When it comes to cybersecurity, penetration testing is a critical component of any strategy. Unlike many think, pentest is almost never the first thing you need to do once you start caring about your cybersecurity.
Artem Mykhailov, ISSP Enterprise Solutions Director, explains how organizations must define the scope of the test in order to ensure the correct assets are tested and relevant techniques are applied.
Think of it as some sort of an exam — you spend some time preparing Defence and then you check how good it actually is. So it doesn’t make much sense to have the test before you hardened your infrastructure and minimized the attack surface.
But if you already did some homework and know for sure that you need a pentest, knowing how to scope the test can be difficult and complicated, which often leads to an absolute disaster in the financial expectations (the test get’s expansive) or at the reporting stage (you can’t really use the results of the test). If not managed properly, the customer’s and provider’s expectations become extremely different.
Understanding the pentest
Penetration testing is one of the most effective methods for evaluating an organization’s security posture. It involves simulating attacks on systems, networks, and applications in order to identify vulnerabilities that could be exploited by malicious actors in the real world.
Penetration testing is a very technical type of security assessment that is used to identify and exploit weaknesses in an organization’s systems, networks, applications and even people.
In short, you ask a white hat hacker to hack you. It helps organizations find the vulnerabilities that exist within their security infrastructure.
Vulnerabilities always exist at any given time, the chance your IT systems are getting more vulnerable each day is tremendous.
in 2022 a minimum of 60 new vulnerabilities were discovered daily
So our goal is to find the actual vulnerabilities, which can be addressed before malicious actors have an opportunity to exploit them.
Don’t start with a pentest
Small organizations often think that pentest is perhaps the only right way to kick-off their cybersecurity. Unfortunately, in most cases, this isn’t accurate and could be a waste of money. If you never even did a comprehensive vulnerability scan and patch management depends on the rare constellation, the pentest would show so many critical findings, which exist due to silly mistakes or as a result of NOT caring about cybersecurity for too long. Which means you need to prepare for the pentest.
Finding the vulnerabilities that exist in an organization’s systems is great. It’s important, but good penetration testing also provides valuable insights into how attackers could potentially gain access to sensitive information or disrupt operations. This is what makes the pentest different from a vulnerability scan. This can help organizations better prepare for cyber threats as they become increasingly sophisticated. Moreover, penetration testing can provide insight into which types of cyber threats are most likely to target an organization so they can tailor their cybersecurity strategies accordingly.
Plan your pentest
Penetration testing requires careful planning and precise execution in order to yield meaningful results. Otherwise, you risk paying a fortune for a service, which results you would be barely capable to use.
Organizations must define the scope of the test in order to ensure the correct assets are tested and relevant techniques are applied. The scope should also include specific objectives such as determining the level of access attackers may be able to gain if successful or identifying indicators of compromise (IOCs) that could indicate a compromise has occurred.
As for the latter don’t overestimate the pentest capabilities — a much better alternative to define IoCs would be a compromise assessment.
Identifying the scope should always start from the definition of the asset group, which hackers could aim to target, thus knowing your assets (inventory) and knowing which are critical is an essential first step.
Eventually, you should answer many questions in regard to the scope of a pentest:
Decide if you want to test your web apps?
Do you want related API covered as well?
Do you have mobile apps which should be tested?
Should the pentester use social engineering technics or you better focus on purely technical assessment without interaction with your users?
Do you have a production environment with OT networks?
Do you want to test your externally published IPs?
Do you want to include an internal pentest?
If you have an access to the source code of your apps, why not have a source code analysis also called a Whitebox pentest? Effectively, this is the cheapest way to mitigate your vulnerabilities.
All of the above tests are different and utilize completely different methodologies and frameworks. In addition, white hackers usually have a specialization and are good at limited target types. This means if the scope you designed includes very different targets, you would need to assemble a pentesting team with several experts, who have different expertise.
Selecting the appropriate attack vectors, tools & techniques
Once the assets and services to be tested have been identified, organizations must then select the appropriate techniques to use during the test. This requires careful planning and consideration of the organization’s security posture and IT infrastructure specifics, as well as an understanding of how attackers operate. It is important to determine which types of attacks are most likely to succeed against your organization’s systems, networks and applications, as this will help you select the right test vectors.
Determining which tools and techniques to employ can be difficult for small businesses, particularly if you’re uncertain of what goals a potential attack could have. Consider your most likely perpetrator: is it a competitor or partner with access to certain systems? Or it is a customer or dishonest employee? Defining adversary types will give you a little bit more clarity needed to effectively plan the penetration test project.
Fortunately, this task is usually taken care of by the provider — so you don’t have to spend a lot of time and energy into understanding the attacker's technics, however, you need to know what threat and attack vectors you are going to test.
Manual vs Automated Tests — Pros & Cons
Selecting tools and techniques for a penetration test is usually a pentesters duty so it is a penetration testing team’s discretion what tools to use. There are many great free tools to use, but there are also lots of very sophisticated paid tools. A pentest team you hire should already have a balanced toolset. But what you can consider is whether you give a try with automated penetration testing methods which eliminate the necessity to have a real person on the loop, or not. The point is that manual testing involves an experienced tester performing targeted tests against specific systems or services with a variety of tools. And let’s be honest, so far this is the only way to have a qualitative vulnerability discovery.
Vulnerability scanning tools are a great example of automated vulnerability discovery to supplement penetration testing efforts.
Vulnerability scanners are automated programs that scan a system for known vulnerabilities and generate reports on their findings. These reports can help organizations identify potential weaknesses in their security infrastructure and are widely used by pentesters to narrow down the attack vector discovery process.
The Vulnerability Scanning report is often demanded by various regulators and sometimes is even treated as the pentest report by the latter. Don’t get misled into thinking that a vulnerability scanning tool could eliminate the necessity to run a pentest. Automated testing uses automated scripts to scan a target system in order to identify potential vulnerabilities that can then be exploited manually by a tester. Automated tools are often faster than manual testing but may not provide as thorough coverage or produce false positives that require manual validation. Either way, the results should be cross-checked by an expert to avoid having a list of hundreds of false-positive findings.
There is also the Breach and Attack Simulation (BAS) type of tool, which try to do more than a simple vulnerability scanner can offer. These tools are trying to exploit the detected vulnerabilities and design real attack scenarios, but just like ChatGPT could provide you silly answers, BAS tools do not always provide good results. The best results BAS tools demonstrate for internal Penetration Tests in large distributed infrastructures. For every dollar paid, small businesses would benefit more from manual penetration test engagements.
Black, grey, white
So the famous box colors. There are three types of pentest Blackbox, Greybox and Whitebox.
The difference between them is in the amount of information provided.
In a Blackbox pentest only very basic info about the target system is known before the test, while in the Greybox Pentest there are some internal details known (usually a pentester gets an active user account to see how far it could go using the particular user type access) and finally Whitebox Pentests include full system control and access. Sometimes a source code analysis is considered within the Whitebox penetration test engagement — but you need to have access to the source code of the app, which you would also provide to the assessors and this should be defined explicitly with the penetration testing team.
The more information you provide to the Penetration Testing team, the easier it will be for them to plan an effective attack simulation.
Finally, it is important for organizations to decide which information should be collected during the test in order to ensure successful outcomes. This includes collecting detailed logs of all activities conducted during the test, such as network traffic data, file contents, system configuration information and more. Collecting this data can provide valuable insights into how attackers attempt to gain access to sensitive information or disrupt operations within an organization’s environment so they can better prepare for future attacks
How penetration testing can strengthen your cybersecurity defences
The bad thing about the pentest is that once you start working with the report (mitigating the vulnerabilities) you might change your vulnerability landscape completely. This is a good thing and a bad one at the same time. On one hand, you improve your cybersecurity posture (eventually, this is why you do a pentest), on another the results of the pentest become obsolete very quickly and you need to plan a new pentest.
In general, penetration testing is a critical component of any cybersecurity strategy, and it can be complicated to define the right scope and attack simulation vectors. By understanding what information should be provided before starting the test, as well as which data needs to be collected during the process, organizations can ensure successful outcomes from their penetration tests. Pentesting must also become an ongoing practice for companies who want to stay ahead of attackers — ideally, with each new pentest you should get a smaller number of findings ending up with a “blanc” report somewhere in the future.
So plan regular pentests that are tailored to your organization’s security landscape! We can help. You can learn more and request a quote via the link.