What is Penetration Testing?
Penetration testing, or pen testing, is the simulation of real-world attacks by authorized security professionals in order to test an organization’s detection and response capabilities. While some might consider pen tests as just a vulnerability scan meant to check the box on a compliance requirement, the exercise should actually be much more.
The purpose of pen testing is not just to test your environment’s vulnerabilities, but to test your people and processes against likely threats to your organization as well. To do this properly, threat intelligence must be baked into every pen test. By incorporating threat intelligence, an organization can better understand which adversaries are likely to target them and the assets they would pursue.
Knowing which adversaries are more likely to target you allows pen testers to mimic the specific tactics, techniques, and procedures (TTPs) of those specific adversaries – giving an organization a much more realistic idea of how a breach might occur.
Benefits of Pen Testing
1. Battle Test Your Playbook
No matter how sound your incident response playbook is, it’s not much use if it’s never actually been tested in combat. By far, the number one benefit of pen testing is that it gives your team the invaluable training of going head-to-head with an adversary – without the damaging consequences of losing.
When it comes to training, pen testers should look to firefighters as their role models. When firefighters train – and they train often – they gain the most valuable experience from live-fire exercises. A live-fire exercise allows firefighters to observe and fight an actual, uncontrolled fire. This type of exercise offers firefighters a much more realistic experience that they wouldn’t get with a controlled propane fire environment.
The idea behind penetration testing is quite similar. Pen tests give security professionals unparalleled insight into how a real cyberattack occurs, and what it takes to detect and stop one. The more reps a pen tester gets defending against real adversary TTPs, the more prepared and confident they’ll be when the real thing comes around.
Let’s put things in perspective: If your house was on fire, who would you want responding to your emergency?
Option 1: A firefighter who trains in controlled environments
Option 2: A firefighter who trains in live-fire scenarios
The answer is a no-brainer.
2. Budget Prioritization
A pen test helps an organization focus its security dollars where they are needed most, saving money over the long run by preventing wasteful expenditures over the broader security landscape.
3. Visibility into Security Gaps
When outside consultants are involved, the organization gains an objective perspective that exposes blind spots that could be missed by internal IT teams due to a lack of expertise or unfamiliarity with the latest threats. Outside consultants also transfer knowledge to internal teams, improving their skills and increasing their ability to respond to threats independently once the engagement is over.
4. Tool Efficacy
Organizations that have invested heavily in leading security brands may believe their environments are nearly invulnerable, but this assumption is misguided unless they’ve tested their systems against an attack. A pen test helps the IT team understand which investments are working and which need to be tuned or replaced.
Types of Pen Testing
When considering a pen test, it’s important to remember that there is not a one-size-fits-all test. Environments, industry risks, and adversaries are different from one organization to the next. Furthermore, there isn’t just one type of pen test that will serve all the needs of an organization.
There are several types of pen tests that are designed to meet the specific goals and threat profile of an organization. Below are some of the most common types of pen tests.
1. Internal Network Testing
Assesses your organization’s internal systems to determine how an attacker could move laterally throughout your network: The test includes system identification, enumeration, vulnerability discovery, exploitation, privilege escalation, lateral movement, and objectives.
2. External Network Testing
Assesses your Internet-facing systems to determine if there are exploitable vulnerabilities that expose data or allow unauthorized access from the outside world: The test includes system identification, enumeration, vulnerability discovery, and exploitation.
3. Web Application Test
Evaluates your web application using a three-phase process: First is reconnaissance, where the team discovers information such as the operating system, services and resources in use. Second is the discovery phase, where the team attempts to identify vulnerabilities. Third is the exploitation phase, where the team leverages the discovered vulnerabilities to gain unauthorized access to sensitive data.
4. Insider Threat Test
Identifies the risks and vulnerabilities that can expose your sensitive internal resources and assets to those without authorization: The team assesses areas of escalation and bypass to identify vulnerabilities and configuration weaknesses in permissions, services, and network configurations.
5. Wireless Testing
Identifies the risks and vulnerabilities associated with your wireless network: The team assesses weaknesses such as deauth attacks, misconfigurations, session reuse, and unauthorized wireless devices.
6. Physical Testing
Identifies the risks and vulnerabilities to your physical security in an effort to gain access to a corporate computer system: The team assesses weaknesses such as social engineering, tailgating, badge cloning and other physical security objectives.
Going Beyond Pentesting
While pentesting has its place in endpoint protection, we recommend that organizations also conduct red team exercises to test their ability to detect and respond to malicious activities. Red team exercises help to identify gaps in each phase of an attack that a penetration test might not catch.
Below are two primary Red Team offerings that every organization should consider in addition to a pen test:
1. Adversary Emulation Test
Adversary emulation is designed to gauge the readiness of an organization to defend against an advanced adversary attack. Lasting about four to five weeks, an adversary emulation test will help an organization answer three key questions:
- How would a targeted attack on your environment manifest?
- What could a targeted attacker do with access to your environment?
- How effective is your current security posture at preventing, detecting, and responding to a targeted attack?
2. Red Team Blue Team Test
A red team blue team exercise incorporates adversary emulation, but adds a hands-on training component. Along with the red team consultants, who design and conduct the attack, there are also blue team consultants onsite, who work with the client to tune their existing defense mechanisms to better protect against the malicious activity. A red team blue team exercise typically lasts a week.
Penetration Testing Steps
In most cases a penetration test will follow the steps laid out in the MITRE ATT&CK framework. If you’re not familiar with the MITRE framework, it is a knowledge base of known adversarial tactics, techniques, and procedures that occur along various phases of a breach’s life cycle.
Following this framework offers a way for pen testers to create a model for a specific adversary’s behavior, thereby allowing them to more accurately mimic the attack during the test. Currently, there are twelve tactics along the MITRE Enterprise matrix:
- Initial access tactic refers to the vectors hackers exploit to access an environment
- Execution refers to the techniques used to execute the adversary’s code after gaining access to the environment
- Persistence tactics are actions that allow attackers to maintain presence in a network
- Privilege escalation refers to the actions taken by an adversary to gain higher access into a system
- Defense evasion tactics are techniques used by adversaries that allow them to go unnoticed by a system’s defenses
- Credential access refers to techniques used to obtain credentials from users or admins
- Discovery refers to the learning process through which adversaries better understand the system and the access they currently possess
- Lateral movement is used by adversaries to obtain remote system access and control
- Collection tactics are those that are used by attackers for gathering targeted data
- Command and control refers to tactics used to establish communication between the compromised network and the controlled system
- Exfiltration refers to the actions adversaries take to remove sensitive data from the system
- Impact tactics are those that are meant to affect a business’s operations
It’s important to note that the above tactics used in a pen test are dependent on the tactics of the adversary being mimicked.
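One way to turn the tactic list above into a measurement, as an added example (not CrowdStrike's tooling): the script tallies, per tactic, how many logged test actions the defenders detected, and flags tactics the emulated adversary uses that the test never exercised. The scope set, log entries, field names and status labels are constructed for illustration.

```python
from collections import Counter
# The twelve Enterprise tactics, in the order the page lists them.
TACTICS = [
    "initial access", "execution", "persistence", "privilege escalation",
    "defense evasion", "credential access", "discovery", "lateral movement",
    "collection", "command and control", "exfiltration", "impact",
]

def coverage_report(in_scope, actions):
    """Return (tactic, status, detected, total) rows for tactics in scope or exercised."""
    unknown = (set(in_scope) | {a["tactic"] for a in actions}) - set(TACTICS)
    if unknown:
        raise ValueError(f"unknown tactic(s): {sorted(unknown)}")
    total = Counter(a["tactic"] for a in actions)
    seen = Counter(a["tactic"] for a in actions if a["detected"])
    report = []
    for tactic in TACTICS:
        if tactic not in in_scope and tactic not in total:
            continue  # the adversary does not use it and the testers did not try it
        if total[tactic] == 0:
            status = "not exercised"  # in scope, but the test never covered it
        elif seen[tactic] == 0:
            status = "blind"          # exercised, nothing detected
        elif seen[tactic] < total[tactic]:
            status = "partial"
        else:
            status = "covered"
        report.append((tactic, status, seen[tactic], total[tactic]))
    return report

def gaps(report):
    return [tactic for tactic, status, _, _ in report if status != "covered"]

# Constructed sample: tactics attributed to the emulated adversary, and the test log.
SCOPE = {"initial access", "execution", "credential access", "lateral movement", "exfiltration"}
LOG = [
    {"tactic": "initial access", "action": "phishing email opened", "detected": True},
    {"tactic": "execution", "action": "script run on workstation", "detected": True},
    {"tactic": "execution", "action": "scheduled job run on server", "detected": False},
    {"tactic": "credential access", "action": "service account password recovered", "detected": False},
    {"tactic": "lateral movement", "action": "remote login to file server", "detected": False},
    {"tactic": "discovery", "action": "share enumeration", "detected": True},
]

if __name__ == "__main__":
    report = coverage_report(SCOPE, LOG)
    for tactic, status, hit, n in report:
        print(f"{tactic:22} {status:14} {hit}/{n} detected")
    print("follow up:", gaps(report))
```

A "not exercised" row means the engagement did not mimic a tactic the threat intelligence attributes to the adversary, which is a gap in the test rather than in the defenses.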
When to Perform a Penetration Test
The most important time to conduct a pen test is before a breach occurs. Many organizations don’t make the effort until after they’ve been successfully attacked — when they’ve already lost data, intellectual property and reputation. However, if you have experienced a breach, a post-breach remediation pen test should be conducted to ensure mitigations are effective.
Best practices suggest conducting a pen test while the system is in development or installed, and right before it’s put into production. The dangers of running a pen test too late are that updates to the code are most costly and code change windows are usually smaller.
Pen tests are not a one-and-done proposition. They should be conducted whenever changes are made and/or at least annually. Factors including company size, infrastructure, budget, regulatory requirements, and emerging threats will determine the appropriate frequency.
In order to help organizations be prepared to identify, respond, and mitigate a targeted attack, the CrowdStrike Services team used their decades of experience to put together a 17-Point Targeted Attack Checklist.
Pen Tests Provide Insight Into Your Security Maturity
Learning how an adversary can actually move through an organization’s environment gives the security team the actionable information necessary to take a proactive stance against future attacks. From a strategic perspective, pen testing is necessary to ensure a security program will be effective in the event of an attack.
At a more immediate level, pen testing is an effective way to assess the maturity of your security posture at a particular point in time.