses such as deauthentication attacks, misconfigurations, session reuse, and unauthorized wireless devices.
6. Physical Pen Testing
Identifies the risks and vulnerabilities in your physical security that could be used to gain access to a corporate computer system. The team assesses weaknesses such as social engineering, tailgating, badge cloning, and other physical security objectives.
When Should You Conduct a Penetration Test?
The most important time to conduct a pen test is before a breach occurs. Many organizations don’t make the effort until after they’ve been successfully attacked, when they’ve already lost data, intellectual property, and reputation. If you have experienced a breach, however, a post-breach remediation pen test should be conducted to ensure the mitigations are effective.
Best practices suggest conducting a pen test either while the system is in development or once it is installed, and again right before it’s put into production. The danger of running a pen test too late is that updates to the code are more costly and code change windows are usually smaller.
Pen tests are not a one-and-done proposition. They should be conducted whenever changes are made and at least annually. Factors including company size, infrastructure, budget, regulatory requirements, and emerging threats will determine the appropriate frequency.
How often should you perform a pen test?
Businesses are advised to carry out an extensive penetration test at least once a year. This not only allows for regular security upgrades and patches to be rolled out but also supports compliance with data security standards, for example PCI DSS (Payment Card Industry Data Security Standard).
However, testing twice a year or even quarterly can highlight potential security risks more frequently, and before they are compromised, giving you a more comprehensive overview of your security status.
Penetration testing is designed to highlight specific vulnerabilities in a system or network. So, ideally, pen testing should be conducted on any new additions to the network infrastructure or whenever there has been a significant overhaul to key applications. This is when an environment is at its most vulnerable and weaknesses are most likely to be exposed.
Who Performs Pen Tests?
Many independent cybersecurity experts and businesses provide penetration tests as a service. And while pen testing can be carried out in-house, external ‘ethical hackers’ can offer greater insight, as they have no prior knowledge of the system.
However, the nature of the business lends itself to complications. Legal considerations surrounding any ‘hacking’ activity mean that the entire process of pen testing needs to be handled with care. Until now, penetration testing under US law has been mostly unmonitored. However, state and federal statutes are in place to ensure it is conducted ethically and in compliance with the law.
Under US legislation, companies have to sign a consent form outlining the exact scope and depth of what is being tested. Without it, the activity falls under the umbrella of unauthorized hacking, and testers can face different penalties depending on the state, as some states still consider it a form of hacking.
Make sure any pen testing activity meets legal requirements and all legal documents are completed accurately and in full. It’s also important to perform background checks on ethical hackers to review their credentials. For example, CREST and NCSC accreditations are recognized industry certifications given to credible penetration testing firms.
What should you do after a pen test?
Penetration testing is about growing and developing your long-term security strategy, based on patching real-world, tested vulnerabilities.
Acting on the results of pen tests quickly is crucial for avoiding the downtime and disruption associated with cybersecurity breaches, as well as the hefty fines dealt to those who fall foul of data protection regulations.
After your penetration test, you should:
- Review the final report and discuss the findings with both the external pen testing team and your in-house cybersecurity team
- Develop a comprehensive cybersecurity strategy and remediation plan to act on the findings
- Use repeat tests and vulnerability scans to track the success and progress of your patches and upgrades over the long term
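Tracking remediation across repeat tests, as recommended above, is easier when findings are recorded in a structured form and tagged with the ATT&CK tactic they map to. The following is an added example, not code from the original article: it compares a constructed initial report against a constructed retest report, classifies each finding as remediated, persisting or new, and summarizes what remains open by tactic and severity. The `Finding` record, the `F-00x` identifiers and the finding titles are all constructed for illustration, and the comparison assumes the retest report reuses the finding IDs from the original report.

```python
"""Track pen-test findings across a retest, grouped by MITRE ATT&CK tactic.

Added example, not from the original article. Records, identifiers and
titles below are constructed; the tactic names are the twelve from the
ATT&CK Enterprise matrix as listed in the article.
"""
from collections import Counter
from dataclasses import dataclass

# Higher number = more urgent; used to order the open findings.
SEVERITY_ORDER = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    finding_id: str  # constructed report identifier, e.g. "F-003"
    tactic: str      # ATT&CK tactic the finding maps to
    severity: str    # one of the keys of SEVERITY_ORDER
    title: str       # short description from the report


# Constructed initial report (hypothetical findings).
PREVIOUS_REPORT = [
    Finding("F-001", "initial access", "high", "VPN portal without multi-factor authentication"),
    Finding("F-002", "credential access", "critical", "Cleartext credentials on a shared drive"),
    Finding("F-003", "lateral movement", "high", "SMB signing not required on file servers"),
    Finding("F-004", "privilege escalation", "medium", "Service binary writable by standard users"),
]

# Constructed retest report: F-001 and F-002 fixed, F-003/F-004 still open, F-005 new.
CURRENT_REPORT = [
    Finding("F-003", "lateral movement", "high", "SMB signing not required on file servers"),
    Finding("F-004", "privilege escalation", "medium", "Service binary writable by standard users"),
    Finding("F-005", "persistence", "medium", "Stale scheduled task running as SYSTEM"),
]


def compare_reports(previous, current):
    """Split findings into remediated, persisting and new, matched by finding ID.

    Assumes the retest report reuses the IDs of the original report.
    Each list is sorted by ID so the result is deterministic.
    """
    prev = {f.finding_id: f for f in previous}
    curr = {f.finding_id: f for f in current}
    return {
        "remediated": [prev[i] for i in sorted(prev.keys() - curr.keys())],
        "persisting": [curr[i] for i in sorted(prev.keys() & curr.keys())],
        "new": [curr[i] for i in sorted(curr.keys() - prev.keys())],
    }


def remediation_rate(previous, current):
    """Fraction of the original findings that no longer appear on retest."""
    if not previous:
        return 1.0
    return len(compare_reports(previous, current)["remediated"]) / len(previous)


def open_by_tactic(current):
    """Count the findings still open on retest per ATT&CK tactic."""
    return Counter(f.tactic for f in current)


def prioritize(current):
    """Order open findings most severe first, ties broken by finding ID."""
    return sorted(current, key=lambda f: (-SEVERITY_ORDER[f.severity], f.finding_id))


if __name__ == "__main__":
    result = compare_reports(PREVIOUS_REPORT, CURRENT_REPORT)
    for status, findings in result.items():
        print(f"{status}: {[f.finding_id for f in findings]}")
    print(f"remediation rate: {remediation_rate(PREVIOUS_REPORT, CURRENT_REPORT):.0%}")
    print("open by tactic:", dict(open_by_tactic(CURRENT_REPORT)))
    for f in prioritize(CURRENT_REPORT):
        print(f"  [{f.severity}] {f.finding_id} ({f.tactic}): {f.title}")
```

Feeding the same structure with each year's report (or each vulnerability scan) gives a remediation trend over time, and the per-tactic counts show where in the attack chain the environment is still weakest.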
Pen tests are comprehensive by design. They provide detailed insights into the scope and severity of any potential weakness in your environment. So, there will always be plenty of actionable findings to help you bolster your security.
What is teaming?
Teaming is a penetration testing methodology that businesses use to organize and improve their cybersecurity credentials. Participants are split into two teams – red and blue – with one team actively looking for and testing vulnerabilities, while the other team attempts to patch these risks and avoid being compromised.
It’s less about exposing as many vulnerabilities as possible, and more about gauging the effectiveness of responses to threats and weaknesses. The lessons from teaming exercises are designed to improve a business’s ability to protect itself quickly and effectively in the risky modern cyberspace.
Teaming exercises may include three types of teams:
- Red teams – usually externally based, red teams examine the effectiveness of an organization’s existing security infrastructure. Red teams conduct tests similar to a penetration test but targeting isolated issues, rather than the whole environment at once.
- Blue teams – are the business’s in-house security team. Those employed to bolster security in a company are tested and alerted by the red team to ensure rapid, high-quality responses to sudden threats.
- Purple teams – are formed when red and blue teams work together to form a cohesive unit. A purple team aims to improve cybersecurity responses by providing greater information and feedback on potential threats. Purple teams are also useful for reviewing and evaluating learnings from the exercise.