A penetration test (also known as a pentest) is a security assessment that simulates the activities of real-world attackers to identify security holes in your IT systems or applications.
The aim of the test is to understand what vulnerabilities you have, how they could be exploited, and what the impact would be if an attacker was successful.
An external pentest (also known as external network penetration testing) is usually performed first. It is an assessment of your perimeter systems: everything that is directly reachable from the internet. By definition these systems are exposed, and are therefore the most easily and most frequently attacked.
Testing for weaknesses
External pentests look for ways to compromise these externally accessible systems and services, to gain access to sensitive information, and to see how an attacker could use them to target your clients, customers or users.
In a high-quality external pentest, the security professional(s) will copy the activities of real hackers, like executing exploits to attempt to gain control of your systems. They will also test the extent of any weaknesses they find to see how far a malicious attacker could burrow into your network, and what the business impact of a successful attack would be.
Run external pentests first
External penetration testing assumes the attacker has no prior access to your systems or networks. This is different from an internal penetration test, which covers the scenario where an attacker already has a foothold on a compromised machine or is physically in the building. It usually makes sense to cover the fundamentals first: consider internal testing once regular vulnerability scanning and external penetration testing are both in place.
How to perform external penetration testing
So how do you go about getting an external penetration test? Scheduling an external pentest should be as simple as asking your managed service provider or IT consultancy, and pointing them at your perimeter systems (a list of domains and IP addresses/ranges).
An external pen test is normally run on a "black box" basis, which means no privileged information (such as application credentials, infrastructure diagrams, or source code) is provided to the testers. This is close to the position a real attacker targeting your organisation would start from, once they have enumerated your IPs and domains.
But there are a few important pointers and pieces of due diligence worth bearing in mind when organising your external penetration test:
- Who's performing your test? Are they a qualified penetration tester? You can find out more about penetration testing certifications and choosing a consultancy in the guide on how to choose a penetration testing company.
- How much will you be charged? Quotes are normally based on a day-rate, and your job is scoped based on the number of days it will take to do the assessment. Each of these can vary between companies, so it might be worth shopping around to see what's on offer.
- What is included? Respectable service providers should offer you a proposal or statement of work that outlines the work to be undertaken. Look out for what's in and what's out of scope.
- What else is recommended? Choose a provider that includes checking your exposed services for re-use of breached credentials, password spraying attacks, and web application testing on publicly accessible applications.
- Should you include social engineering? It can be a good value-add, though this type of testing is almost always successful when attempted by an attacker with enough determination, so it shouldn't be a hard requirement if your budget is limited.
External penetration testing vs. vulnerability scanning
If you're familiar with vulnerability scanning, you'll notice that an external pentest shares some similarities. So, what's the difference?
Typically, an external penetration test includes a full external vulnerability scan, but that's just where it gets started. All output from scanning tools will be investigated manually by a pentester to remove false positives, run exploits to verify the extent/impact of the weakness, and "chain together" multiple weaknesses to produce more impactful exploits.
Where a vulnerability scanner would simply report that a service has a critical weakness, a pentest would try to exploit that weakness and gain control of the system. If successful, the pentester will use their access to go further, and compromise further systems and services.
Pentests deep dive into vulnerabilities
While vulnerability scanners often identify potential issues, a penetration tester would explore those fully and report on whether the weakness needs attention or not. For example, vulnerability scanners routinely report 'Directory Listing', which is where a web server, asked for a directory that has no index page, responds with a list of the files and sub-folders in that directory. This is not necessarily a vulnerability on its own, but it does need investigation.
If a sensitive file (like a backup configuration file containing credentials) is exposed and listed by directory listing, a simple informational issue (as reported by a vulnerability scanner) could be quickly turned into a high impact risk to your organisation. The pentester's job includes carefully reviewing output from a range of tools, to make sure that no stone is left unturned.
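The triage step described above can be automated for the first pass. The following is an added example written for this article, not Intruder's tooling: it parses a directory index page the way a tester would eyeball it, strips the navigation links, and re-rates the scanner's informational 'Directory Listing' hit according to what the listing actually exposes. The list of sensitive filename patterns, the title strings used to recognise a listing, and the sample HTML are all assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser

# Filename patterns that turn an "informational" listing into a real finding.
# This list is an assumption for the example; tune it to the target's stack.
SENSITIVE_PATTERNS = [
    (re.compile(r"\.(bak|old|orig|save|swp|tmp)$", re.I), "backup or editor copy of a file"),
    (re.compile(r"\.(sql|sqlite|sqlite3|db|dump)$", re.I), "database dump"),
    (re.compile(r"(^|/)\.env$|\.(ini|conf|config|properties)$", re.I), "configuration file"),
    (re.compile(r"\.(pem|key|p12|pfx|jks|ppk)$", re.I), "private key or keystore"),
    (re.compile(r"(^|/)\.(git|svn|hg)/?$", re.I), "source-control metadata"),
    (re.compile(r"\.(zip|tar|gz|tgz|7z|rar)$", re.I), "archive, often a site or database backup"),
]


class _ListingParser(HTMLParser):
    """Collects the page title and every href from an HTML directory index."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.hrefs = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def parse_listing(html):
    """Return (is_listing, entries); entries are the names the listing exposes."""
    p = _ListingParser()
    p.feed(html)
    title = p.title.strip().lower()
    # Apache and nginx use "Index of /path"; Python's http.server uses "Directory listing for /path".
    is_listing = title.startswith("index of") or title.startswith("directory listing for")
    entries = []
    for href in p.hrefs:
        href = href.split("?", 1)[0]            # drop sort parameters such as ?C=M;O=D
        if href in ("", "/", "./", "../"):
            continue                            # column headers and parent links, not content
        entries.append(href)
    return is_listing, entries


def triage_listing(html):
    """Re-rate a scanner's 'Directory Listing' hit based on what the listing actually exposes."""
    is_listing, entries = parse_listing(html)
    findings = []
    for name in entries:
        for pattern, reason in SENSITIVE_PATTERNS:
            if pattern.search(name):
                findings.append((name, reason))
                break
    if not is_listing:
        severity = "none"           # the scanner hit was a false positive
    elif findings:
        severity = "high"           # sensitive content is enumerable; fetch it to confirm impact
    else:
        severity = "informational"  # listing exists but nothing obviously sensitive is exposed
    return {"listing": is_listing, "entries": entries, "findings": findings, "severity": severity}


# Constructed sample: an Apache-style index page as a scanner might have captured it.
SAMPLE_LISTING = """<html><head><title>Index of /backup</title></head><body>
<h1>Index of /backup</h1><pre>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<a href="../">Parent Directory</a>
<a href="images/">images/</a>
<a href="index.html">index.html</a>
<a href="config.php.bak">config.php.bak</a>
<a href="site_2023-01-10.sql">site_2023-01-10.sql</a>
<a href="notes.txt">notes.txt</a>
</pre></body></html>"""

if __name__ == "__main__":
    result = triage_listing(SAMPLE_LISTING)
    print(result["severity"])
    for name, reason in result["findings"]:
        print(f"  {name}: {reason}")
```

A "high" rating here is still provisional: the tester's next step is to fetch `config.php.bak` and the SQL dump and confirm they really contain credentials or customer data, which is the manual verification that separates a pentest finding from a scanner hit.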
What if I need more rigorous testing?
Some further activities that a real attacker would perform, and that vulnerability scanners do not, may also be included, but this varies between testers. Check the proposal, or ask questions before scheduling the pentest, if you would like these to be in scope. For example:
- Sustained password-guessing attacks (spraying, bruteforce) to try to compromise user accounts on exposed VPNs and other services
- Searching breach databases and dark-web sources for your employees' leaked credentials, and using them in credential-stuffing attacks against administrative panels and exposed services
- Web application testing where a self-registration mechanism is available
- Social engineering attacks such as phishing your employees
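The first item above is where an inexperienced tester does the most damage: a brute-force run against a VPN portal locks every account it touches, while a spray (one password across all users, then a pause) can be planned so that no account ever reaches the lockout threshold. The following added example, written for this article and not part of Intruder's tooling, plans both schedules against a lockout policy and computes the worst-case failure count any single account would accumulate inside one observation window. It contains no network code; the user list, password list, lockout policy and timings are constructed assumptions, and in a real engagement the policy values are confirmed with the client before anything is attempted.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LockoutPolicy:
    """Account lockout settings, as agreed with the client before testing (assumed values below)."""
    threshold: int                  # failed attempts that lock the account
    observation_window: timedelta   # period over which failures are counted


@dataclass
class Attempt:
    when: datetime
    user: str
    password: str


def plan_spray(users, passwords, policy, start, per_attempt=timedelta(seconds=2)):
    """Spray: one password across every user per round, pausing a full observation
    window after each (threshold - 1) rounds so no account reaches the threshold."""
    safe_rounds = policy.threshold - 1          # failures any account may absorb per window
    if safe_rounds < 1:
        raise ValueError("policy leaves no room for safe guessing")
    attempts = []
    clock = start
    for i, password in enumerate(passwords):
        if i > 0 and i % safe_rounds == 0:
            clock += policy.observation_window  # let server-side failure counters age out
        for user in users:
            attempts.append(Attempt(clock, user, password))
            clock += per_attempt
    return attempts


def plan_bruteforce(users, passwords, start, per_attempt=timedelta(seconds=2)):
    """Brute force: every password against one user before moving to the next (for contrast)."""
    attempts = []
    clock = start
    for user in users:
        for password in passwords:
            attempts.append(Attempt(clock, user, password))
            clock += per_attempt
    return attempts


def max_failures_in_window(attempts, policy):
    """Worst-case failures any single account accumulates inside one observation window,
    assuming every guess fails (the conservative case for lockout)."""
    by_user = {}
    for a in attempts:
        by_user.setdefault(a.user, []).append(a.when)
    worst = 0
    for times in by_user.values():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            # advance lo until times[lo..hi] all fall inside one window of length W
            while times[hi] - times[lo] >= policy.observation_window:
                lo += 1
            worst = max(worst, hi - lo + 1)
    return worst


# Constructed sample scope: a few users, a typical seasonal spray list, an assumed policy.
USERS = ["alice", "bob", "carol", "dave", "erin"]
PASSWORDS = ["Spring2024!", "Summer2024!", "Autumn2024!", "Winter2024!", "Welcome1!"]
POLICY = LockoutPolicy(threshold=4, observation_window=timedelta(minutes=30))
START = datetime(2024, 1, 1, 9, 0, 0)


def demo():
    """Return (spray worst case, brute-force worst case) failures per account."""
    spray = plan_spray(USERS, PASSWORDS, POLICY, START)
    brute = plan_bruteforce(USERS, PASSWORDS, START)
    return max_failures_in_window(spray, POLICY), max_failures_in_window(brute, POLICY)


if __name__ == "__main__":
    spray_worst, brute_worst = demo()
    print(f"spray worst case: {spray_worst} failures per account (lockout at {POLICY.threshold})")
    print(f"brute-force worst case: {brute_worst} failures per account")
```

With the assumed policy (lockout after 4 failures in 30 minutes) the spray schedule never exceeds 3 failures per account in any window, while the brute-force schedule pushes every account to 5 and would lock all of them. The same check is worth running over the proposed schedule before a real test, because a wrong assumption about the observation window turns a spray into a denial of service against your own users.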
Pentests can't replace regular vulnerability testing
Remember that new critical vulnerabilities are discovered daily, and attackers usually exploit the most serious weaknesses within a week of their discovery.
Whilst an external penetration test is an important assessment that takes a deep look into the security of your exposed systems, it is best used to complement regular vulnerability scanning, which you should already have in place!
Intruder is a cyber security company that helps organisations reduce their attack surface by providing continuous vulnerability scanning and penetration testing services. Intruder's powerful scanner is designed to promptly identify high-impact flaws, changes in the attack surface, and rapidly scan the infrastructure for emerging threats. Running thousands of checks, which include identifying misconfigurations, missing patches, and web layer issues, Intruder makes enterprise-grade vulnerability scanning easy and accessible to everyone. Intruder's high-quality reports are perfect to pass on to prospective customers or comply with security regulations, such as ISO 27001 and SOC 2.
Intruder offers a 30-day free trial of its vulnerability assessment platform. Visit their website today to take it for a spin!