As security technology and threat awareness among organizations improve, so do the adversaries, who are adopting and relying on new techniques to maximize speed and impact while evading detection.
Ransomware and malware continue to be the method of choice for big game hunting (BGH) cyber criminals, and the increased use of hands-on or "interactive intrusion" techniques is especially alarming. Unlike malware attacks that rely on automated malicious tools and scripts, human-driven intrusions use the creativity and problem-solving abilities of attackers. These individuals can imitate normal user or administrative behaviors, making it challenging to distinguish between legitimate activities and cyber-attacks.
The goal of most security practitioners today is to manage risk at scale. Gaining visibility, reducing the noise, and securing the attack surface across the enterprise requires the right people, processes, and security solutions.
With the use of penetration testing services, organizations can proactively combat these new and evolving threats, helping security practitioners identify and validate what is normal and what is potentially malicious activity. Penetration testing consists of varied technologies, both human-led and automated, and the use of certified pentesting experts, or ethical hackers, to emulate a cyber-attack against a network and its assets. Pentesters use real-world tactics and techniques like those used by attackers, with the goal of discovering and exploiting a known or unknown vulnerability before a breach occurs.
This type of proactive offensive security approach requires planning and preparation by security leaders to maximize the effectiveness of penetration testing, including choosing the right security provider to meet your security and business objectives.
The Steps to Successful Penetration Testing
The following steps are necessary to properly prepare and plan for penetration testing, all of which will be outlined in further detail:
- Establish team: Determine the security leaders that will be involved in the penetration testing initiative, including establishing a main POC or central organizer. Outline roles and responsibilities and provide clear objectives.
- Stakeholders: Identify the key stakeholders and decision-makers. What are their roles, when will their approvals be needed, and at what stage of the penetration testing?
- Create a project plan: Ensure that a clear project plan is created that outlines the scope of the testing, specific systems and assets to be tested, timeline, objectives, and expected outcomes.
- Choose a testing methodology: Select the right testing methodology to fit the scope. Common methodologies include Black Box, White Box, and Gray Box testing. Also consider the specific techniques your organization would like to deploy, whether social engineering, API fuzzing, external-facing web app testing, etc.
- Support for the security team: Consider what support the security team will need and whether the organization has the right expertise, resources, and budget. Determine whether the project will be handled internally or if an external pentesting service provider is needed. If selecting an external service provider, ask about the type of support and expertise that they offer.
- Engaging with the vendor: After doing some initial research, be sure to ask the right questions when choosing a vendor. Questions may include, but are not limited to:
  - Is penetration testing part of your core business?
  - Do you hold professional liability insurance?
  - Can you provide references or testimonials?
  - Do you hold the right pentesting certifications, such as ISO 9001 or CREST?
  - What are the qualifications of your pentesters?
  - How do you stay current with the latest vulnerabilities and exploits?
  - What are your pentesting methodology and pricing structures?
- Debrief of Report: Preparing a comprehensive report of the pentesting findings and recommendations for remediation will be important. Debrief with your team, and pentesting service provider if using one, to analyze the findings and potential risk associated with them. Collaborate closely with stakeholders to ensure the results are properly understood and a timeline is agreed upon for timely remediation.
- Remediation action steps: Prepare a report of detailed findings and provide clear guidance on the prioritization of vulnerabilities based on severity, identifying action steps to mitigate these risks. Maintain effective communication, accountability, and quick resolution.
- Retest and validate: Additional retesting may be needed to validate that the remediation efforts were effective and that the findings have been successfully addressed. Ensure that no new issues have arisen during the pentesting and remediation process.
Preparing for Penetration Testing Services
Understand Your Attack Surface
To understand your attack surface, it is important to have complete visibility of your cyber assets. There are three main considerations for understanding your attack surface:
1. Visibility of Your Attack Surface: Identify hidden and unmanaged cyber assets
Attackers are increasingly taking advantage of the attack surface as an organization's digital footprint grows. This expanded attack surface makes it easier for bad actors to find weaknesses while making it harder for security practitioners to protect their IT ecosystem. Identifying all cyber assets and potential vulnerabilities can be a tough challenge. Without full visibility into every possible attack vector, assessing and communicating an organization's exposure to risk becomes nearly impossible.
2. Prioritizing Risk: Making decisions based on risk
Tracking and evaluating risk without continuous assessments leaves organizations vulnerable. Security leaders need clear visibility into the key factors influencing risk to guide strategic decisions and keep stakeholders informed. By assessing risks regularly, DevSecOps teams gain actionable insights that help strengthen defenses, fix vulnerabilities, and prevent security breaches.
3. Mitigating Risk: Reducing attack surface risk
Security practitioners often find themselves reacting to threats, hindered by limited time and visibility, and without the guidance needed to anticipate risks. A large attack surface requires more than just optimizing threat defense: it demands proactive measures to discover, assess, and address cyber risk before an attacker strikes.
Determine the Scope
When determining the scope of a penetration test, consider the following before testing begins:
1. Identify What to Test: Which areas and assets would the organization like to test? This involves identifying critical systems, applications, networks, or data that could be vulnerable to attacks.
2. Establish Goals: Security teams will also want to consider the business goals for penetration testing. Whether the aim is to focus on the human layer of security through phishing techniques or to test whether endpoint controls can be bypassed, it is important to know whether there may be potential weak spots in specific areas or whether the entire infrastructure should be tested.
3. Compliance Requirements: Some industries have specific regulations that may dictate what needs to be included in your penetration testing. Knowing which regulations the organization needs to comply with, along with their testing requirements, can help narrow the testing scope.
Security practitioners should be armed with this information as well as essential details such as organizational infrastructure, domains, servers, devices with IP addresses, or authorized user credentials (depending upon the pentesting method), and any exclusions.
What are Some of the Common Assets to Test?
External Assets
Web Applications: The most common external assets that benefit from penetration testing services are web applications. External web app pentesting identifies potential attack paths and mitigates specific vulnerabilities depending on the application's architecture and the technology used. These are often called internet-facing or public-facing applications because they are accessible over the internet. The most common vulnerabilities found are SQL injection, XSS, authentication and/or business logic flaws, credential stuffing, and more.
In addition, penetration testing services for external assets can include, but are not limited to, mobile applications, APIs, Cloud, external networks, IoT, and secure code review.
Internal Assets
Network Infrastructure: The most common penetration testing for internal assets covers internal networks and systems. Many security practitioners and organizations assume that internal networks are more secure than external-facing systems, but this is no longer true. The goal of attackers who do gain access to an internal network is to move laterally across systems, escalate privileges, and compromise confidential and sensitive data. The most common vulnerabilities found are misconfigured Active Directory (AD) environments, weak passwords or poor authentication, and outdated or unpatched software and systems.
Penetration testing services for internal assets can include but are not limited to, internal applications, APIs and API endpoints, workstations and laptops, Thick Client applications, and testing across all phases of the software development life cycle (SDLC).
What Type of Penetration Testing Is Right For You?
There are several types of penetration testing methodologies, and finding the right approach will be dictated by what has been outlined in your scope. Penetration testing methods have evolved, and companies are no longer beholden to the traditional penetration testing offered by the big consulting firms. Below are the different pentesting methods available and how they are commonly used to deliver the best results.
1. Traditional Pentesting: This structured, project-based approach is offered by large global consulting firms. This pentesting is very hands-on and involves a defined scope and timeline, where external security experts perform tests on specific systems, networks, or applications. While this type of traditional pentesting can seem more credible by offering a sense of assurance to stakeholders and auditors, it can also be very costly, as these firms often charge a premium for their services, making it less affordable for small or mid-sized enterprises.
Traditional pentesting usually occurs on an annual or biannual basis and can, therefore, leave gaps in security visibility between assessments. Attack surfaces change rapidly, which means new vulnerabilities may go undetected during this period.
Lastly, these traditional engagements usually take quite some time to get off the ground and the feedback loops can seem slow. Results may take weeks or months to deliver, and by that time some vulnerabilities may no longer be relevant.
2. Autonomous Pentesting: Automated penetration testing uses automated tools, scripts, and AI to perform security assessments without the constant need for human intervention. Like other pentesting methods, it can simulate a variety of attack scenarios, identify vulnerabilities, and provide remediation recommendations. Automated pentesting can perform the same tasks that would require manual testing, but it is performed on a continuous or scheduled basis.
Automated pentesting primarily focuses on networks and network services and can effectively scan large network infrastructures. This type of pentesting can also perform static and dynamic scans of web applications to find common vulnerabilities, as well as scans of APIs and API endpoints, cloud assets, and external-facing assets like public websites, databases, and networks. Because it can be regularly scheduled, it is less prone to human error.
Automated pentesting offers speed, scalability, and cost efficiencies. Autonomous tools can be deployed to run pen tests regularly, providing constant monitoring and enabling the identification of vulnerabilities as they emerge. However, automated tools often focus on common, well-known vulnerabilities and may not uncover complex or more sophisticated weaknesses that a human tester could identify.
3. Penetration Testing as a Service (PTaaS): PTaaS is a hybrid approach to penetration testing that uses both autonomous and human-led pentesting, yielding the benefits of both, such as speed, scale, and repeatability. Manual pentesting is performed by certified and highly skilled ethical hackers who search for vulnerabilities in a system, application, or network. It is an in-depth, human-driven approach, and unlike automated tools, manual pentesting allows for more expertise, intuition, and flexibility in detecting complex vulnerabilities.
PTaaS covers the entire IT infrastructure, both internal and external, and can be tailored for deeper exploration of specific areas of concern. During manual pentesting, experts can think like attackers, using techniques like those used by malicious actors, and customize specific use cases or uncommon configurations for testing to align with the organization's IT environment. Manual testers can also adapt their approach if they encounter unexpected scenarios or defenses.
Using a hybrid approach to penetration testing combines the efficiency, scalability, and cost-effectiveness of continuous automated testing with the creativity and adaptability of manual testing, which is essential for discovering complex and advanced vulnerabilities such as business logic flaws. Combining both methods provides the speed and breadth of automated tools with the depth of manual testers to ensure more comprehensive and thorough coverage of the attack surface.
Planning for Your Penetration Testing
Choosing the Right Pentesting Services and Provider
Choosing between internal and external pentesting resources is an important decision and is often dictated by scope and objectives. An organization's own internal pentesting team, an outside pentesting provider with its own in-house pentesting experts, and external resources such as crowdsourcing all have their own unique advantages and disadvantages.
Internal Penetration Testing Within the Organization
- Insider Perspective: Simulates an attack from within the organization and provides an insider perspective.
- Internal Systems: Can provide a thorough assessment of internal systems, including lateral movement and privilege escalation.
- Cost-effectiveness: If the expertise and resources already exist within the organization, pentesting can often be more cost-effective, reducing the need for unnecessary external fees.
- Continuous Improvement: Internal teams can perform continuous testing and monitoring leading to more frequent updates and improvements.
When to use: Internal penetration testing is best for identifying and mitigating insider threats, testing internal policies, and ensuring internal systems are secure.
External Pentesting with Service Provider and In-house Certified Experts
- Specialized Expertise: In-house pentesting experts employed by a penetration testing service provider are highly trained certified ethical hackers who maintain the most relevant industry certifications, such as CREST, OSCP, OSCE, CEH, CISA, CISM, SANS, and others.
- Unbiased View: External pentesters can provide an unbiased view, often identifying vulnerabilities internal teams might miss.
- Standardization: Use standardized practices and guidelines aligning with NIST, OWASP, CREST, and MITRE ATT&CK methodologies.
- Support and Customization: Pentesting providers also provide the guidance necessary to choose the right pentesting method, offering support throughout the entire testing process, with the ability to tailor and customize security testing to meet your business requirements.
When to use: External pentesting is best used when resources and expertise are limited. It is ideal for assessing both internal and external-facing assets using standardized methodologies for more accurate and consistent results. It is also the best choice when ensuring regulatory compliance and obtaining an unbiased evaluation of your security posture.
External Pentesters or Crowdsourcing
- External Resources: This involves external pentesting resources, either through a security service provider that uses crowdsourcing or through the use of external pentesting experts.
- Lack of Standardization and Consistency: This methodology lacks standardization and consistency in the use of pentesting tools, which often produces varied results that are hard to measure progress against.
- Increased Cost: External pentesters can be more expensive due to consultancy fees and the need for specialized services.
- Limited Frequency: External pentesting is typically performed periodically rather than continuously, leaving gaps between tests.
When to use: External pentesters or crowdsourcing are helpful for validating the results of internal pentesting. However, the lack of standardization and consistency of results remains a concern.
What is the Right Penetration Testing Methodology?
There are three primary methods used to deliver penetration testing services. Depending upon your requirements, the type of assets being tested, and which approach will yield the outcomes you are looking for, experts can guide you on which method is best to meet the organization's objectives.
Black Box: This type of penetration testing requires no prior knowledge related to the targeted systems being tested. Pentesting experts will emulate a real-world attack that an attacker might use with no internal information about the system being hacked. The goal is to assess the efficacy of security measures and whether these controls can withstand an external attack.
Gray Box: This pentesting method provides partial knowledge of the target system(s). More context is provided than in Black Box testing, allowing for a more efficient evaluation of the asset(s) being exploited. Gray Box testing balances the external perspective of Black Box tests with the internal perspective of White Box tests.
White Box: Complete knowledge of targets is required for this type of testing including internal and external systems. This method emulates an attack by an insider within the organization or someone with detailed knowledge of the system(s). White Box testing allows for a comprehensive assessment of the internal controls to identify vulnerabilities that might not be readily visible from an external perspective.
Why Standardization Is Important in Pentesting
Several important standardized guidelines are commonly used in penetration testing to ensure accuracy, consistency, thoroughness, and compliance with industry practices. Here are some of the more common practices:
1. NIST (National Institute of Standards and Technology): These guidelines provide practical recommendations for designing, implementing, and maintaining security testing and processes. They are designed for industry, government, and organizations to help reduce cybersecurity risks, and cover various aspects of security testing, including penetration testing, vulnerability scanning, and risk assessments. NIST guidelines are widely respected and used by federal agencies and organizations to ensure a standardized approach to security testing.
2. OWASP (Open Web Application Security Project): OWASP provides a comprehensive framework for testing web applications, including methodologies for identifying and mitigating common web application vulnerabilities. OWASP is highly regarded for its focus on web applications, though it also provides frameworks for mobile apps, APIs, cloud, and more. Its guidelines are open-source and regularly updated to reflect the latest threats and best practices.
3. CREST (Council of Registered Ethical Security Testers): A not-for-profit accreditation body that sets high standards for security testing, including penetration testing, to ensure member organizations adhere to rigorous ethical, legal, and technical standards. CREST outlines a standardized methodology for penetration testing, which includes planning, information gathering, vulnerability analysis, exploitation, and reporting.
Other Notable Guidelines:
- MITRE ATT&CK: A global knowledge base of adversary tactics and techniques based on real-world observation used to develop specific threat models and methodologies in the private sector, government, and cyber community. Unlike traditional penetration testing frameworks, MITRE ATT&CK provides a comprehensive matrix of techniques used by attackers during various stages of an attack.
- PCI DSS (Payment Card Industry Data Security Standard): Provides requirements for conducting penetration tests to ensure the security of cardholder data.
- OSSTMM (Open-Source Security Testing Methodology Manual): Offers detailed methods for security testing, covering various aspects of operational security.
- HIPAA (Health Insurance Portability and Accountability Act): Includes guidelines for penetration testing to ensure the security of protected health information.
Regulatory Compliance with Penetration Testing
Regulatory mandates have become increasingly stringent, and new regulations continue to be implemented around the world affecting various industries, including prime targets like the financial, healthcare, and critical infrastructure sectors. Below is an overview of the more noteworthy regulations, some with specific guidelines related to penetration testing:
DORA: Threat-Led Penetration Testing (TLPT)
Faced with increasing risks to information systems and IT infrastructure, both internal and external, EU regulators adopted rules and recommendations to identify and remediate potential vulnerabilities. Through DORA, financial institutions are directed to perform two distinct types of testing to strengthen their cyber resilience:
- Digital Operational Resilience Testing: Mandatory for all entities regulated by DORA, to be carried out at least once a year for systems and applications supporting critical or important functions, and
- Threat-Led Penetration Testing (TLPT): Mandatory for the most important financial entities, as designated by competent authorities in each country, with TLPT carried out at least every three years.
NCSC Cyber Assessment Framework (CAF)
CAF plays a crucial role for both public sector entities and organizations involved in supporting Critical National Infrastructure (CNI), providing a systematic method for evaluating an organization's cybersecurity practices and helping to identify and address areas for improvement. It is especially relevant for organizations covered by the Network and Information Systems (NIS) Regulations, which mandate the adoption of appropriate cybersecurity measures. Additionally, the framework serves as a valuable resource for sectors that manage risks to public safety, such as healthcare and transport.
NIS2 Directive
The NIS2 Directive (Directive (EU) 2022/2555) aims to establish a high common level of cybersecurity across the EU. Member States must ensure that essential and important entities implement appropriate measures to manage network and information system risks and to minimize the impact of incidents, using an all-hazards approach.
TIBER-EU (Threat Intelligence-Based Ethical Red Teaming)
This framework is an EU initiative designed to enhance the cyber resilience of entities in the financial sector. TIBER-EU provides a structured approach for conducting controlled, intelligence-led red team tests. These tests simulate real-world cyberattacks to assess and improve the security posture of organizations.
SOC 2 (System and Organization Controls 2)
A widely recognized regulatory framework and set of auditing procedures developed by the American Institute of Certified Public Accountants (AICPA). It is designed to assess the controls and security measures of service organizations that protect customer data and to ensure the security, availability, processing integrity, confidentiality, and privacy of that data.
HIPAA (Health Insurance Portability and Accountability Act)
This U.S. federal law governs the privacy, safety, and electronic exchange of medical information. Medical and healthcare organizations must perform regular validation of their data security controls, and the law includes guidelines for penetration testing to ensure the security of protected health information.
PCI DSS (Payment Card Industry Data Security Standard)
Provides requirements for conducting penetration tests to ensure the security of cardholder data. PCI DSS 11.3.1 specifically requires external penetration testing at least once every six months and after any significant changes or upgrades to IT infrastructure or applications. PCI DSS 11.3.2 requires internal pentesting to be performed at least once every six months. Other requirements within PCI DSS call for additional pentesting and can be found on the PCI Security Standards Council website.
In Conclusion
Preparing and planning for penetration testing services is no small feat, and many questions need to be answered, and much preparation done, before the testing begins. But there is no doubt that the benefits of penetration testing services are worth the effort to maintain a strong security posture now, tomorrow, and in the future.