Penetration testing is a critical component of any information security program. It is not just about finding vulnerabilities but about demonstrating that they can actually be exploited, so that you learn their real impact before an attacker does. This blog post discusses the main penetration testing methodologies and tactics so that you can find the approach that fits your needs.
Penetration testing is closely related to ethical hacking: an authorized tester uses the techniques a real attacker would use against your systems. The results give you an idea of what is possible so that you can have an informed conversation about how the threats apply to your environment and prioritize mitigation accordingly.
A penetration test should begin with a list of goals or objectives in mind. These may include:
- Verify that a suspected vulnerability actually exists.
- Exploit a vulnerability or a specific type of flaw and show its impact.
- Access data that is only available to privileged users, such as application developers and system administrators.
- Test whether third-party services or partner connections can be used to reach your data without the service owner noticing (e.g. pivoting through a supplier connection into a client network during a red team engagement; every party involved must have agreed to the scope in advance).
Penetration Testing Categories
Penetration testing approaches are commonly broken down into two major categories: black box and white box testing. (Many real engagements fall somewhere in between, with partial knowledge, and are often called gray box tests.)
The difference between them lies in how much prior knowledge the tester has going into the engagement. Black box testing assumes no prior knowledge beyond what an outsider could obtain, while white box testing presumes the tester has been given detailed information about the environment (network components, operating systems, software versions, and often credentials or source code) and a corresponding level of access and trust.
Black Box Testing:
In this approach, testers have essentially no information about the environment they have been tasked to test beyond an external IP range or a domain name. The idea is to mimic a real-world external attacker so that you get true visibility into how your perimeter would hold up against one. The trade-off is coverage: with a fixed time budget and no inside knowledge, a black box test can miss issues that a better-informed tester would find. Black box tests are also useful for organizations outside the technology sector, which often do not appreciate which attack vectors are possible. That makes a thorough assessment of their networks and infrastructure even more important, because critical weaknesses (missing endpoint protection, weak password policies, unpatched services exposed to the internet) may be present without anyone knowing until it is too late.
White Box Testing:
Penetration tests conducted using a white box approach assume the tester has significant knowledge about the environment (network diagrams, configurations, credentials, sometimes source code). This does not make the test a more realistic simulation of an outside attacker; it makes it more thorough and efficient, because the tester does not have to spend time guessing what sits behind the firewalls or IDS/IPS systems and can go straight to testing the controls and the code. It also models the insider, or the attacker who has already obtained a foothold. White box testing is the right choice when the goal is coverage rather than realism, for example an in-depth review of a critical application carried out together with its developers and system administrators, who can supply context that an outside tester would never see.
Phases of Penetration Testing
Penetration testing methodologies are underpinned by several key phases which typically occur in a specific order, although not every engagement follows that order strictly. For example, some engagements require extensive pre-engagement work (scoping, rules of engagement, written authorization, gathering domain knowledge) before any technical work begins, while others keep pre-engagement interactions to a minimum because the organization simply wants to assess its security posture against a modern adversary who starts with little more than IP addresses and a few user accounts.
- The first phase is reconnaissance: gathering IP addresses, netblocks, DNS information and other publicly available data about the target, usually without touching its systems directly.
- The second phase is target enumeration, a deeper dive that uses a variety of methods to gather as much data as possible about the systems in scope: WHOIS record lookups, DNS brute forcing, network and port scanning, service and version fingerprinting, and enumeration of the web and mobile applications that make up the target's attack surface.
- The third phase is exploitation, which involves attacking the enumerated systems to gain access at various privilege levels (user level, admin/root, etc.). Once a first system is compromised, testers use the credentials and tokens harvested from it to reach other systems and probe them in turn; this movement between hosts is what is called "lateral movement".
- The fourth phase is post exploitation, in which the tester performs the actions a real attacker would take after gaining access, within the limits agreed in the rules of engagement (e.g. establishing persistence, locating and retrieving samples of sensitive data, harvesting further credentials). These steps frequently require privilege escalation to reach other machines on the network, which may trigger security controls; whether and how quickly that happens is itself a useful finding about the organization's detection capability.
- The fifth phase is covering tracks and maintaining access. A real attacker deletes or alters logs and hides the files they create; a tester emulates this only when the rules of engagement explicitly allow it, and must in any case keep a record of every artifact left behind (accounts, implants, files, configuration changes) so that it can be removed and the environment returned to its original state at the end of the engagement.
- The final phase is reporting. A good report has two parts: an executive summary for business owners and C-level executives, written in plain language with actionable, prioritized recommendations so they can improve their security posture, and a detailed technical section for the people who have to fix the issues, listing the affected systems, the vulnerabilities identified, how they were exploited, and how to reproduce and remediate each one.
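The reconnaissance and enumeration phases above are the ones most easily shown in code. The following is an added example written for this article, not code from the original post: a wordlist-based subdomain brute-forcer that first checks for wildcard DNS (a zone that answers every name makes a naive brute-forcer "find" its entire wordlist), and a TCP connect scan demonstrated against a listener started in the same process so that everything runs offline. The zone under example.test, the 203.0.113.0/24 addresses and the wordlist are constructed, hypothetical data.

```python
"""Added example (not from the original post): subdomain brute forcing with
wildcard-DNS detection, and a TCP connect scan against a local listener.
The zone data below is constructed for the offline demo, not a real target."""
import secrets
import socket
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# A resolver maps a hostname to an IPv4 address string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Real resolver using the OS stub resolver. Use only against in-scope targets."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve a few random labels that cannot exist. Any address they return
    belongs to a wildcard record and must not be counted as a discovery."""
    wildcard_ips: Set[str] = set()
    for _ in range(probes):
        ip = resolve(f"{secrets.token_hex(8)}.{domain}")
        if ip:
            wildcard_ips.add(ip)
    return wildcard_ips


def brute_force_subdomains(domain: str, words: Iterable[str], resolve: Resolver) -> Dict[str, str]:
    """Return {fqdn: ip} for wordlist entries that resolve to a non-wildcard address.
    Caveat: a real host that shares the wildcard's address is filtered out too, so
    follow up with other sources (certificate transparency, zone transfers)."""
    wildcard_ips = detect_wildcard(domain, resolve)
    found: Dict[str, str] = {}
    for word in words:
        fqdn = f"{word}.{domain}"
        ip = resolve(fqdn)
        if ip and ip not in wildcard_ips:
            found[fqdn] = ip
    return found


def tcp_connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> List[int]:
    """Full TCP handshake per port: noisy (it lands in the target's logs) but it
    needs no raw sockets or root privileges, unlike a SYN scan."""
    open_ports: List[int] = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:  # 0 means the handshake completed
                open_ports.append(port)
    return open_ports


# --- constructed zone for the offline demo (hypothetical names and addresses) ---
FAKE_ZONE = {
    "www.example.test": "203.0.113.10",
    "mail.example.test": "203.0.113.20",
    "vpn.example.test": "203.0.113.30",
}
WILDCARD_IP = "203.0.113.99"  # *.example.test answers with this address


def fake_resolver(name: str) -> Optional[str]:
    """Stand-in for system_resolver so the example runs without network access."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    if name.endswith(".example.test"):
        return WILDCARD_IP
    return None


def demo_local_scan() -> Tuple[List[int], int]:
    """Start a listener on an ephemeral loopback port, scan it together with a port
    that was just released (so is almost certainly closed), and return
    (open_ports, listener_port). The listener never accept()s; the kernel completes
    the handshake from the backlog, which is all a connect scan needs."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        open_port = listener.getsockname()[1]
        return tcp_connect_scan("127.0.0.1", [open_port, closed_port]), open_port
    finally:
        listener.close()


if __name__ == "__main__":
    words = ["www", "mail", "vpn", "dev", "staging"]  # constructed wordlist
    print("wildcard IPs:", detect_wildcard("example.test", fake_resolver))
    print("real hosts:", brute_force_subdomains("example.test", words, fake_resolver))
    open_ports, listener_port = demo_local_scan()
    print(f"listener on {listener_port}, scan reports open: {open_ports}")
```

Against a live, authorized target you would pass `system_resolver` instead of `fake_resolver`; the wildcard check stays essential either way, because without it "dev" and "staging" above would have been reported as real hosts.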
A penetration test evaluates the security of an organization's IT infrastructure by simulating an attack under agreed rules of engagement. It can be done manually or with automated tools, and it often combines white box testing (with inside knowledge such as credentials, configurations or source code) and black box testing (with no prior knowledge, like an outside attacker). Penetration tests help organizations identify weaknesses that would allow unauthorized access, provide valuable insight into how malicious actors might attempt to infiltrate the network, and ultimately help protect against real attacks.