What is a penetration test?
A penetration test, or a pentest for short, is an authorized simulated cyber attack against an organization and/or its digital assets such as networks, applications, and servers. The main reason companies perform penetration tests is to assess and evaluate the effectiveness of their IT security programs and controls. Generally outsourced to an accredited third-party provider, penetration testing is not, as industry experts put it, a one-time operation; more and more organizations are undergoing these security assessments on a regular basis and are adopting them as an important measure of their security programs.
How Does a Penetration Test Work?
Because there is a lot at stake when performing a penetration test, organizations turn to certified third-party professionals to ensure accuracy and business continuity, i.e. meticulous execution with no damage or downtime to the target systems. These professionals use both automated and manual approaches to uncover vulnerabilities at various points of exposure. If successful, pentesters use these vulnerabilities to access the system and exploit other assets to get hold of sensitive data otherwise not available to the public. The final deliverable report acts as an assessment of the effectiveness of the organization’s defensive measures and of what would be at stake if it were breached.
Why Organizations Conduct Penetration Tests
There are many reasons why companies undergo penetration tests:
● To meet compliance with industry-specific security regulations
● To have a good understanding of their security posture
● To test their ability to detect and respond to real cyber attacks
● To uncover crucial vulnerabilities in their environment
● To prioritize and tackle these vulnerabilities based on urgency
● To keep management in the loop about potential risks
● To protect employee and customer data from being leaked
● To make pivotal decisions regarding their security programs
Types of Penetration Tests
A good categorization of penetration tests would be based on their targets, their level of confidentiality, and the intelligence provided to the testers.
1- Based on Targets:
One accurate way to put penetration tests into categories is by specifying their targets, i.e. what is to be tested. These targets can be external networks, internal networks, web applications, mobile applications, and employees.
● External Network Pen Test
Given the growing risks that internet exposure poses to corporate security, a remote infrastructure pen test can help identify security vulnerabilities within an organization’s systems so that these threats can be dealt with. External network penetration tests are among the most commonly conducted security assessments at large corporations, and for a good reason: they emulate a motivated attacker trying to break into a corporate network from the outside and acquire sensitive data. Testers take advantage of both publicly available information and instructions given to them by the organization. Targets are usually DNS, email, and web servers, and the ultimate goal of this test is usually to breach the perimeter and gain internal access.
● Internal Network Pen Test
An internal network penetration test is the closest organizations can get to simulating a rogue employee. Internal tests are fundamentally different from external ones, as objectives are often defined in advance and the main goal is to move vertically within the organization’s systems to escalate privileges and obtain administrative access. A successful internal security assessment can also help corporations better understand how a single malware-infected computer, a set of stolen credentials, or a malicious employee can undermine the organization’s security from the inside.
● Web Application Pen Test
Arguably the most technical type of penetration test, a web application pen test focuses strictly on vulnerabilities found in web-hosted applications and all of their components. Testing web apps can also involve looking for technical flaws and is usually followed up by a secure code review to detect bugs and weak spots. The flow of a web application penetration test is largely up to the provider, who determines the tools and approaches to be used; however, there are industry best practices to be followed. The OWASP Top 10 framework is the most widely used reference for web application testing and is constantly updated to cover new threats and security trends. Testers present their findings to the IT departments of their partner organizations in the form of a comprehensive report that prioritizes threats based on their impact and exploitability.
● Mobile Pen Test
Mobile applications have recently surged in popularity as more and more organizations build mobile apps to make access to their products and services easier. Mobile applications are just as vulnerable to attacks as any other interface, which is why many developers test their functionality for issues before deployment. A mobile application can be separated into two parts: the application as it operates on the device, and the web services with which it communicates. A mobile penetration test looks extensively into both of these elements and is, in general, performed following a general penetration testing framework.
● Employees (Social engineering)
One of the attack vectors most used by sophisticated attackers, social engineering can be defined as any communication that exploits the human factor to gather sensitive information. There are several different types of social engineering attacks that organizations could face, including phishing, pretexting, baiting, tailgating, elicitation, and whaling. Social engineering assessment campaigns usually leverage the psychology of the target employees to invoke emotions (such as the fear of missing out on a golden opportunity) and to deceive them into revealing valuable information that could either be the end target or a useful asset for attaining one. A social engineering campaign can be useful to an organization and act as a measure of its employees’ security awareness.
2- Based on Levels of Confidentiality
A second way to categorize pen tests is by the attacker’s level of visibility when performing the test. Penetration tests can be overt, covert, or automated.
● Overt Pen Test
An overt penetration test is more like a collaboration between an outside team and the internal IT department to go through vulnerabilities, exploit them, and assess the damage that would take place if a real attacker could do the same. In this type of assessment, third-party pen test teams have access to all the insider company knowledge they request. One of its advantages is that it can save time by prioritizing tasks and skipping the information gathering phase. The main disadvantage, however, is that it is a purely technical assessment without any simulation of real-world attacks.
● Covert Pen Test (Red Teaming)
Red Teaming is a full-fledged simulation of a real-life cyber attack, otherwise known as ethical hacking but with minor differences. Red teams challenge an organization to improve its security effectiveness by acting as a motivated, well-planned opposing entity with zero insider knowledge. These strategic offensive procedures are conducted to measure how well planned an organization’s response strategy is. Red Teaming analyses a variety of aspects of a business, such as its technological, physical, and workforce assets, to conclude whether a corporation can withstand a real-life attack and how it would respond. These findings help the organization make the changes required to update its current security systems.
● Automated Pen Test
An automated pentest is by far the least reliable type of penetration test because it completely disregards the human element and the thorough manual approaches that other types of tests heavily rely on. Automated tests are usually performed by setting up or scripting vulnerability scanners to run scans against certain identified targets and deliver results in the form of logs and spreadsheets. They can be useful in a few cases nonetheless, such as when a company already has a good security posture and has a single attack surface on which it needs to run tests around the clock, or when it needs to automate some aspects of testing.
3- Based on Intelligence Provided
Another way to categorize penetration tests is by how much insider knowledge the third party is given at the beginning of the test. Pen tests can be black box, white box, or gray box.
● Black Box Pen Test
In a black box penetration test, little to no insider knowledge is shared with the ethical hackers. This type of test usually takes more time than the others because pen testers need to go out and gather information about their targets themselves. The organization does not provide any useful information about its inner workings or architecture, which broadens the scope and compels the attacking team to simulate real-world threat activity.
● White Box Pen Test
A white box penetration test proves to be more effective than a black box one in the sense that the ethical hackers have complete insider knowledge of, and access to, the entire network and/or the application they are testing. By sharing confidential information that is otherwise not available to the public with the ethical hackers, an organization guarantees the efficient use of everyone’s time. If penetration testers have access to all this knowledge, it will be easier for them to find vulnerabilities, as they have a good idea of what is to be tested, and they will also cover the whole network.
● Gray Box Pen Test
Just as the color gray is a mixture of black and white, a gray box pen test is a hybrid of the two previous types. Pen testers have at least some knowledge about their target assets and what they are testing when performing a gray box assessment. As an example, an organization may share minimal knowledge to guide testers on what to test, such as IP addresses, while keeping operating systems and other information confidential.
The Phases of Pen Testing
Regardless of category, penetration tests typically have seven steps.
1. Scope Definition
The first step that both sides need to take is defining the scope of the penetration test. It makes sense that before the engagement, both the tester and the organization agree on the legal aspects and sign off on the logistics. This involves preparing for the assessment by setting terms, discussing details, signing contracts, defining targets, setting goals, and assigning objectives. This is the only phase that is considered pre-engagement, and it is the stage that dictates how the rest of the test will proceed.
2. Information gathering
Also known as reconnaissance, information gathering is the first engagement between the tester and the company. The only purpose here is to gather as much information on the organization as possible, actively or passively. In this strategic step, testers also identify potential targets and plan out their attacks based on the information they gather. Information can be obtained from search engines, WHOIS lookups, dumpster diving, or social engineering.
3. Scanning
As a continuation of the previous step, scanning is a form of information gathering, but it stands out for being strictly technical. Ethical hackers use automated and manual tools to enumerate targets, discover hosts, and fingerprint the IT infrastructure of the target organization. At the end of this phase, testers will have a good idea of the services running on the target machines or devices.
4. Vulnerability Identification
Vulnerability identification is heavily based on the results of the previous step. Depending on which services are running and on which devices, pen testers determine and classify vulnerabilities based on their exploitability and criticality. This is done through a systematic approach, and before the next step pen testers will have identified, enumerated, and classified vulnerabilities according to their operational framework.
5. Exploitation
Exploitation, in other words the real ‘hacking’ phase, takes place after pen testers have successfully mapped the vulnerabilities and started testing them. The one and only goal of this phase is to gain access, no matter how low-privileged, and maintain it. If successful, pen testers operate based on the initial scope and act according to their predefined framework.
6. Post Exploitation
After gaining access, the most important phase of the assessment begins. This is when testers can get a good idea of how much damage a real-life intrusion would do to the organization by assessing what they would have access to. It is also necessary to escalate privileges, gather evidence of exploitation, and handle sensitive data with care. To conclude a successful post-exploitation phase, digital artifacts that prove there was an intrusion (such as IDS log entries) need to be destroyed.
7. Reporting
Crafting a detailed report that sums up the six previous phases is the fitting conclusion to the pen test engagement. A typical report has an executive summary, an overall risk score, a summary of the phases along with introductory definitions, a technical analysis of the findings, proof of successful attacks and compromised systems, a summarized risk assessment, and a conclusion. These findings, along with other written recommendations, offer the organization insight into its overall security posture, which risks are most imminent, and how to deal with them.