What is Penetration Testing and Why Is It Important?
A penetration test, also known as a pen test, pentest, or ethical hacking is a type of security assessment that simulates cyberattacks against a computer system and is performed to evaluate how weak (or strong) the security of the system is. Penetration testing enables a full risk assessment to be completed because it checks not only for potential vulnerabilities but also strengths of a systems security.
Penetration testing is an important and valuable exercise that all organizations should run on a consistent cadence because insights from pen tests can be used to examine whether an organization’s security policies are genuinely effective and fine-tune and strengthen these policies to prevent future cyberthreats.
External Vs. Internal Penetration
Penetration testing happens in two phases which starts with an external pen test and ends with an internal pen test. The difference between the two is as follows:
External Penetration Testing
An external pen test is designed to test the effectiveness of perimeter security controls to prevent and detect attacks, while at the same time, identify weaknesses in internal-facing assets. Think websites, email, file shares, etc.
During an external pen test the simulated attacker performs reconnaissance on assets, collecting intelligence on things like open ports, vulnerabilities, and other general information about a “target” organization’s users (for password attacks). Once the simulated attacks successfully breaches the network, internal pen testing begins.
Internal Penetration Testing
An internal pen test is performed to help decipher what a threat actor could achieve, or to put it another way, how far a threat actor can laterally move, with initial access to a network. Internal pen tests can simulate insider threats, such as employees intentionally or unintentionally performing malicious actions, and other methods and vectors of entry.
Once domain admin access is achieved, or the simulated attacker can gain control of the organization’s most valuable information, the test is generally ended.
Often, penetration testing is considered a form of ethical hacking, as both internal and external pen tests revolve around an authorized attempt (hack) to gain unauthorized access to a network. Carrying out an ethical hack involves duplicating strategies and actions seen in a typical cyber kill chain.
Penetration Testing Vs. Vulnerability Assessment
Vulnerability Assessment and Penetration Testing are both valuable testing methods and are often combined to achieve a more complete analysis. They perform two different tasks with different results, within the same area of focus. Vulnerability Assessment intends to identify the vulnerabilities in a network, and is used to estimate how susceptible the network is to said vulnerabilities. Often, this assessment involves the use of automated network scanning tools. In contrast, Penetration Testing involves both identifying vulnerabilities and attempting to exploit them to penetrate into the system. The purpose of pen testing is to determine if the vulnerability is actually genuine.
In short, the key difference between the two is breadth vs. depth, whereas a vulnerability assessment focuses on uncovering as many weaknesses in a network, while penetration testing is used to decide if already “strong” security defenses are, in fact, hack-proof.
How Penetration Testing is Done
Penetration Testing is often conducted in 5 phases, although many groups approach pen testing with differing strategies and additional phases as needed.
Penetration Testing Phases
The 5 main phases in the average penetration test (similar to the Cyber Kill Chain):
- Reconnaissance: This step consists of gathering as much intelligence on the target organization as possible and potential targets for exploits. Pen testers will collect information about the system, network components, active machines, open ports etc.
- Scanning: This phase is tool-oriented – pen testers will run one or more scanner tools to gather more information about the target. This will mostly be collecting and noting as many vulnerabilities that the network has.
- Gaining Access: In this phase, the pen tester will try and establish a connection with the target and exploit the vulnerabilities found in the previous phase. Exploitations may be buffer overflow attack, denial of service (DDoS) attack, etc.
- Maintaining Access: Here is where the tester tries to create a backdoor into the network, which helps discover any hidden vulnerabilities in the system.
- Covering Tracks: The final phase consists of attempting to remove all logs and footprints, erasing any indicators of the testers presence in the network.
Although these are the 5 most common phases in a penetration test, many companies also add additional phases with the goal of reviewing and analyzing the findings from the pen test and discussing future strategy to fix vulnerabilities.
Penetration Testing Methods
White Box Testing
White box testing, also known as crystal or oblique box testing, is a method that shares full network and system information with the pen tester. This type of testing not only saves time and reduces overall costs of an engagement, it also is useful for simulating an attack on a specific system, revealing any number of attack vectors.
Black Box Testing
Black Box testing is a method that provides no information to the tester, forcing the tester to follow approaches of a threat actor that has no inside knowledge of the target. This means the pen tester goes through the entire attack lifecycle, from initial access and execution all the through to exploitation. This approach is most often considered the most authentic, however is often the most expensive as well.
Grey Box Testing
A grey box penetration test, sometimes referred to as a translucent box test, provides the tester with only limited information about the target. This method is the most helpful in understanding the level of access a privileged user could gain and the damage they could cause. Because of the balanced nature of this method (efficiency and authenticity), this is the most preferred type of penetration testing.
What You Can Do With the Results of a Penetration Test?
Once the results of a penetration test are made available, it’s important to go through the results, discuss plans going forward, and revisit the organization’s security posture overall.
Pen testers will provide thorough reports with information that consists of several elements. Specifically, detailed information on each phase of their test. Once the results are discussed, a good approach is to develop a remediation plan and validate implementation with a retest, and incorporate the findings into the long-term security strategy.
Types of Penetration Testing
Network Service Penetration Testing
Network service penetration testing, or infrastructure testing, is one of the most common types of tests performed. The main purpose of it is to identify the most exposed vulnerabilities and security weaknesses in a network.
A network infrastructure can include:
This type of test can help organizations prepare and protect themselves from common network based attacks (Router attackers, database attacks, etc.)
Web Application Penetration Testing
This type of testing is used to find vulnerabilities or security weaknesses in web-based applications. The scope often includes web-based applications, browsers and components like Plugins, Scriplets, Applets, etc.
Web Application Penetration Testing is considered to be a more complex test and requires a fair amount of time and effort in planning and executing the test.
Physical Penetration Testing
A physical penetration test is exactly what it sounds like, it’s a test to expose weakness and vulnerabilities in physical controls such as locks, barriers, cameras, sensors, etc. Although an organization’s physical security posture is often an afterthought, as it’s hard to imagine a threat actor gaining physical access, it’s important nonetheless.
Social Engineering Penetration Testing
Social Engineering Penetration Testing is where testers attempt to persuade or trick users into giving them sensitive information, such as usernames and passwords. Pen testers will use a handful of social engineering attacks, the main one often being Phishing.
It’s important for organizations to actively do social engineering penetration testing as recent studies from PurpleSec state that 98% of all cyber attacks rely on social engineering. Knowing this, social engineering tests and awareness programs are a key security measure for any and all organizations.
Cloud Penetration Testing
Although cloud providers offer robust security controls, an organization is ultimately responsible for securing their assets/workloads in the cloud. Which is why cloud penetration testing is so important. This is when testers attempt to infiltrate a system that’s hosted in the cloud, think Amazon’s AWS or Microsoft’s Azure. The main goal of this test is to find weaknesses and/or strengths of the systems.
As with all penetration testing methods, this test gives organizations a better understanding of the attack surface that your cloud systems could be exposed to and can help to improve cloud security.
IoT Penetration Testing
IoT pen testing or a connected device security audit is a test on an organization’s entire object ecosystem. That being the electronic layer, communications protocols, servers, web and mobile interfaces, embedded software, etc.
An IoT penetration test usually consists of three specific types of simulated attacks.
- Software Attack
- Non-Invasive Hardware Attack
- Invasive Hardware Attack
Each of these simulated attacks will discover weaknesses in the entire IoT ecosystem and provide details on how organizations can fortify their defenses.
Penetration Testing Tools
There are a handful of different types of tools that can be used, each for different stages in a penetration test.
Tools for Exploitation and Collecting Information
- Zmap: This lightweight network scanner is capable of scanning everything from a home network to an entire internet. It’s free, and pen testers often use this to gather baseline details about a network.
- Xray: Xray is a networking mapping tool that uses the OSINT framework to help guide its tactics.
- SimplyEmail: This is an email recon tool used to gather associated information found on the internet based on someone’s email. This is used by pen testers during the reconnaissance phase.
- PowerShell-Suite: PowerShell-suite is a collection of PowerShell scripts that can extract information about processes, DLLs, and other aspects of Windows machines. With this tool pen testers can quickly check which systems on a network are vulnerable to exploit.
Tools for Vulnerabilities
- NMAP/ZenMap: This network security mapping tool gives pen testers a look at the open ports on any given network and allows testers to dive into the feasibility of specific network-level vulnerabilities.
- sqlmap: This is an open-source penetration tool that brings validity to possible SQL injection flaws that might affect database servers. This is best used for tests focusing on exploiting databases.
- MobSF: A great tool for mobile platform vulnerability discovery. It’s an all-in-one platform for pen testing and vulnerability discovery via static and dynamic analysis.
- Linux-Exploit-Suggester: As the name suggests, this tool is best used for security testing on Linux systems without dealing with other robust vulnerability scanners.
Many Other tools
The lists above are just a small handful of penetration tools. There are many more and by doing a quick google search, you can find helpful tools for any stage of a penetration test.
How Often Should Organizations Do a Penetration Test?
As new technology advances and new threats present themselves, new (or old) vulnerabilities can be exploited. Organizations should be doing penetration testing at least once a year to ensure consistent IT and network security management.
In addition to a regularly scheduled penetration test, organizations should also run tests whenever a new network infrastructure or applications are added, significant upgrades or modifications are applied to applications, if a new office is established, and security patches are applied.
The SentinelOne Singularity Platform
It is imperative for organizations of all sizes to implement not only an annual cadence of penetration testing, but also make sure that they have a strong endpoint protection and XDR solution. With the SentinelOne Singularity Platform, organizations can prevent, detect, and undo known and unknown threats. See for yourself – Book a demo now.