A strong penetration testing methodology evaluates the organization’s security posture, is comprehensive, and is not entirely automated. But to be comprehensive, your pen test should cover these seven steps or phases:
- Scoping
- Reconnaissance
- Vulnerability Assessment
- Penetration Test
- Lateral Movement
- Artifact Collection/Destruction
- Reporting/Debriefing
The best pen testing includes targeted reconnaissance and enumeration, uses automated scanning tools to uncover vulnerabilities, and then dives deeper using manual verification and validation. Custom and automated scripts gather in-depth information about the target, all while minimizing business process disruption.
1. Scoping – Determine the rules of engagement for the assessment.
The project or testing scope agreement, typically included in a Statement of Work with the testing vendor, should cover the high-level testing methodology and the exploitation depth allowed once vulnerabilities are discovered. Penetration testing is a white hat process, meaning the attacker is a tester playing by rules of engagement determined during scoping; therefore, the engagement itself should not disrupt normal business operations, and the agreement should account for those occasions when it might.
Because the attacker, in this case an ethical testing expert, could gain insight and information critical to the business, a non-disclosure agreement must be signed between both parties before beginning the pen test process.
Things to consider in the agreement:
- Is testing conducted during non-peak business hours?
- Can the tester change data in production servers?
- Is the tester allowed to impersonate an authoritative figure within the enterprise?
2. Reconnaissance – Gathering any information relevant to the assessment goals and enumerating the attack surface.
During this next phase, the tester will use various sources to gather as much information about the target as possible, including researching the organization, generating threat intelligence, and enumerating attractive services within the network. An experienced penetration tester will collect information available publicly, called open-source intelligence, as well as general information about systems provided by the enterprise that might also be available in public.
Web crawlers and statistical gathering services on the internet provide valuable information about targets without the need to query enterprise employees. For example, if a web application is part of the target or testing scope, there are many tools online to report full details about the operating system, web server software, scripts, and more.
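The detail that reconnaissance tools report (web server software, scripting engine, versions) is very often read straight out of HTTP response headers. The following script is an added example, not code from the original article: it parses captured response heads and flags the headers that disclose implementation details, which is a quick way for a defender to see what a tester will learn about a system before the assessment starts. The hostnames and responses are constructed sample data.

```python
"""Audit captured HTTP response heads for headers that disclose server
software and versions. Added example; the sample responses are constructed."""
import re
from typing import Dict, List

# Constructed sample responses, as a server might return them.
SAMPLE_RESPONSES = {
    "app.example.test": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache/2.4.29 (Ubuntu)\r\n"
        "X-Powered-By: PHP/7.2.24\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    "api.example.test": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "Strict-Transport-Security: max-age=31536000\r\n"
        "Content-Type: application/json\r\n\r\n"
    ),
}

# Headers that commonly reveal the software stack behind a site.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
# Matches dotted version numbers such as 2.4.29 or 7.2.
VERSION_RE = re.compile(r"\d+(\.\d+)+")


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response head into a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the status line
    headers: Dict[str, str] = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def fingerprint_leaks(raw: str) -> List[str]:
    """Return one finding per header that reveals software or version info."""
    findings = []
    for name, value in parse_headers(raw).items():
        if name in DISCLOSING_HEADERS:
            if VERSION_RE.search(value):
                findings.append(f"{name} discloses a version: {value}")
            else:
                findings.append(f"{name} discloses software: {value}")
    return findings


def audit(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the header check over every captured response, keyed by host."""
    return {host: fingerprint_leaks(raw) for host, raw in responses.items()}


if __name__ == "__main__":
    for host, findings in audit(SAMPLE_RESPONSES).items():
        print(host, findings or ["no disclosing headers"])
```

A version string in a `Server` or `X-Powered-By` header is rated more serious than a bare product name, because it lets a tester (or an attacker) go directly from reconnaissance to a list of known issues for that exact release; stripping or genericising those headers is the usual mitigation.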
3. Vulnerability Assessment – Identifying vulnerabilities and quantifying the risk associated.
This phase of the engagement goes deep to identify the vulnerabilities on the target network. The penetration tester will send probes to the target network, collect preliminary information, and then use the feedback to probe for more input and to discover additional details.
The outcome from this phase can contain the following:
- Directory structure on a specific server
- Unauthenticated (open) access to some FTP or web servers
- Available SMTP access points providing architectural details about the network through error messages
- Remote-code execution possibilities
- Cross-site scripting vulnerabilities
- Internal code-signing certificates that could be used to sign new scripts and inject them into the network
4. Penetration Testing – Actively exploiting vulnerabilities identified.
Once a threat model and attack plan have been developed based on the discovered vulnerabilities, the next phase is to penetrate systems in the targeted network. There is no guarantee that every discovered vulnerability will be exploited; there could be a secure network, DMZ, firewall, server, router, or an old system in the network that remains outside the scope of the test.
The experienced penetration tester will focus on vulnerabilities that can be exploited to gain access to the target system. During this phase, the tester is also focused on collecting more in-depth data across the target network.
5. Lateral Movement – Maintaining access to the environment and continuing to gain access to data or assets.
Once the tester gains access to a system, they will inject agents that maintain access to the system. Maintaining successful access means these agents live in the system and keep that access over a period of time, even if the system is rebooted, reset, or modified by network administrators.
6. Artifact Collection/Destruction – Gathering up any accounts, software, or files left behind from testing.
The phase following exploitation and maintained access ensures that every exploited system is cleaned after the data for the testing report has been gathered. Cleaning removes all agents, scripts, planted executable binaries, temporary files, and similar artifacts.
The clean-up process should ensure that all installed backdoors or rootkits have been removed, and it should return the system configuration to its original, pre-engagement state. Any credentials changed should be restored, and any additional usernames created should be removed.
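One reliable way to confirm that clean-up returned a system to its pre-engagement state is to snapshot accounts, scheduled jobs and file hashes before the test and diff that baseline against a snapshot taken after clean-up. The script below is an added example, not code from the original article: the `Snapshot` and `CleanupReport` types and the `verify_cleanup` function are assumptions of this example, and both snapshots are constructed data (in practice they would come from the same collection tooling run before and after the engagement).

```python
"""Diff a pre-engagement baseline against a post-clean-up snapshot to find
artifacts the tester left behind. Added example; all snapshot data is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Snapshot:
    """What was collected from one host at one point in time (hypothetical format)."""
    accounts: Set[str]
    cron_jobs: Set[str]
    files: Dict[str, str]  # path -> content hash (shortened, constructed values)


@dataclass
class CleanupReport:
    leftover_accounts: List[str] = field(default_factory=list)
    leftover_jobs: List[str] = field(default_factory=list)
    leftover_files: List[str] = field(default_factory=list)
    modified_files: List[str] = field(default_factory=list)
    missing_files: List[str] = field(default_factory=list)

    def is_clean(self) -> bool:
        """True only when nothing was added, changed, or removed."""
        return not (
            self.leftover_accounts
            or self.leftover_jobs
            or self.leftover_files
            or self.modified_files
            or self.missing_files
        )


def verify_cleanup(before: Snapshot, after: Snapshot) -> CleanupReport:
    """Compare the post-engagement state with the baseline and report every deviation."""
    report = CleanupReport()
    report.leftover_accounts = sorted(after.accounts - before.accounts)
    report.leftover_jobs = sorted(after.cron_jobs - before.cron_jobs)
    report.leftover_files = sorted(set(after.files) - set(before.files))
    report.missing_files = sorted(set(before.files) - set(after.files))
    report.modified_files = sorted(
        path for path in before.files
        if path in after.files and before.files[path] != after.files[path]
    )
    return report


# Constructed baseline captured before the engagement.
BASELINE = Snapshot(
    accounts={"root", "www-data", "backup"},
    cron_jobs={"0 2 * * * /usr/local/bin/backup.sh"},
    files={"/etc/ssh/sshd_config": "a1b2", "/var/www/index.php": "c3d4"},
)

# Constructed snapshot captured after clean-up: a test account, a dropped
# binary and a configuration change were all missed.
AFTER = Snapshot(
    accounts={"root", "www-data", "backup", "svc-pentest"},
    cron_jobs={"0 2 * * * /usr/local/bin/backup.sh"},
    files={
        "/etc/ssh/sshd_config": "9e9e",
        "/var/www/index.php": "c3d4",
        "/tmp/agent.bin": "e5f6",
    },
)


if __name__ == "__main__":
    report = verify_cleanup(BASELINE, AFTER)
    print("clean" if report.is_clean() else report)
```

The diff is intentionally symmetric: files missing after the engagement are reported alongside leftovers, because restoring configuration means undoing deletions as well as removing additions. Comparing content hashes rather than timestamps catches a modified configuration file even when its modification time has been reset.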
7. Reporting/Debriefing – Communicating the test results.
The vendor then submits a report to the client; this report is the tool that will best communicate your pen test results, and the report will target two different groups: business executives and technical teams.
The pen test report should start with an executive summary explaining your penetration test strategy in business terms, identifying results by risk rating. This section should be brief, and it might be the most important piece the client uses to make decisions: the business team will decide what to fix, and which issues represent an acceptable level of risk.
The second part of the report is technical detail, which should be descriptive and specific, avoiding general or vague statements. The technical team will use this part of the report to take action and fix security issues discovered during the penetration test.
Once vulnerabilities have been remediated, the client can decide whether to retest their systems, ensuring that fixes were successful and determining whether any new vulnerabilities were created as a result of remediation.
Successful, comprehensive pen tests should generate clear, understandable, and actionable results to business leaders, as well as provide clear understanding to the enterprise technical teams about the security risks on their targeted systems.