What is Penetration Testing?
Penetration testing, or pen testing, is the process of simulating cyber-attacks against computer networks and applications to expose security vulnerabilities. It is a technical assurance exercise that has become an integral part of organizations’ cybersecurity programs, applying to both physical and virtual infrastructure.
What Is Involved In Penetration Testing?
Penetration testing usually involves a combination of manual and automated techniques to identify possible entry points that can be compromised on network devices, servers, web applications, API’s, mobile applications, wireless networks and more. Once an initial foothold is gained, the penetration tester is provided with an opportunity to launch further attacks against additional internal or external resources. The aim is to get a point-in-time snapshot of the overall security exposure then demonstrate the depth an adversary can reach by laterally compromising other assets and escalating privileges to resources of higher security requirements. Deeper levels of compromise can help an organization understand the risks they face and what the impact of a breach can look like.
During the penetration test, deep visibility is gained in to the organization’s security posture, exploitable vulnerabilities are identified and recommendations are made on how best to fix those weakness. The results of the penetration test are aggregated into an easy to digest format so that leadership is provided with a prioritized list of vulnerabilities to make strategic decisions, enabling IT professionals and developers to make tactical fixes to remediate weaknesses or misconfigurations. Once remediation efforts have taken place, penetration testers will often retest the original findings and validate that they have been adequately fixed or sufficiently mitigated with compensating security controls. By following these steps, organizations receive a level of assurance that the overall security posture is more resilient against cyber-attacks.
Benefits of Pen Testing
Manage risk– Getting an external or internal penetration rest conducted on a regular basis allows you, as an organization to manage your risks. A penetration test identifies vulnerabilities in your environment and allows you to remediate them. Penetration tests are a very proactive approach to cyber security. Rather than just sitting back and hoping for the best, a penetration test allows you to protect yourself against the risk before it happens.
Protects clients, partners and third parties– Think about all the stakeholders within your organization, it could be your clients and their personal data, your business partners or even third parties. Penetration testing allows you to not only minimise the risk to your own business, but also to those who have some sort of involvement. Another great benefit of penetration testing is that it shows your clients that you take cyber security seriously, and it builds trust and a good reputation, that you’re doing everything you can to mitigate the risks of a cyber breach.
Allows you to understand the environment– Penetration testing has huge benefits when it comes to having a better understanding of the cyber security environment. A penetration test allows you to understand what is going on in the environment around you, and it helps you to understand the types of cyber-attacks that your organization may face. If your organization can understand the types of risks, and the fact that it’s not if it will happen, but when, then you will be much more successful in protecting yourself.
Identifies weaknesses you didn’t know where there– Penetration testing looks for the backdoors into your network. A cyber-attack won’t always be obvious to you, it looks for weaknesses and ways in that you won’t be able to spot. Penetration testing identifies these hidden weaknesses so you can patch them up.
When should a company conduct penetration testing?
There are many factors to consider for when to carry out pen testing for your business, especially when it comes to deciding how often they should be done. There are several factors that need to be considered when booking your next penetration test:
Changes in the environment– Cyber security is an ever-evolving world. It’s constantly changing and adapting, and cyber criminals are finding new ways to enter your networks and data each and every day. This is why you should consider booking a penetration test whenever there has been a major change in the environment. This could be after your organization has suffered a breach, or if a new threat actor threatens your business with an attack.
Organization structure changes– Over time your organization will grow and change, and with that comes new people, processes and technology. Here at LRQA Nettitude we believe you should be testing your business on a regular basis to make sure the latest technology is up to scratch, and that your employees have been educated to the highest standards to avoid a cyber security breach through social engineering approaches.
Compliance requirements – Sometimes you need a penetration test as part of a requirement. For example to become PCI DSS accredited, as part of requirement 11, you must make sure that “system components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment”. This requirement states that a penetration test should be carried out on an annual basis, however, as stated above we’d also recommend organizing a test to be carried out if any major changes have taken place.
Penetration testing strategies
LRQA Nettitude’s penetration testing often reveals surprises for clients by demonstrating how easy it is to gain remote access to protected networks, operating systems, applications and sensitive information. The culture of security within organizations is shifting as they are starting to take a more serious approach to cybersecurity and protecting their data. The introduction of GDPR in 2018 has also meant strict penalties for those who suffer a breach, and fail to report it to the authorities. LRQA Nettitude has helped organizations improve their cybersecurity posture through the following penetration testing strategies, techniques and methodologies:
Internal Penetration Testing
An internal penetration test takes the context of your business into consideration to highlight key weaknesses and misconfigurations which present a risk to the resources you are trying to protect. Assess your organizations internal security controls to determine if an attacker is able to navigate through the internal network to access critical systems, escalate privileges and exfiltrate sensitive data. The penetration test involves starting from a device connected to the internal network to conduct passive and active network reconnaissance, enumeration, vulnerability mapping, exploitation, lateral movement, privilege escalation and acting on post-exploitation objectives. Wireless networks can pose a risk to internal network environments and can also be examined during an internal penetration test.
External Penetration Testing
External networks are typically public facing and observable to anyone that has an Internet connection. Most organizations have a variety of infrastructure exposed to the Internet which can include remote access services, cloud-based services, applications, API’s, authentication and authorization entry points, communication and collaboration services, and network devices. Assess your organizations external service exposure to determine if an attacker is able to exploit vulnerabilities that undermine existing security controls. The impact of a successful compromise can vary from sensitive data being exposed to gaining unauthorized access to protected systems or resources.
Targeted Penetration Testing
Targeted penetration testing is a real-time collaborative experience between the penetration tester and the organizations internal security group. The penetration tester will be actively seeking to compromise defined assets, while the internal security group monitors for attacks, choosing whether or not to react to detections. A direct line of communication is opened between the two parties, who work together to identify any weaknesses or misconfigurations in the security controls designed to protect the targeted resource. Targeted penetration testing allows organizations to focus on specific areas of concern and receive immediate feedback. This paints a clear picture of the current security posture and how to rapidly remediate areas of risk through a collaborative offensive and defensive scenario.
Blind/Black Box and Double-Blind Penetration Testing
Blind penetration testing (also referred to as black box) can help determine the depths can be reached by an attacker who only knows the name of the organizations being targeted. Organizations are able to assess their security resiliency against a simulated real-world attack. Organizations typically have well-defined entry points; however blind testing has the potential to uncover shadow IT networks; infrastructure or applications that have been forgotten about or removed from an organizations inventory. These side channels can be abused to gain unauthorized access into the organizations trusted environment or expose sensitive data.
Double Blind testing seeks to identify how effective internal security groups are when they have no prior knowledge that a penetration test is taking place. We often find that once internal groups know that a penetration test is happening, people tend to act unnaturally, which can sometimes lead to false sense of security. The purpose of this is to put the people, processes and technologies under a microscope to determine if an organizations security controls are functioning correctly, without needing to preemptively mobilize and harden defenses in anticipation of a breach.
White Box Penetration Testing
White box penetration testing is almost the opposite of blind/black box penetration testing. Penetration testers are given access to the source code and relevant design documentation which applies to the application being tested. Penetration testers are able to perform static testing using source code analyzers to identify vulnerabilities. They are then able to then compile the application and run it within a sandboxed environment, making use of dynamic testing using debuggers and common application testing tools. As a result, white box testing offers one of the highest levels of technical assurance.
Intelligence Led Red Teaming / Adversarial Simulation
Red teaming (also referred to as adversarial simulation) focuses on your organizations capability to detect and respond to a sophisticated threat actor targeting your organizations critical business functions. Adversarial simulation involves emulating the real-world tactics, techniques and procedures (TTPs) used by threat actors to determine the effectiveness and resiliency of the people, processes and technology used to secure your organization. This is a real-world simulated attack that looks for the less obvious entry points into your systems. Red teaming looks for the back doors within your business and carries out simulated scenarios to test whether your business can detect and defend against them. It includes physical security testing, social engineering, 3rd party relationships, hacking, malware insertion, pivoting and human manipulation.
Blue Teaming
Whilst blue teaming isn’t a type of penetration test, it’s important to understand its role within the context of purple teaming. The blue team are the defenders against the red team’s attack. Blue teams need to monitor network and application traffic access log data, SIEM data and threat intelligence data. The blue team needs to be able to ingest and analyze vast swathes of intelligence to detect the proverbial needle in the haystack. Take a look at our section on purple teaming to find out why you should conduct a blend of red and blue teaming exercises.
Purple Teaming
Purple teaming is a blend of our red and blue teaming tests. The red team goes on the offensive and looks for all the gaps and entries into your infrastructure and system. The blue team will spend the time during the test defending against the red team attacks. The blue team needs to be able to defend against all of the red team attacks, at all times. Through the sharing of intelligence data across the purple teaming process, it is possible to understand threat actors’ TTPs. By mimicking these TTPs through a series of red team scenarios, the blue team has the ability to configure, tune and improve its detection and response capabilities.
Penetration Testing Stages
The stages of a penetration test are structured in a way to optimize the work and are typically delineated into five different phases. These phases assist a consultant with structuring the work in a manner to ensure that certain types of work aren’t overlooked or missed during an assessment. Each phase attempts to further the access a consultant can gain during an assessment so that the full security of an asset can be fully understood and ultimately improved upon. These phases are typically demarcated as (1) reconnaissance, (2) vulnerability mapping, (3) exploitation, (4) post exploitation, and (5) reporting. There are other models which list these phases as seven different components and with some variation to the naming of each phase but it should be noted that the work is the same.
Prior to the start of any particular engagement, the consultant works with the client to understand their security goals. This discussion addresses the unique assets that the client retains and which type of security work can best be applied to meet those desired goals. This discussion may result in multiple types of engagements to address each security goal. For example, a client may desire to understand the effectiveness of their workforce security education program and resilience against social engineering which can be determined through a social engineering penetration test. They may also desire to learn how secure their web application is against cyber-attacks, which could be achieved through a web application penetration test. In each instance, these requirements and the desired work are appropriately documented and agreed upon by the client prior to the start of an engagement. This ensures that the client’s requirements and goals are recorded and accomplished per their unique needs. Following this pre-engagement work, the consultant is scheduled and goes about the penetration test using the five penetration testing steps.
1. Reconnaissance Phase
During the reconnaissance phase of a penetration test, a consultant works to gather information about the asset. This information gathering assists with understanding the system and all of its components. In the instance of an external infrastructure penetration test, this reconnaissance phase can concern learning about the provider or registration information, external services, potentially employees of the associated infrastructure, technologies in use, or other useful information. An example of this type of work can include domain name registration queries, reading job postings, looking for passwords in past database breaches, or using Google to find unintended information disclosures. Much, if not all of this work, is conducted using passive or indirect intelligence gathering methods; the assets are not interacted with directly. This information is compiled and then used in the later stages of the penetration test.
2. Vulnerability Mapping Phase
Next, within the vulnerability mapping phase of the engagement, a consultant directly interacts with the systems being assessed. This vulnerability mapping phase can comprise of using automated or manual tools to determine the composition of the system and any particular vulnerabilities. An example of this type of work could include using a port scanner to determine if a server has open services (e.g. FTP, HTTP/S, SSH, etc.) which can be used by the consultant. During this phase of the work, like it in the reconnaissance phase, findings are recorded and cataloged by the consultant for potential use in the exploitation phase of the engagement.
3. Exploitation Phase
During the exploitation phase, the consultant uses the information learned in the reconnaissance and vulnerability mapping phases of the engagement to attempt to gain active access to the system. For example, a consultant may use potential usernames and passwords learned through the reconnaissance phase to gain access to a SSH service learned about in the scanning phase of the engagement. Another example of this work may be using exploits for vulnerable software discovered during the reconnaissance and vulnerability mapping phases. The goal of the exploitation phase is to gain unauthorized access to the system through the exploitation of discovered vulnerabilities.
4. Post-Exploitation Phase
Should the exploitation of the systems under review be successful, then the engagement moves into the post-exploitation phase. This phase of the work seeks to understand the impact of such vulnerability or vulnerabilities being exploited. Understanding the impact through the work during this phase assists system owners with determining the criticality of such a system vulnerability being exploited. Examples of this work include accessing or exfiltrating sensitive data present within the exploited system, maintaining or gaining additional access to the system, or otherwise learning about the exploited system. During this phase of a penetration test, a consultant may attempt to laterally move to other vulnerable systems within a network should the activity be deemed in scope by the client. Lateral movement assist in showing the potential impact of an exploited vulnerability so that the risk can be determined.
5. Reporting Phase
Finally, within the reporting phase of the engagement, a consultant reports on each finding discovered during the engagement. These findings may include both positive and negative things about system security. Each vulnerability is listed with details, evidence, and suggested remediation. The reporting phase of the engagement is arguably the most important because it represents the vehicle to ultimately increase the security of the systems being tested within the engagement. Each of the previous phases within the engagement is used to feed this final phase.
Within the reporting phase, LRQA Nettitude generates two reports at a minimum. These reports include a “technical report,” with specific and granular technical details about each vulnerability, and a “management report” which includes C-suite level discussion about the state of security for the systems being reviewed. While the technical report assists technical staff with remediation, the management report assists management with allocating appropriate resources to the improvement of security. In addition to these reports, LRQA Nettitude also provides a debrief to discuss these findings and to answer any specific questions. These deliverables are highly flexible and designed to meet the first priority of an engagement, improving a client’s security.
Penetration Testing Tools
Various tools are used within penetration testing to complete the work. These tools seek to automate the work in some areas of the assessment in order to more effectively and efficiently complete the effort. In each phase of a penetration test, tools exist to more effectively compile data for analysis. Examples of such tools may include email aggregators used within the reconnaissance phase which use public resources to find potential email addresses for a company.
The use of email aggregators assists with understanding potential usernames for systems being assessed, which can be then used for attacks in later stages of the engagement. Another example of tools may include port scanners, which can assist a penetration tester with understanding which services are available and can potentially be attacked. A simple example of a series of tools used during an engagement could include:
- Nmap,
- Burp Suite,
- Nikto,
- Metasploit,
- Other Kali Linux-related tooling, and/or
- PoshC2 (https://github.com/nettitude/PoshC2).
In some cases, LRQA Nettitude may create a custom tool during an engagement to more effectively automate a solution to a problem. PoshC2 is such an example of a LRQA Nettitude-created custom tool. Another example of custom tooling may be using scripting to format data obtained through the post-exploitation phase of the engagement. In each instance of tool usage, the tool may be public and free, a commercial paid-for tool, or a LRQA Nettitude custom tool created for a specific problem.
General Enquiry.
