A penetration test, sometimes called a "pen test," is an authorized simulated attack to check for vulnerabilities that could be exploited by malicious hackers. In order to carry out a pen test, penetration testers (often referred to as ethical hackers) use many of the same tools and techniques as those used by black hat hackers, but with permission from the owner of the target system.
Penetration testing can help organizations identify vulnerabilities in their systems before attackers do. In this article, we'll provide a step-by-step guide for conducting a penetration test. We'll cover everything from planning and scope to execution and reporting. By the end of this post, you'll have a better understanding of how penetration testing works and what it can do for your organization.
Determine why you need a penetration test and what type
A penetration test may be required to fulfill a variety of requirements, ranging from completing a compliance checkbox to reaching internal objectives for bolstering the organization's security posture. You will want to fully understand the reasons for your penetration test before engaging a third party so that you can be certain they can meet your needs. You may also discover that a penetration test is not your first step. For example, a gap analysis or architecture review may yield a better return on investment. Additionally, depending on your industry, a penetration test may be mandated to meet compliance such as those for PCI-DSS or HIPAA.
As a beginner to the world of penetration testing, it is critical that you not only understand why you need a penetration test but also what type works best for your circumstances. Is the target your external network surface, your internal network, an application, a physical building, or something else? Your penetration testing partner will need information about the target's nature and size in order to scope the effort of the test. A great partner will guide you towards the most appropriate solution that meets your needs.
Selecting a penetration test partner
Making sure you select the right partner to conduct a penetration test for your organization is essential in protecting sensitive information and assets. There is no widely accepted certification for penetration testing companies, so when choosing such a partner, ask about their staff's individual qualifications and experience.
Staffing good experienced penetration testers is expensive. Beware of solutions that appear to significantly cut the cost of a penetration test. Here are some key considerations:
- Where are the staff located? Remember, you are hiring people to hack your organization. If you are a US-based company then it is likely you would prefer to work with a US-based penetration testing company. Also bear this in mind if considering any crowd-sourced offerings.
- How much experience will your resources have? Beware of the bait-and-switch, where pen test companies use experienced consultants to sell a job, then switch to under-experienced new hires to complete the work.
- Automated penetration tests aren't real penetration tests. Some vendors will claim they have automated the penetration testing process, but this is simply not possible to do well, and is typically not acceptable for compliance. There is a significant difference between an automated vulnerability scan and a human-driven penetration test.
Make sure to ask as many questions as needed in order to assess the company's knowledge and technical expertise. Additionally, determine what type of service they provide and any associated hidden fees that come with those services before making your decision. Taking the time to research your options will help ensure you are connecting with an experienced and reputable partner who can help keep your sensitive information safe and secure. We would love for you to choose Secure Ideas, but in case you decide to go in a different direction please see our list of the companies we would recommend.
Penetration test scoping and SoW
Penetration tests are typically scoped to evaluate the security posture of a specific system or network. The scope of a penetration test will be determined by the goals and objectives of the test, which are normally established through a scoping meeting between you and the penetration testing team. During the scoping process, you will identify the systems, networks, and applications that are to be tested, as well as any constraints or limitations that need to be taken into account, such as specific testing windows or testing procedures that must be followed. If you are requesting proposals from multiple penetration testing teams then you will repeat this process with each team.
Once the scope of the penetration test has been established, the penetration testing team will generate a statement of work (SoW) that outlines the goals, objectives, and methodology of the test. The SoW will typically include a detailed description of the systems and applications to be tested, as well as the tools and techniques that will be used to conduct the test. The SoW may also include a timeline for the test, as well as any deliverables that will be provided to you. In most cases, the SoW is a contract that lives under a Master Services Agreement (MSA).
Prepare for your penetration test
Preparing for a penetration test is essential to ensure the success of your organization's security assessment. To do this, make sure that you have the appropriate information gathered for the test. For example, for a network pen test, you will need a host inventory which includes IP address ranges, and possibly a network diagram. Additionally, you may need to create test accounts in whatever system you're using.
Your pen test partner will want to schedule a kick-off before the test officially begins. Depending on the partner this is usually anywhere from 1-4 weeks before the start of the test. During this kick-off, your pen test partner should go over the following items:
- Review the scope of the test
- Discuss any sensitive systems that should be treated with special attention or removed from scope
- The schedule, including start/stop times and any blackout times
- Communication plan and points of contact
- Review the rules of engagement, including action on indications of compromise (IoC)
Finally, once the preparation steps are completed, you'll be ready to start your penetration test.
Penetration test execution
A good pen test company will follow a methodology that resembles the one defined in the Penetration Test Execution Standard (PTES). It will typically made up of 4-5 phases as follows:
- Reconnaissance or Intelligence Gathering
- Mapping or Threat Modeling
- Discovery or Vulnerability Analysis
- Exploitation
- Post Exploitation (optional)
Many pen test companies will blur the line between the last phase (Post Exploitation) with the Exploitation phase.
It is essential for organizations to fully understand what methodology the pen testers will be using, and how much effort is expected to go into each phase. Organizations should beware of any penetration testing company that cannot clearly define their own methodology. Depending on the goals of the test, less effort may be required in certain phases. For example, reconnaissance is a larger part of black box tests than white box tests. Emphasis on exploitation activities is less critical for organizations that already have a mature security program that will take steps to remediate many vulnerabilities without a full proof of concept.
The pen test team will start drafting the report during the test and will typically deliver a version for review within two weeks of the end of the test. If it takes any longer than two weeks then it may be time for you to find a new pen test team.
Reviewing the penetration test report
Once the penetration test is completed, it's time to review the findings presented in the report. This is a critical step that should not be rushed. Careful analysis of the findings allows for high-level understanding of the findings, steps to reproduce and gives insight into potential risks. When reviewing a penetration test report, it also helps to prioritize findings and make a plan for remediating any major issues that were discovered.
Tell your pen test team if you find parts of the report unclear or if you disagree with any of it. Clarity is important so that you understand the risk and so that you can reproduce any findings in order to resolve them. You also may have information about your system that the pen test team did not take into consideration during the testing process, which could alter the pen test team's assessment. Communication is very important in this step.
If you are interested in more details about what you should expect in a report, see What is a Penetration Test Report? for more information on what is in a report. Interested in seeing a sample report from secure ideas? See our sample report.
Remediation and Retesting
You have a penetration test report with a detailed risk-ranked list of findings. Now it is time to remediate issues. Always start with immediately tackling any issues marked as critical because these should be indicative of an imminent threat. In most risk-ranking systems, a critical finding is rare and worthy of emergency changes.
All other issues should be prioritized and scheduled for remediation from high to low priority by risk. It is important to note that taking an action on issues does not always mean completely fixing them. Sometimes the ideal security fix is complex or expensive. In these cases, alternative solutions should be explored, such as introducing a compensating control. There may also be situations where a particular risk is low enough that a business chooses to simply accept it. In this situation, the industry best practice is to record the issue in a risk registry for review on an annual basis.
To make sure that remediation has been effective, retesting must be performed shortly after completion. It is a good idea to establish ahead of time with your pen test team if retesting is included in the price. After the retesting is finished, a letter of attestation, if required, should be received from the testing provider to verify that remediation has been successfully implemented.
What's Next?
A penetration test is a valuable tool for any organization looking to shore up its cybersecurity posture. But it can be a daunting task, especially for someone who has never been involved in one before. By understanding the reasons for conducting a penetration test and selecting the right partner, you can set your organization up for success. We hope you consider leveraging the considerable experience of Secure Ideas as your penetration testing partner. Are you ready to take your security to the next level? Schedule a scoping call with us today to discuss your specific requirements!