Six Stages of Penetration Testing

Through penetration testing, you can proactively identify the most exploitable security weaknesses before someone else does. However, there’s a lot more to it than the actual act of infiltration. Penetration testing is a thorough, well thought out project that consists of several phases. Read on to learn about what it takes to complete a successful pen test.

Planning and Preparation

Many old adages proclaim the import of preparation, and when it comes to penetration testing, planning is indeed the key to success. There are multiple ways to approach a pen test and figuring out your goals and scoping accordingly is key to ensuring that you’re going to get the most out of the process. Consider these questions to ensure your expectations are aligned with the testers and you get the information you’re looking for.

• Do you want an external test, which simulates an attack from an outside individual or organization, or an internal test, which simulates an attack from an insider, or an attacker that has a foothold within the organization?
• Would you prefer your security team to know a pen test is about to be performed, or would you rather it be performed covertly to identify their effectiveness in detecting the activity?
• How much information do you want to share with the pen testers beforehand?
• How aggressive are the pen testers allowed to be?

Discovery

Once the scope has been established, pen testing teams can get to work. In this discovery phase, teams perform different types of reconnaissance on their target. On the technical side, information like IP addresses can help determine information about firewalls and other connections. On the personal side, data as simple as names, job titles, and email addresses can hold great value. Attackers can use this data to send phishing emails or figure out who may have privileged credentials, with which they can get full access to the environment. Additionally, before exploiting a system, pen testing teams must look for weaknesses within the environment. Often referred to as footprinting, this phase of discovery involves gathering as much information about the target systems, networks, and their owners as possible without attempting to penetrate them. An automated scan is one technique that can be used to search for vulnerabilities that can be used as a doorway.

Penetration Attempt and Exploitation

Now informed about their target, pen testers can begin using these newly discovered entry points, testing all of the weaknesses they discovered. They will attempt to enter the target through these identified entry points. But pen testers will do far more than just attempt to gain access. Once inside a compromised system, they will try to elevate their access privileges within the environment, allowing them to take any number of additional actions. Gaining administrative privileges enables pen testers to identify security weaknesses in other areas and resources, like poor configuration, unguarded access to sensitive data, or ineffective management of accounts and passwords.   
Additionally, multiple types of assets can be tested. In addition to the on-premise network infrastructure and workstations you’d expect could be vulnerable to attack, mobile devices, web applications, and even IoT devices like security cameras, can also be put to the test.

Analysis and Reporting

Pen testers should carefully track everything they do during the discovery and exploitation process.  From there, they can create a report that includes all of these details, highlighting what was used to successfully penetrate the system, what security weaknesses were found, and any other pertinent information discovered. These reports should also include analysis to help map out next steps once the test has concluded. Pen testing teams can help determine the highest priority items that an organization should take care of as soon as possible, as well as suggestions for remediation methods.

Clean Up and Remediation

Just as with a real attack, pen testers can leave “footprints.” It’s critical to go back through systems and remove any artifacts used during the test, since they could be leveraged in the future by someone with nefarious intentions. Once this is completed, an organization can go about the business of fixing the security weaknesses discovered and prioritized during the testing phase. This may include putting compensating controls in place to protect weaknesses that cannot be easily remediated, or even investing in new solutions that can streamline security and improve efficiency.

Retest

Penetration tests can and should be utilized frequently, especially when new applications or infrastructure are being deployed. Even if your organization believes they resolved every weakness listed in a previous report, the best way to ensure your remediations are effective is to test again. Additionally, IT environments, and the methods used to attack them, are constantly evolving, so it is to be expected that new weaknesses will emerge.

With so many breaches dominating the news, it’s more critical than ever to reduce the chance that an incident could put your organization’s reputation and trustworthiness at stake. Organizations should do everything they can to understand and avoid behaviors that put them at risk. Pen testing is an essential part of a risk assessment strategy and helps ensure that your organization is reducing the chance of a damaging breach occurring within your environment.