Learn about Penetration Testing
Penetration Testing: FAQ
- What is Penetration Testing?
- What is Red Teaming and Purple Teaming?
- What is Vulnerability Assessment?
- What are the types of security assessments?
- How are Pen Tests usually conducted?
1 What is Penetration Testing?
Penetration Testing or “pen test” is an emulation of what a bad actor could do when targeting an organization. Its goal is to find vulnerabilities affecting assets and find out how to leverage those to breach perimeters, obtain sensitive data, take over hosts, or cause damage.
The depth of testing can vary, from resilience against low skill “script kiddies” to professional nation-state level attackers. The scope can be adjusted to meet the organization’s needs.
Pen tests are performed by specialty security engineers whose focus is essentially breaking and entering with the blessing of the customer in order to improve overall security posture. The scope of testing depends on the type of engagement and goals. The tests can be conducted using a range of prior knowledge, below are the three terms typically used.
- “Black box” - The pen test engineers have no previous knowledge of the organization’s infrastructure
- “Grey box” – The pen test engineers have some prior knowledge
- “White box” – The pen test engineers have access to code, hosts, or other assets
2 What is Red Teaming and Purple Teaming?
Cybersecurity is a war comprised of battles with elements of offense and defense. In a penetration test, team names are given to the attacking team (Red Team) and the defending team (Blue Team.) The Blue Team could be made up IT staff or a SOC.
Red Teaming is a full scope assessment that best mimics what a real attack could do. This is essentially the closest thing to actually being targeted by bad actors. All attacks are allowed, including the pen tester arriving on premises unannounced to employ physical or social engineering tactics.
While this is the closest and most accurate type of testing, it can also be the most expensive, requiring substantially more time and money than other efforts. It is geared toward testing a more mature security program that has some baseline of self-evaluation. It is designed to be campaign driven with goals.
Purple Teaming is an arrangement where the Red Team is in communication with the Blue Team, usually a SOC. As tests are performed, feedback among the groups can help determine blind spots, security assumptions, etc. This is a more collaborative exercise with the goal of improving the Blue Team.
3 What is Vulnerability Assessment?
Vulnerability assessments are quick engagements based on scanning remote hosts for known vulnerabilities. It’s a less thorough method that can often miss major vulnerabilities that can’t be revealed by an external scan.
It’s important to examine scan results after the fact and perform a manual validation of vulnerability discoveries to rule out false positives. Best practice is to perform the scan, validate, then compile a more accurate report. The level of effort needed depends on the number of hosts being scanned.
4 What are the types of security assessments?
There are many different types of assessments that can be made during a penetration test. They can vary based on the organization being tested and the types of assets and services they utilize. While external and internal pen tests get much of the focus, a holistic approach that uses all applicable assessments is recommended to identify blind spots.
Here’s a basic list of assessments:
External Pen Test
Targets external assets from the public internet – a real world attack assessment.
Internal Pen Test
Targets internal assets from inside the organization. This emulates what would happen if a malicious agent (malware, disgruntled employee, etc.) got inside the network. It explores scenarios such as successful phishing attacks and malicious physical media like a found USB drive that could introduce malware.
Web Application Pen Test
In-depth testing of web application(s), examination of functionality with search for vulnerabilities such as the typical ones (XSS, SQLi, CSRF) to the more complex code/logic abuse which are frequently missed by groups.
Web application tests can be performed both authenticated or unauthenticated. Generally, we recommend both.
Applications are also evaluated against frameworks such as the OWASP Top 10 which inventories common attacks on known libraries or CMS platforms, e.g. WordPress, Joomla, Drupal, et al.
Mobile Pen Test
This is the same scope as the Web Application Pen Test, but for native mobile applications that may rely on extensive API-accessible web services.
SCADA Pen Test
SCADA is a purpose-built control system for factories, power plants, utilities (such as municipal water systems), or facilities that require some level of orchestrated automation in processes and data acquisition. The systems can be complex and networked, but also may not benefit from frequent updating or security-oriented maintenance.
IoT and Hardware Pen Test
This is a test of the entire IoT ecosystem in place including web applications, mobile applications, hardware, firmware, wireless communications (Wi-Fi, Bluetooth, Zigbee) and their interactions. Exploits can often be a clever usage of two or more of these elements.
Cloud Configuration and Architecture Review
This is a test of configuration in monitoring/logging, identity and access management, network firewall rules, etc., as well as the architecture of VPC and interactions with any cloud-specific technologies or services. Common services evaluated are AWS, Google Cloud Platform, and Azure.
This is a test of susceptibility to coercive communications with actual humans via a number of avenues such as phishing emails, phone calls, or even in-person requests for sensitive information.
Physical security is often overlooked in the context of cybersecurity, but it can prove to be a complementary weakness all the same. This test evaluates physical controls and policies for access. Banks, train yards, and health institutions with otherwise mature cybersecurity have been compromised by simply walking into the building. It is a bold tactic, but it can be very effective.
DDoS Stress Testing
This tests the resilience of external assets against Distributed Denial of Service Attacks. An in-house attack station is used to simulate all manner of attacks, featuring a library of typical attacks between network layer 4 and layer 7.
Attacks can be crafted to match what would be typical for services in place such as specific web applications or authentication services.
This type of attack has brought global financial institutions to their knees and is an extremely valuable test.
OS Hardening Assessment
This tests the configuration and controls of a specific operating system deployment. A good example is an organization that deploys a specific image for every workstation. This image can be tested and recommendations generated that can apply broadly through the company.
Capture the Flag Events
Fun for the whole team! For organizations who want to make security a focus for their IT teams, a CTF event can introduce the mentality of attackers and encourage a new outlook on what can be vulnerable in a given infrastructure. It’s a fun exercise that stimulates creativity and can be very competitive.
Anything and Everything In Between
The above assessment types are just the most common scenarios. Specific technologies and infrastructures may necessitate less common approaches to penetration testing. Newer technologies or suspected vulnerabilities can benefit from the help of an attack team to improve their security.
5 How are Pen Tests usually conducted??
While it can vary depending on the engagements or the types of assessments requested, in general most will follow this common setup/sequence:
- Setting ground rules and understanding customer needs: Goals should be explicitly communicated by the customer, often with the help of the Pen Test team asking questions or making suggestions not previously considered. Requirements, expectations, and parameters or limitations of the testing should be set at this stage.
- OSINT: Open Source Intelligence Gathering
- Enumeration: Information gathering and enumeration of assets being tested
- Threat modeling: Build an attack plan and map different attack paths
- Exploitation: Execution of the previously determined attack paths to gain a foothold
- Post-exploitation: Once a foothold is gained, data can be gathered, accounts can be compromised, and the business impact of exploited vulnerabilities truly understood.
- Understanding long term security strategy: Once testing is complete, an analysis is made to determine the root of problems found. Are they related to patch management? Active Directory misconfiguration? What are the long-term security strategies in light of new intel?
- Cleanup: Removal of any remaining artifacts of the test and return systems to normal. This shouldn’t be the responsibility of the customer.
- Reporting: Once testing and analysis is complete, a report outlining the results of the penetration test is provided to the customer including insights and action items.
- Remediation validation test: If the customer remediates any issues discovered during pen testing, a follow-up validation can be performed to validate those measures.