An Introductory Guide to Penetration Testing in 2023: What Your Company Should Know about Pentesting
Half the battle of cybersecurity is knowing where your strengths are, where you’re most vulnerable, and where your team should spend its valuable time. But how do you identify these factors and decide how to prioritize the work ahead of you? This answer is made much clearer by conducting regular penetration tests.
The penetration test, often referred to simply as a pentest, is a staple of the offensive security workflow, whether working for an enterprise team, as a service provider or MSSP, or as a consultant. This test — which features many interconnected elements and components — sets a strong foundation for your security team and does a great job identifying focus points and initiatives for your team to work on as you move forward. But what is penetration testing? Why is penetration testing important? We’ll answer these questions and more in the sections that follow.
And speaking of penetration testing, PlexTrac streamlines the pentest reporting process, saving your team valuable time and empowering them to be more efficient, effective, and proactive.
What Is Penetration Testing?
Put simply, pentesting is a method of offensive testing targeted at a defined application, network, or other asset in order to identify, exploit, and report on vulnerabilities present in that asset at the time of testing. Penetration testers take note of the tactics, techniques, and procedures (TTPs) they use to circumvent an organization’s defenses and show exactly how they were used for a successful breach (or other goal, such as gaining access to data). After the test comes the final deliverable, a penetration test report, which outlines these vulnerabilities, scores them based on criticality, and offers remediation steps to ensure vulnerabilities are patched before they can be exploited in the real world.
In summary, penetration testing involves vital exercises conducted by offensive security professionals in order to test the strength of their organization’s security posture against inevitable future breach attempts made by bad actors and other adversaries.
Why Is the Penetration Test Important?
Penetration tests are important because they provide valuable data and context that help CISOs, managers, and other practitioners understand the strength of their security posture as well as identify important focus areas for scarce resources to be devoted. Additionally, finding exploits and vulnerabilities before criminals do helps save the company time and money, while also protecting valuable intellectual property and trade secrets that give organizations competitive advantages.
The average cost of a security breach is expected to surpass $5 million in 2023, further underscoring the importance of penetration tests and the massive consequences waiting for companies that don’t prioritize pentests and other offensive security exercises. Large security breaches can be fatal for businesses, especially small ones. Truly, the proactive nature of a penetration test fills a vital role for security teams by ensuring their organization is both aware of the threats it is facing and protected from those threats.
Common Company Types That Should Consider Penetration Testing
It’s hard to find a company out there that shouldn’t at least consider a penetration test, especially in today’s technological age. Penetration testing should be a vital part of almost any business’s cybersecurity strategy, whether big or small. However, there are some industries where it’s especially important to conduct regular penetration tests, and at times pentests are required by regulatory bodies, due to the sensitive nature of the data companies in these industries work with. These industries include:
- Critical infrastructure / utilities
- Financial services
The Benefits of Penetration Testing
Now that we’ve set the stage with a crash course on penetration testing, it’s time to get into the real advantages you can source by conducting the exercise. These are just some of the many benefits your team and organization can reap with consistent pentesting and other proactive security measures.
- Identify the viable attack surface by inventorying assets
- Identify a wide range of real vulnerabilities previously unknown to your security team
- Likewise, determine your highest and most critical vulnerabilities and risks
- Use data from pentests to prioritize efficient and effective remediation efforts
- Test security defenses put into place by other members of your security team
- Ensure protection of your organization’s most valuable assets
The Disadvantages of Penetration Testing
While penetration testing is a great exercise to jumpstart your offensive security strategy, it’s not without its disadvantages. The penetration test, especially if only done annually, is a great jumping-off point. However, it’s not a one-stop shop. Here are some of the disadvantages of penetration testing.
- Limited in scope compared to more advanced offensive exercises, like breach and attack simulations (BAS) and adversary emulation
- Expensive to conduct, leading to restrained parameters that fail to cover the full attack landscape
- Can be misleading depending on the statement of work (SOW) and TTPs used
- Provide point-in-time data only that is not comprehensive in nature
- Potential for collateral damage if penetration tests are not done in an isolated, controlled environment
- Varied levels of skill and expertise of testers
Penetration Testing and Compliance
While some in cybersecurity may simply view compliance as a check box for their security team, others take the time to leverage these frameworks and their components to help jumpstart their program and provide a valuable path for their work. However, regardless of the framework being used, most compliance frameworks require an annual penetration test at the very least.
Here are some of the industry’s most popular compliance frameworks and how they relate to penetration testing.
Payment Card Industry (PCI) Compliance
One of the most popular frameworks for compliance is the Payment Card Industry (PCI) framework, largely due to its requirement by all companies taking payment information from customers. This framework was created to ensure that payments made worldwide are both safe AND secure, and it does this by conducting a yearly evaluation of a corporation to ensure they’re following proper security standards.
If interested, you can learn more about the 12 requirements for PCI compliance here.
Health Insurance Portability and Accountability Act (HIPAA) Compliance
Much like PCI, the Health Insurance Portability and Accountability Act, or HIPAA, is a widely known compliance framework for the healthcare industry, but is relevant for organizations of all sizes and industries. This framework aims to protect personal information of every individual in order to prevent unlawful discrimination on the basis of race, color, national origin, disability, age, or sex in health and human services.
Learn more about the history and importance of HIPAA compliance here.
General Data Protection Regulation (GDPR) Compliance
The last of the major compliance frameworks is General Data Protection Regulation, or GDPR for short. GDPR is a compliance framework with the primary purpose of giving EU citizens more power over their personal data, especially on the internet. These regulations, which have slowly made their way into the United States with laws like the California Consumer Protection Act (CCPA), try to curb the predatory and invasive nature of many organizations and their data sourcing techniques.
Learn more about the importance of the GDPR compliance framework here.
Types of Penetration Testing
While there’s little doubt about the importance of penetration testing, the type of pentesting your organization needs is largely dependent on your tech stack and the products and services you offer. With that being said, there are various types of penetration testing, and each offers a unique area of focus for your team.
Web Application Tests
Web application security testing, which can be dynamic or static, consists of a hybrid approach of both automated and skilled manual analysis for built and hosted applications. Once a complete understanding has been obtained of both the scope and architecture of the target application(s), automated tools can be carefully configured and monitored in an effort to comprehensively test the enabled security controls meant to protect the application’s exposed user interface. Subsequent to automated analysis, targeted manual attack techniques are employed in order to augment and validate the automated results and effectively evaluate the real-world impact of discovered vulnerabilities through proof-of-concept demonstrations.
In many cases organizations will provide testers with a demonstration of the application, to aid the tester in understanding the use case of the app, which can assist in providing more depth in a test.
Network Security Tests
Network penetration testing can be performed from an internal or external perspective. External testing focuses on internet facing and perimeter zones, while internal testing focuses on internal networks. This type of adversarial threat simulation usually takes the data gathered during a vulnerability assessment and uses it to further demonstrate the real-world effects of system vulnerabilities. An attacker’s perspective is employed and vulnerabilities are exploited or otherwise used to show the genuine risk to an organization that the findings represent.
These types of tests help assess the effectiveness of security controls and systems that are in place and present a clear picture of an organization’s security posture at a point in time. These tests also assist organizations in identifying key areas in their security program that require enhancement, refinement, or reconfiguration. A penetration test is also frequently an effective way to test network monitoring and incident response based on whether the organization is able to identify and successfully respond to the threats presented.
Cloud Security Tests
Cloud-centric testing leverages similar methodologies to more traditional tests, with a focus on cloud technologies. An emphasis on identity and access management (IAM) is typically applied because the tech stack exposed by cloud systems is most often abused through API keys or user accounts. Also, business logic flaws introduced by the complexity of the many interconnected cloud services may expose vulnerabilities. Cloud infrastructure is also assessed; however, most flaws are commonly observed within microservices and APIs. Cloud testing looks like a mash-up of network pentesting and application testing. It is important that the nuances of the specific cloud environment be taken into account as well. Cloud security testing is best done when the security assessor has a deep understanding of the specific cloud environment in use.
Container Security Tests
Containers have become a ubiquitous method for deploying applications and systems across a huge portion of the technology ecosystem. Security assessment and testing take into account both the security of the container image itself, including its isolation from the host operating system, and the underlying system that is hosting the container. Flaws within a container can look and feel similar to those in applications, and some of the same concerns exist: unauthorized access to systems or data. However, the container image itself may also introduce vulnerabilities that can be leveraged to “break out” of the container and gain further access to the host system, which can have a huge impact. This type of testing is specialized, and deep expertise in the underlying container architecture and technologies in use is helpful for those wishing to perform advanced assessment — similar to cloud testing.
Some of the types of assessment in container security testing include the following:
- Image scanning — Analyzing the contents of container images to identify vulnerabilities and misconfigurations in the software packages and libraries they contain.
- Runtime security testing — Analyzing the container runtime environment to identify vulnerabilities and misconfigurations in the configuration and deployment of the container.
- Host/guest network testing — Analyzing the host and container networking configurations to identify vulnerabilities and misconfigurations that could be exploited to gain unauthorized access to the container or host infrastructure.
IoT Security Tests
The Internet of Things (IoT) refers to the interconnected network of physical devices, vehicles, buildings, and other items embedded with sensors and software that enable them to collect and exchange data. These devices can be connected to the internet and communicate with other devices and systems, allowing them to be controlled and monitored remotely. Some examples of IoT devices are smart home, industrial automation, transportation, and healthcare devices. Everything from a heart monitor to a pressure pump system to a washing machine falls under the IoT banner.
IoT testing typically involves aspects of many of the previously mentioned types of testing. The network communication, firmware security, application fidelity, and interaction with cloud systems are all at play, and each of these technologies requires attention. IoT tests may also be broken into subsets and assessed separately. For example, perhaps the firmware undergoes assessment, then separately the network stack is tested. End-to-end testing is the most comprehensive means of gauging the fidelity of an IoT setup; however, this testing can be complex and take a significant amount of time and expertise.
API Security Tests
Application programming interfaces (APIs) are a subset of web application testing but require specific focus themselves. APIs often do not have direct graphical user interfaces to interact with. Many modern applications leverage the underlying API to provide the user experience. Some applications abstract a public-facing API for automation from a back-end API for administration and business logic processing. Application testing techniques focusing on APIs include common web appsec testing methods, but specific flaws within APIs can be nuanced to test and usually require a high degree of manual effort and intervention. Flaws that would typically be equated with appsec testing are often present in APIs; however, uncovering those flaws without a prior deep understanding of how the application works can be challenging.
In most cases, to assist in providing a comprehensive test, API testing is aided by providing example requests and then mapping out the API or by providing deep API documentation to the tester. Also, credentialed testing typically yields the most beneficial results.
Social Engineering Tests
End users are a common target for malicious threat actors. Organizations spend a considerable amount of time and money securing their logical assets; however, end users are oftentimes the weakest link in a security program.
Social engineering (SE) assessments use real-world scenarios and tactics to try to demonstrate the level of end users’ awareness of coercion attacks. These engagements can also highlight areas wherein organizational security policies and technical controls can be enhanced or used more efficiently to detect and prevent SE attacks.
A brief synopsis of the two most common types of SE assessment, remote and onsite, is given below:
- Remote — Phishing engagements are one of the most common types of SE assessment. These projects simulate malicious threat actors that send emails to personnel in an attempt to gather information, gain control of end systems, and otherwise gain unauthorized access to systems and data. Phishing engagements can be tailored to fit the needs of the organization. Everything from simply measuring the number of clicks on a phishing URL to capturing user credentials — and even so far as attempting to gain command and control of end user systems — are all available options for remote SE engagements. Another remote scenario for SE engagements is engaging in phone or SMS text based coercion attacks. Malicious actors can use phone calls or text messages and attempt to coerce end-users into performing actions that could aid an attacker.
- Onsite — These engagements are used to assess personnel’s awareness regarding onsite interaction with unauthorized persons. The typical goal of onsite SE engagements is to gain unauthorized access to facilities, systems, and data by actively engaging personnel. Examples of onsite SE scenarios include impersonating service personnel or employees, scheduling meetings to gain access to facilities, or otherwise actively engaging personnel to grant access to buildings, systems, or data. These engagements are useful for ensuring visitor access procedures are followed and for gauging personnel’s willingness to report or awareness of suspicious persons.
Penetration testing stages
While there are many different types of penetration tests, they all follow a similar set of stages. Below is an example of the stages a typical penetration test would follow, though the exact stages and their names vary from tester to tester.
Planning and Preparation
The first step of a penetration test is the Planning and Preparation stage. In this stage the penetration tester identifies targets, scopes out those target(s), and begins mapping out relevant TTPs for the test at hand. The tactics, techniques, and procedures you choose here are vital as they must align with the scope of the pentest and the SOW determined before the engagement. Once you clarify your goals and the methods to employ to achieve them, you’re ready to move on to the next phase of the penetration test.
Scanning, Assessment, and Discovery
Once your planning is complete, it’s time to begin the Scanning, Assessment, and Discovery stage. Think of this stage as base-level reconnaissance as you aim to learn more about your target and the roadblocks that exist to stump your hacking efforts. In this stage you will often use a mixture of vulnerability scanners and manual testing methods to poke and prod at your targets’ defenses to find weak spots and vulnerabilities to exploit with more advanced tactics later. Once you conduct and document these tests, it’s time to move on to the next phase.
Penetration Attempt and Exploitation
Once you’ve set your goals, identified your testing methods, and done baseline testing, it’s finally time to flex your penetration tester muscles! The Penetration Attempt and Exploitation phase is all about taking the knowledge you’ve gained and using it to attempt a breach of your target. This can be done with a whole host of attack vectors, including weak or compromised credentials, insider threats, poor encryption, phishing, or many other tactics. In simple penetration tests these attack vectors are usually outlined ahead of time so the scope of the test remains steady and consistent for all members of the team.
Detailed Analysis and Reporting
Once you’ve exploited vulnerabilities and made off with the valuable loot, now comes the important part, the Detailed Analysis and Reporting phase of the penetration test. After all, the primary purpose of a penetration test is the awareness of vulnerabilities across your assets and the methods to patch said vulnerabilities. It’s important to document your findings in a detailed, yet organized manner. Likewise, it’s important to share code snippets, photos, videos, and other artifacts to show the exploitation of findings. The final deliverable at this stage is a penetration test report. This pentest report will house all of the information you’ve gathered to this point, as well as recommendations for the team and instructions for remediation after the fact.
Clean Up and Destruction of Artifacts
After the report comes the Clean Up and Destruction of Artifacts phase of a penetration test, where the work of extracting value from the report begins. In this phase the penetration tester cleans up their mess, including the destruction of recovered assets, the cleaning of files and agents, and more. The penetration tester then must wait for the defense (often called the blue team) to remediate vulnerabilities and issues found during the pentest. These remediation efforts are a vital part of the penetration test — and often make or break the efforts made by the penetration tester. Once the security team believes their remediation work is done, it’s time for the final penetration test phase.
Retest
If your penetration test doesn’t trigger any improvements, why did you test at all? In the Retest phase of a pentest, a penetration tester repeats exploitation attempts similar to those made last time. In a successful penetration test, the efforts by pentesters in this phase are largely unsuccessful. However, it’s important to capture any workarounds and unresolved vulnerabilities in this phase so your security team can ensure proper defense against threats. The Retest phase of a penetration test is often repeated several times as the two parties work together to identify and remediate findings in a comprehensive manner.
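The reporting step described above (findings scored by criticality, each with evidence and remediation) and the retest comparison that follows it can be shown in a small piece of code. This is an added example, not the page’s or PlexTrac’s code: the findings, their F-00x identifiers, asset names and evidence references are all constructed, and matching original and retest findings by identifier is an assumption made for the example (a real retest usually matches on asset and finding title as well).

```python
"""Findings summary, report rendering and retest comparison.

Added example, not the page's or PlexTrac's code. The finding records,
identifiers (F-00x), assets and evidence references are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Ordering used when sorting findings for the report (most critical first).
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    title: str
    severity: str
    asset: str
    evidence: str       # reference to the captured artifact (screenshot, log)
    remediation: str


# Constructed findings from the initial test ...
ORIGINAL_FINDINGS = [
    Finding("F-001", "Outdated service version", "high", "10.0.0.5:22",
            "banner capture banner-01.txt", "Upgrade to the vendor's fixed release"),
    Finding("F-002", "Verbose error pages", "medium", "https://shop.example/cart",
            "screenshot err-02.png", "Disable debug output in production"),
    Finding("F-003", "Missing security headers", "low", "https://shop.example/",
            "response log hdr-03.txt", "Add standard security response headers"),
]

# ... and from the retest: F-002 is still present, F-004 is newly observed.
RETEST_FINDINGS = [
    Finding("F-002", "Verbose error pages", "medium", "https://shop.example/cart",
            "screenshot err-02-retest.png", "Disable debug output in production"),
    Finding("F-004", "Directory listing enabled", "low", "https://shop.example/static/",
            "screenshot dir-04.png", "Disable automatic directory indexes"),
]


def sort_by_severity(findings):
    """Most critical first; ties broken by id so the report order is stable."""
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.finding_id))


def severity_summary(findings):
    """Counts per severity label, e.g. {'high': 1, 'medium': 1, 'low': 1}."""
    return dict(Counter(f.severity for f in findings))


def render_report(findings):
    """Render a Markdown report: summary counts, then findings in severity order."""
    summary = severity_summary(findings)
    lines = ["# Penetration Test Report", "", "## Summary", ""]
    for severity in SEVERITY_ORDER:
        if severity in summary:
            lines.append(f"- {severity}: {summary[severity]}")
    lines += ["", "## Findings", ""]
    for f in sort_by_severity(findings):
        lines += [
            f"### {f.finding_id} [{f.severity}] {f.title}",
            f"- Asset: {f.asset}",
            f"- Evidence: {f.evidence}",
            f"- Remediation: {f.remediation}",
            "",
        ]
    return "\n".join(lines)


def compare_retest(original, retest):
    """Classify findings by id into resolved / unresolved / new (assumption:
    ids are stable between the original test and the retest)."""
    before = {f.finding_id for f in original}
    after = {f.finding_id for f in retest}
    return {
        "resolved": sorted(before - after),
        "unresolved": sorted(before & after),
        "new": sorted(after - before),
    }


if __name__ == "__main__":
    print(render_report(ORIGINAL_FINDINGS))
    print(compare_retest(ORIGINAL_FINDINGS, RETEST_FINDINGS))
```

The “unresolved” and “new” lists are the ones the security team needs from a retest: unresolved entries are the workarounds and partial fixes the text warns about, and new entries are regressions introduced by the remediation work itself.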
Penetration Testing Frameworks
Much like the compliance types and the steps of penetration testing, there are also several frameworks to guide penetration testing and other methods for conducting cybersecurity that organizations should be aware of. These frameworks include NIST, OSSTMM, OWASP, and PTES, among many others.
The National Institute of Standards and Technology (NIST) is one of the most popular sources for cybersecurity standards, guidelines, framework, and best practices. NIST provides robust resources helpful for successful pentesting by clearly defining the steps and overall process for testing.
Learn more at www.nist.gov/cybersecurity.
OSSTMM stands for Open Source Security Testing Methodology Manual. This resource comes from the Institute for Security and Open Methodologies (ISECOM), an organization focused on building security resources through an open research community. The OSSTMM is a comprehensive guide to conducting operational security.
Learn more at www.isecom.org/
The Open Web Application Security Project or OWASP is a non-profit organization devoted to improving software security through community-based projects. OWASP has a number of resources helpful for pentesting including OWASP Top Ten and the Web Security Testing Guide (WSTG).
Learn more at https://owasp.org/.
The Penetration Testing Execution Standard (PTES) was developed to assist penetration testing consultancies and organizations seeking the services in building a common language and expectations around penetration testing. The standard is a robust breakdown of all parts of a penetration test.
Learn more at www.pentest-standard.org.
Common Example of Penetration Testing
One scenario where a company might want to conduct a penetration test is before launching a new product or service that will be accessible over the internet. For example, if a company is launching an e-commerce website, they might want to conduct a penetration test in a QA or dev environment to identify vulnerabilities in the system before launch. Further, many organizations require regular testing of systems and applications when new upgrades or features are released.
Another scenario where a company might want to conduct a penetration test is as part of their overall cybersecurity strategy, as required by their governance processes, or perhaps legislated or required by industry bodies or governments. In this case, the company may conduct regular penetration testing to ensure that any new vulnerabilities that are discovered are known and mitigated. For example, the internal network IP space of an organization may be the target of testing, trying to identify flaws that attackers could leverage if they gained unauthorized access to internal resources, either via phishing or otherwise gaining an initial foothold from an external vantage point to the internal network. This type of testing is also called “assumed breach” testing.
Who Executes Penetration Testing?
There are many different ways to structure security teams within organizations. Some have large teams that are segmented into different responsibility areas. In this case, there is a dedicated team of employees who are considered the pentest team. These teams typically have a management structure and support the overarching security organization within the company. Other companies do not have dedicated staff; instead, some members of the security team are tasked with penetration testing as an “other duties as assigned” role.
If organizations do not have the expertise, workforce, or time to conduct pentesting, they will hire a third-party company to perform pentesting as part of a contract or project. Usually an internal project sponsor is the champion and point of contact for the testing. Often a project manager on each side of the engagement (the service provider and the receiving entity) helps with timelines, requirements gathering, and final wrap-up. Or, sometimes the lone employee at the company receiving the test wears all of the hats.
Many types of project sponsors exist but typically fall into the following buckets:
- Internal Audit or Risk Departments — These teams want to verify and validate the purported security posture of their entity by bringing in a third-party (in most cases) to get a picture of their environment. This activity validates existing processes and internal reporting and helps identify gaps that can be closed.
- Internal Security Team — These teams are tasked with securing the organization and want to ensure that their defenses are operating at peak efficiency and that their detection mechanisms are also operating as expected. They are either executing the testing themselves or acting as liaisons with third-party testers.
- CISO/Board/Leaders — Those tasked with shepherding, leading, or who are otherwise responsible for organizational security posture at times will spearhead pentesting efforts. These leaders want to get a bead on their genuine security posture and also verify the data that has been presented to them. Often, this occurs when a leader is new to a position.
- M&A Groups — During mergers and acquisitions (M&A), pentesting is often leveraged for due diligence. The acquiring entity may require that identified issues be fixed before the acquisition is completed. Typically these tests are done by a third-party pentesting company, and both sides of the M&A activity may have technical resources and project managers involved.
Penetration Testing Cadence — How Often Should You Test?
Testing frequency is driven by many factors. There is often a tension between how often organizations would like to test and how often they can. Based on the personnel available and the budget, many find themselves unable to test as frequently as they’d like. Historically, the typical pentesting cadence across many industries has been, at a minimum, an annual pentest. This annual test provides a once-a-year baseline of insight into the gaps in protections and the efficacy of build standards and vulnerability updating programs.
The more often that testing can be performed the better. With the advent of PTaaS (pentesting as a service) and continuous assessment strategies, organizations have more cost-effective options that may be able to increase their testing cadence. A recent trend is an increase in the minimum testing cadence to quarterly pentesting, especially for organizations that are trying to show demonstrable progress within their security programs.
While more often is generally better with pentesting, when it comes down to it, individual organizations must decide how frequently they can test based on resources. Using a hybrid approach of specialized tests, in conjunction with internal staff, as well as partnering with experts outside of their entity is a means to ensure comprehensive coverage of their attack surface.
Penetration Testing Tool Types
When carrying out a penetration test, you have many types of tools at your disposal to get the job done. Here are a few of the most popular pentest tool categories.
Reconnaissance Tools
Reconnaissance tools are used to gather information about a target. These tools could be network-based, application-based, or even used to gather open source intelligence (OSINT) data about an asset, application, network, or organization. The more information that is gathered about a target, the more fine-tuned vulnerability identification becomes. Examples of recon tools include port scanners, network and application service banner grabbers, and DNS information gatherers.
For example, a network mapping tool may be used against a network address range that is tied to an organization. The network mapping tool issues probes towards the IP addresses to determine whether a system is listening at each one, and then determines what applications exist on that IP based on the responses to the various probes. Or, a DNS recon tool may issue DNS queries to determine subdomains or naming conventions, or to gather historical information about DNS names associated with IP addresses. All of this data is important for identifying viable attack surfaces, as well as cataloging what systems or applications exist that are tied to a target organization.
Vulnerability Scanning Tools
Vulnerability scanning tools typically use similar probe-and-response, or request-and-response, techniques to find known vulnerabilities within information systems (e.g. networks or applications). These systems have a database of checks and use conditional logic to determine whether a vulnerability exists by examining the response generated from a target. This is done by comparing either a reported version number or a value seen in an application or network response. Either way, vulnerability scanning tools gather these findings and then flag targets as containing vulnerabilities.
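The version-comparison check described in the paragraph above is the same logic whether the input is a service banner from a recon tool or a package list read from a container image (the image scanning assessment listed under container testing). The following is an added example, not the page’s or PlexTrac’s code, and everything in it is constructed: the product names (exampled, libexample, webfront), the check database with its CHK-000x placeholder identifiers, and the inventory lines.

```python
"""Version-comparison vulnerability checks over an asset inventory.

Added example (not the page's or PlexTrac's code). Everything here is
constructed: the product names, the check database and its placeholder
identifiers (CHK-...), and the inventory lines.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Check:
    """One entry in a (constructed) vulnerability check database."""
    check_id: str       # placeholder id, not a real CVE
    product: str
    fixed_in: str       # first version that is no longer affected
    severity: str
    remediation: str


@dataclass(frozen=True)
class Asset:
    """One inventory record: where a component runs and what it reports."""
    location: str       # host:port from a service banner, or an image name
    product: str
    version: str


# Constructed check database: "product X before version Y is affected".
CHECKS = [
    Check("CHK-0001", "exampled", "8.5", "high",
          "Upgrade exampled to 8.5 or later"),
    Check("CHK-0002", "libexample", "1.4.3", "medium",
          "Rebuild the image with libexample 1.4.3 or later"),
]

# Constructed inventory: two network service banners and two packages
# read from container images, one record per line.
INVENTORY_LINES = """\
# location            product     version
10.0.0.5:22           exampled    8.2p1
10.0.0.5:443          webfront    2.1.0
images/web:1.0        libexample  1.4.2
images/api:1.0        libexample  1.4.3
"""


def parse_version(version: str) -> tuple:
    """Turn '8.2p1' into (8, 2, 1) so versions compare numerically.

    Only digit runs are kept, so 2.4.10 sorts after 2.4.9 (a plain string
    compare would get that wrong). Suffixes such as 'p1' or 'rc1' become an
    extra numeric component, which is good enough for this example.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_inventory(text: str) -> list:
    """Parse whitespace-separated 'location product version' lines."""
    assets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        location, product, version = line.split()
        assets.append(Asset(location, product, version))
    return assets


def is_affected(asset: Asset, check: Check) -> bool:
    """A check fires when the product matches and the observed version is
    older than the first fixed version."""
    return (asset.product == check.product
            and parse_version(asset.version) < parse_version(check.fixed_in))


def run_checks(assets: list, checks: list) -> list:
    """Apply every check to every asset; return one finding per hit."""
    findings = []
    for asset in assets:
        for check in checks:
            if is_affected(asset, check):
                findings.append({
                    "check_id": check.check_id,
                    "severity": check.severity,
                    "location": asset.location,
                    "observed": f"{asset.product} {asset.version}",
                    "remediation": check.remediation,
                })
    return findings


if __name__ == "__main__":
    for finding in run_checks(parse_inventory(INVENTORY_LINES), CHECKS):
        print(f"[{finding['severity']}] {finding['check_id']} at "
              f"{finding['location']}: {finding['observed']} -> "
              f"{finding['remediation']}")
```

A check that relies only on the reported version is exactly why scanner output needs the manual validation the page describes: a vendor that backports a fix without bumping the version produces a false positive here, and a service that hides its version produces a false negative, so these findings are candidates for the tester to confirm, not conclusions.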
Proxy Tools
Proxy tools allow you to route network or application traffic through them, either for inspection or to change the apparent source of your traffic. The source of the traffic will appear to be the egress of the proxy system. Application proxy tools allow you to see and interact with data that would often be hidden from view from a user-interface perspective. For example, an HTTP(S) proxy tool shows all of the requests and responses. Network proxy tools are typically used to mask or hide the original source of TCP/IP-based traffic.
Exploitation Frameworks
Exploitation frameworks and systems are used to more easily execute initial access operations and take advantage of vulnerabilities. Some tools are highly specialized in providing command and control (C2) frameworks, wherein you have to create the exploits and implants outside of the C2 framework. Other exploitation suites are designed to be a staging platform to create exploits, or to use and customize canned exploits contained within the framework. The exploitation systems are useful and have menu-driven systems and interfaces that are created to make navigating exploitation and initial access easier.
Post-Exploitation Tools
Many exploitation frameworks contain built-in post-exploitation capabilities already. Some of the most common post-exploitation tools are community-built scripts or single-use applications that provide the ability to establish persistence, gather information, and aid in pivoting from initial access systems to other hosts or applications within a target environment. It should be noted that a significant number of built-in operating system or application utilities can be abused when performing post-exploitation (post-ex) activity; many times it’s simply a matter of knowing how to leverage these tools in an advantageous fashion.
Collaboration and Management
Performing penetration testing produces a significant amount of data. Common outputs from pentests include raw scan results, output from tooling, the results of manual analysis or scripting, and more. The job of professionals who perform penetration testing is to make sense of this data, curate it, and present the findings and scenarios accurately and clearly. Using a platform or set of systems that helps wrangle this data and allows for easy curation, collaboration, and reporting is common. Many organizations attempt to use traditional project management systems, or rely on mostly manual activity within word processing and spreadsheet applications. PlexTrac is an example of a platform that is purpose-built as a single pane of glass where all the data from penetration testing ends up. PlexTrac users are able to simply and efficiently gather all the requisite data, triage and work with findings directly in the platform, and generate reports.
So, there we go. The who, what, when, where, and why of penetration testing. The key takeaway to remember here is that pentesting is an important offensive security activity that utilizes many compliance frameworks, types, steps, and tools in order to accomplish a seemingly simple goal — finding and reporting on found vulnerabilities in a target’s security posture.
PlexTrac is an important tool for penetration testers, as it allows these uniquely skilled workers to stay focused on the fun hacking work by empowering a faster, more efficient, and easier solution for data aggregation and reporting. Book your free demo of the PlexTrac platform today.
Nick Popovich
PlexTrac Hacker in Residence
Nick Popovich’s passion is learning and exploring technology ecosystems, and trying to find ways to utilize systems in unexpected ways. His career has focused on adversarial threat simulation, offensive and defensive security, and advanced technical security assessments. Nick’s mission is to help individuals and organizations involved with defensive security operations to have an opportunity to observe the mechanics and methods of the attackers they’re defending against, and to assist in realistically testing those defenses. He’s a lifelong learner and loves finding new ways to get under the hood of systems and networks. He is a father of three and a husband to one.