Internal pen testing is performed by having the tester begin inside the network. It is done by simulating an attack that already succeeded. The tester will then perform actions that a malicious actor would do while inside to best understand the risk posture.
What is internal penetration testing?
Internal penetration testing evaluates the security posture of the systems that are not publicly available. This is any computer, server, application back-end, or other systems that requires someone to be internal to access them. The access is often via VPNs, jump boxes, bastion hosts, or simply being onsite. The pen testers will also need this kind of access to conduct their testing.
Internal penetration testing is when you test an environment that is not internet-facing. This is what lies behind the firewalls, load balancers, and front-end applications. Testing internal controls is important because attackers are still getting into environments from the outside. If you don’t test the internal network and systems, you leave yourself exposed to a breach that could run rampant.
The penetration testers will simulate a malicious insider, such as a disgruntled employee or a compromised system.
They can do this by simply bringing their workstation onsite or connecting to the corporate network remotely.
Other, more constrained tests may require the tester to start from a standard workstation then attempt to move laterally.
Why internal penetration testing?
According to Mandiant https://content.fireeye.com/m-trends/rpt-m-trends-2021, in 2020, malicious actors in 2020 had been inside the internal environment for an average of 24 days. In these cases, only 12% of these breaches were discovered by the company’s internal team. This is the reason internal pen testing is a must.
The goal of internal pen testing is to simulate a malicious actor inside your environment. Often this is overlooked as it is considered improbable, impossible, or otherwise not a big concern.
The internal pen test looks for weaknesses in the systems that an attacker would have access to once inside. These can be a lack of security controls, out-of-date software, weak passwords, or other problems that companies ignore since they are not publicly available.
Having the penetration test done will detect these problems, keeping your company, customers, and data safe. It can also reduce your cyber insurance premium and future liability if you are adhering to industry standards.
How to conduct an internal penetration test?
Internal penetration testing can be conducted by an internal team or a third party. We recommend using a third party at least annually (annual article link).
If using an internal team, they should not be involved in the setup or maintenance of existing controls; otherwise, they may be biased.
Once the team is selected, they should be given access to the internal environment, whether it be through remote access setup or onsite visits.
The testers should either use a preconfigured testing machine, often Kali Linux, or be given access to a standard user workstation that they can start from.
If this is your first test, giving the team IP address ranges and other information will yield the most valuable results. We recommend only conducting black-box tests once you are already conducting regular pen tests.
Should you also perform external pen testing?
External pen testing should also be performed. External testing is often considered more of a priority than internal, but we think they should be weighted equally.
Testing both can be done simultaneously or spread over two tests. However, we recommend starting with the external testing first to simulate an attacker that does not have access, followed by an internal test to work under the assumption the attacker managed to breach the exterior.