Penetration Testing

What is penetration testing?

A penetration test is an authorized simulated attack performed on a computer system to evaluate its security. Penetration testers use the same tools, techniques, and processes as attackers to find and demonstrate the business impacts of weaknesses in your systems.

Penetration tests usually simulate a variety of different attacks that could threaten your business. A pen test might examine whether a system is robust enough to resist attacks from authenticated and unauthenticated positions, as well as a range of system roles. With the right scope, a pen test can dive into any aspect of a system that you need to assess.

Benefits of penetration testing

Ideally, your organization has designed its software and systems from the start with the aim of eliminating dangerous security flaws. A pen test provides insight into how well you’ve achieved that aim. Pen testing supports the following security activities, among others:

• Finding weaknesses in systems
• Determining the robustness of controls
• Supporting compliance with data privacy and security regulations (e.g., PCI DSS, HIPAA, GDPR)
• Providing qualitative and quantitative examples of current security posture and budget priorities for management

Types of pen testing

Depending on the goals of a pen test, the organization provides the testers varying degrees of information about, or access to, the target system. In some cases, the pen testing team sets one approach at the start and sticks with it. Other times, the testing team evolves their strategy as their awareness of the system increases during the pen test. In the industry, we talk about three types of pen tests:

• Black box. The team doesn’t know anything about the internal structure of the target system. They act as hackers would, probing for any externally exploitable weaknesses.
• Gray box. The team has some knowledge of one or more sets of credentials. They also know about the target’s internal data structures, code, and algorithms. Pen testers might construct test cases based on detailed design documents, such as architectural diagrams of the target system.
• White box. For white box testing, pen testers have access to systems and system artifacts: source code, binaries, containers, and sometimes even the servers running the system. White box approaches provide the highest level of assurance in the least amount of time.

Phases of pen testing

Pen testers aim to simulate attacks carried out by motivated adversaries. To do so, they typically follow a plan that includes the following steps:

• Reconnaissance. Gather as much information about the target as possible from public and private sources to inform the attack strategy. Sources include internet searches, domain registration information retrieval, social engineering, nonintrusive network scanning, and sometimes even dumpster diving. This information helps the pen tester map out the target’s attack surface and possible vulnerabilities. Reconnaissance can vary with the scope and objectives of the pen test, and might be as simple as making a phone call to walk through the functionality of a system.
• Scanning. The pen tester uses tools to examine the target website or system for weaknesses, including open services, application security issues, and open source vulnerabilities. Pen testers use a variety of tools based on what they find during reconnaissance and during the test.
• Gaining access. Attacker motivations vary from stealing, changing, or deleting data to moving funds to simply damaging your reputation. To perform each test case, pen testers must decide on the best tools and techniques to gain access to your system, whether through a weakness, such as SQL injection, or through malware, social engineering, or something else.
• Maintaining access. Once pen testers gain access to the target, their simulated attack must stay connected long enough to accomplish their goals: exfiltrating data, modifying it, or abusing functionality. It’s about demonstrating the potential impact.

Types of pen testing tools

There is no one-size-fits-all solution for pen testing. Instead, different targets require different sets of tools for port scanning, application scanning, Wi-Fi break-ins, or direct penetration of the network. But broadly speaking, the types of pen testing tools fit into five categories:

1. Reconnaissance tools for discovering network hosts and open ports
2. Vulnerability scanners for discovering issues in network services, web applications, and APIs
3. Proxy tools (e.g., specialized web proxies or generic man-in-the-middle proxies)
4. Exploitation tools to achieve system footholds or access to assets
5. Post-exploitation tools for interacting with systems, maintaining and expanding access, and achieving attack objectives

Pen testing versus automated testing

Pen testing is mostly a manual effort. Pen testers do use automated scanning and testing tools in the process. But they also go beyond the tools and think their way through security barriers using their knowledge of the latest attack techniques to provide more in-depth testing than a vulnerability assessment (i.e., automated testing) can provide. Here are a few comparative advantages of manual pen testing and automated testing:

Manual pen testing

Pen testing uncovers vulnerabilities and weaknesses not found in popular lists (e.g., OWASP Top 10) and tests business logic that automated testing can overlook (e.g., data validation, integrity checks). Also, a manual pen testing review can help identify false positives reported by automated testing. Overall, manual pen testers are experts who “think” like adversaries and can analyze data to target their attacks and test systems and websites in ways automated testing solutions following a scripted routine cannot.

Automated testing

Automated testing generates results faster, and needs fewer specialized professionals, than a fully manual pen testing process. Automated testing tools track results automatically and can sometimes export them to a centralized reporting platform. Also, while the results of manual pen tests might vary from test to test, running automated testing repeatedly on the same system will produce the same results.