What is Penetration Testing? Here’s Why Every Business Needs a Pen Test

A pen test can help your business identify vulnerabilities that are exploitable and provide insight into the current weaknesses in your defenses.  

This type of test can help you pinpoint the gaps that may have gone unnoticed. 

Take, for example, Capital One, who had one of the most extensive security breaches of 2019—when one lone hacker exfiltrated nearly 30 GB of credit application data, impacting 106 million people.

All it took was one entry point for the hacker to access Capital One’s misconfigured WAF (Web Application Firewall) in the bank’s cloud infrastructure. This particular hack was quite intriguing—requiring expert knowledge of AWS Services and IAM, data exfiltration techniques, and WAF vulnerabilities.

According to Brian Krebs, the misconfigured WAF had been “assigned too many permissions, i.e., it was allowed to list all of the files in any buckets of data and to read the contents of each of those files.”

Capital One’s data breach provides some takeaways that other organizations can learn from, such as resource separation. PII data should not be accessible directly from any other account and should always minimize risk by using the principle of least privilege. Capital One used the account that had permission to change the WAF—which had access to PII data. (This is not a good security practice).

The Internet Society says this type of attack could have been prevented by proper diligence and penetration testing.

What is Pen Testing?

Pen testing, also known as penetration testing, involves an attack against a network performed by cybersecurity professionals. The primary purpose of a pen test is to assess network security, locate exploitable vulnerabilities, and identify security weaknesses—before any real-world malicious hackers do. 

As described in our previous blog post, a Pen Test is a simulated cyberattack meant to highlight weak points in your company’s computer infrastructure—hacking you before the criminals do to determine what needs fixing and how to fix it. 

Types of pen testing

• Black Box Testing
• White Box testing
• Gray Box Testing

Black Box Testing – the penetration tester has no internal knowledge of the target company and no background information. This type of testing is not necessarily external (though most common). Black box testing focuses on a lack of information, employing the tools and techniques a hacker would use to penetrate security. This type of test is also known as a blind test or real-world hacking simulation test.

White Box Testing – the penetration tester obtains full access to information about the network infrastructure or applications to be tested, including network diagrams and protocols, the IP address schema, source code, etc. This type of test is also known as clear box testing or glass box testing.

Gray Box Testing –  the penetration tester is provided with partial knowledge of the internal network or web application. The main advantage of this type of test allows the tester to focus initial efforts on identifying the areas that present the most significant security risks to the business. This type of test combines both white box and black box testing techniques. 

Pen Testing Team Exercises

The EC-Council describes the Red team and the Blue team in terms that have a strong association with the military.”These terms are commonly used to describe teams that use their skills to imitate the attack techniques that “enemies” might use, and other teams that use their skills to defend. In cybersecurity, there isn’t much difference and have clearly adopted the same wordings since cybersecurity is no better than a war strategy on its own.”

Red Team – the attackers,  consists of a group of highly trained ethical hackers who emulate an adversarial attack. Red teamers use multi-layered simulated attacks to break through a company’s defense perimeter to uncover vulnerabilities and measure how well the company can withstand a real-world cyber-attack.

Blue Team – the defenders, consists of a group within the business that is responsible for defending against real-world or simulated attacks. This group is proactive (rather than reactive)  with a focus on continuous improvement in detection and response.

In a nutshell, a Red Team exercise is a pen test with a few added features:

• Active Blue Team (good guys/internal team) – they will try to stop the hack
• Detection Avoidance, Evasion, and Stealth are employed by the red team to prevent the above.
• Social engineering is employed concurrently
• Physical testing is used concurrently
• Data exfiltration is a goal, alongside active Command and Control (C2) establishment.
• The Red team is always Black Box

Types of Security Pen Testing

There are various types of pen tests—not all are equal. Here are six of the most common types: 

• Network Services
• Web Application
• Client-Side
• Wireless
• Social Engineering
• Physical Penetration Testing

Network Services – the tester conducts a simulated attack that reveals vulnerabilities that attackers may exploit to take over company systems or networks. This test helps a business understand their level of risk and aspires to address and remediate security flaws. 

Web Application – Web Application – the tester simulates an internal or external unauthorized attack to get access to sensitive company data. 

Internal pen testing – this test is performed over the LAN and seeks to locate vulnerabilities that may exist within the company firewall. This type of test also includes intranet web applications, secure code reviews, and mobile applications.

External pen testing –  this simulated attack operates outside the company network (the tester does not know the companies internal network). The tester obtains the IP of the target system and attempts to locate vulnerabilities in the IDS, firewalls, servers, and company Internet web applications and services.

Client-Side – the tester attempts to discover vulnerabilities in client-side applications. These could be applications such as email, web browsers, Macromedia Flash, Putty, SFTP, PDF files, and others.

Wireless –  the tester identifies the companies wireless network vulnerabilities, establishes risk levels, and exploits any identified vulnerabilities to assess any sensitive company data or assets that are at risk. 

Social Engineering – Social Engineering – the tester attempts to exploit human error using either on-site or off-site social engineering techniques. 

On-site social engineering techniques include:

• Access privileges – impersonation via disguises such as a delivery person, job candidate, or tech support worker
• Disposal of sensitive data – dumpster & office trash can diving
• Device compromise – Portable storage media drops (USB)

The attacker’s goal is to obtain physical access to the target company. 

Off-site social engineering techniques include:

• Email phishing – attempt to get an employee to click on a link so the tester can get corporate-sensitive data
• Vishing – calling a targeted employee to obtain sensitive information (such as an account password)
• SMS phishing – texting using the same intent as vishing above 

The attacker’s goal is to obtain information intended for internal use only.

Physical Penetration Testing – the tester simulates real-world attempts to compromise the company’s physical barriers (i.e., locks, RFID systems, network jacks, dumpster diving, server room, telephotography), allowing the attacker unauthorized physical entrance.   

Why Do I Need It?

If you want your applications, networks, and systems secure, hiring ethical hackers can up the ante. Ethical hackers are equivalent to getting your best detectives together to think like criminals and to solve a case—before there is a case. 

Every business could use the mindset of a cybersecurity expert who knows how to think like the bad guys. If you come armed with the potential damages an opponent (malicious hacker) could inflict upon your business—you will be taking a proactive stance against the possibility of an in-the-news data breach tomorrow.   

“Really critically and importantly, what [penetration testing] has done is given us a much better sense of what are the things we need to focus on and where are the control areas that we really have weaknesses.” –Adrian Monza, Deputy CISO, Chief Cybersecurity Architect at Homeland Security, USCIS

Discover Vulnerabilities

As cyber attacks increase daily featuring known, emerging, evolving, and unknown threats—the current cyber threat landscape multiplies like a prodigious deluge of running bamboo. 

Though pen testing is not a silver bullet—it can illuminate vulnerabilities in infrastructure and applications and demonstrate the effectiveness of business security controls.  Other advantages include:

• Evading financial setbacks
• Increasing business continuity
• Maintaining customer loyalty
• Meeting regulatory requirements
• Preserving business reputation

Simulated Attacks

Pen testing can overlap with Red team exercises. Having cybersecurity professionals simulate an attack against your network (before a malicious hacker does) avoids the cost of a real-world cyber-attack.

Pen Testing for Compliance

Pen testing helps financial organizations minimize security risks and meet compliance guidance security standards by the Federal Deposit Insurance Corporation (FDIC), Financial Institutions Examination Council (FFIEC), HIPAA, PCI-DSS, and others.

Improves Security Posture

Pen Testing can help your business reveal exploitable vulnerabilities, validate security defenses, and measure how effective your security posture is. 

Methodologies

Over the last decade, pen testing has grown to be a significant part of many companies’ security assessments. Due to the quick and recent growth, there have been several independent developments of how one conducts a pen test. One of the first things that people come across is the Pen Testing Methodology. While numerous organizations have different steps, at the end of the day, they are all the same.

Below are some of the most common methodologies you will come across:

Penetration Testing Execution Standard (PTES)

7 Phase Model:

• Pre-engagement Interactions
• Intelligence Gathering
• Threat Modeling
• Vulnerability Analysis
• Exploitation
• Post Exploitation
• Reporting

5 Phase Model:

• Preparation
• Information Gathering and Analysis
• Evaluation and Risk Analysis
• Active Exploitation
• Final Analysis

Core security Phases

• Planning and preparation
• Discovery
• Penetration Attempt and Exploitation
• Analysis and Reporting
• Clean Up and Remediation
• Retest

Redteam Secure Methodology

based on the NIST Special Publication 800 Series guidance and OSSTMM but goes beyond the initial framework itself

• Information gathering
• Threat modeling
• Vulnerability analysis
• Exploitation
• Post exploitation
• Reporting

CYBRI Methodology

• Pre-Engagement Walkthrough
• Passive and Active Intelligence Gathering
• Vulnerability Assessments
• Credential Harvesting and Cracking
• Exploitation and Privilege Escalation
• Specialty Testing (Bluetooth, Wireless, HVAC and IoT Control System(s), Physical)
• Reporting and Documentation
• Post-Test Review
• Remediation and Retesting

While this list varies quite a bit in terms of the number of steps and naming conventions, it really boils down to a few core steps that have subcomponents. They are typically done in this order and can sometimes not include every step. 

The Core Steps

Pre-Engagement Planning

• Contracts
• Scoping
• Terms of testing

Information Gathering and Reconnaissance

• Passive Recon
• Active Recon

Vulnerability Assessment

• Credentialed vs. non-credentialed
• Network and System or Application
• Risk Analysis
• Threat Modeling

Exploitation

• Manual Testing
• Credential harvesting and cracking
• Specialized and custom exploits
• Privilege escalation
• Post-exploitation
• Data exfiltration
• Command and Control
• Lateral Movement

Reporting

• Formal Delivery
• Certification
• Dashboards
• Executive Summary

Remediation

• Clean-up
• Patching
• Risk mitigations

Retesting

Since every company is unique—pen tests are customized to meet the client’s needs, environment, and budget.

Reporting

The report is everything and should reflect the value of the companies security investment. 

CybraryIT Best practices

What you should have in your report:

• Introduction/Overview:  High-level description of the project, dates, and company/infrastructure being tested.
• Scope and Objective: This section should outline the IP ranges, URLs, and applications that are to be tested. It should also explain the purpose of the test.
• Deviations from the Statement of Work: Many tests have changed from the original requirements, such as having to stop testing on a host, to stop scanning, and/or make changes to the testing windows.
• Methodology: A high-level description of the testing process and standards.
• Significant Assessment Findings: This section should be dedicated to critical findings.
• Positive Observations: This part is just as important as significant findings. No one likes to see a whole report where their company is negatively portrayed. Talking about what the company did well helps lessen the blow on where fixes need to be made.
• Findings Summary: This should have an overall view of the findings broken down by severity. The conclusion of the summary explains if the environment was found to be vulnerable for any opportunities for exploitation.
• Detailed Findings: This should include severity, vulnerability definition, issue/detailed description/risks, asset, recommendation, snapshots/logs/how to exploit walkthrough
• Appendix: Listing of all assets and ports. Additional information and snapshots.

Lessons Learned

Capital One’s hack was an unusual threat combined with a server misconfiguration, insider knowledge, and a hacker who allegedly struggled with gender identity, unemployment, and persistent suicidal thoughts. After publicly bragging on GitHub about her exploits, it was ironic that an ethical hacker reported the breach.

Though financial gain is frequently a primary motivation that drives cybercriminal activities—other hacker motivations include cause, ego, entertainment, entrance to a social group, and status. Attackers can also exhibit combined motives.

Since companies do not think like hackers, some hire in-house penetration testers in hopes they will be able to strategize and fortify their offensive security posture. 

After the colossal 2019 hack—Capital One beefed up its Offensive Security group in its Cyber Operations & Intelligence program. They actively sought penetration testing professionals to join their Penetration Test team (to coordinate ethical hacking and penetration testing scenarios). 

Cybersecurity expert, Daniel Miessler argues: 

“It is important that Red Teams maintain a certain separation from the organizations they are testing, as this is what gives them the proper scope and perspective to continue emulating attackers. Organizations that bring Red Teams inside, as part of their security team, tend to (with few exceptions) slowly erode the authority, scope, and general freedom of the Red Team to operate like an actual attacker. Over time (often just a number of months) Red Teams that were previously elite and effective become constrained, stale, and ultimately impotent.”

If a company relies solely on an in-house testing team, the internal team could lose objectivity over time. 

Summary

Regardless of business size, an attacker only needs to find one entry point of access. In the realm of manual penetration testing, there is no one-size-fits-all process. Every business is unique. 

According to IBM’s 2019 Data Breach Report, the global average cost of a data breach has increased by 12% over the past five years to $3.92 million. In the U.S. the cost of a data breach was significantly higher at $8.19 million and twice the global average.

The report also noted the time it takes to identify and contain a data breach was 279 days globally and 245 days in the United States. 

Between the average cost of a data breach and the time it takes to identify and contain one—the interim should focus on attack surface reduction.

F5 Networks’ Tristan Liverpool believes “ethical hackers can play a fundamental role in helping security teams consider every single possible attack vector when protecting applications.”  He further elaborated, “whilst security architects have a wealth of knowledge on industry best practise, they often lack first-hand experience of how attackers perform reconnaissance, chain together multiple attacks or gain access to corporate networks.” 

An ethical hacker can easily slide into the mindset of an attacker. They know how to think outside the box, can anticipate potential cybercriminal moves in advance, and understand the techniques the bad guys use to breach security. 

Yes, every business needs an ethical hacker strategy in place to help crack open undiscovered security gaps. The wisdom of Chinese military general Sun Tzu rings true today, “To know your Enemy, you must become your Enemy.”

Add penetration testing and red teaming to your cyber toolbox—before the bad guys find an entry point into your companies defenses. 

SOURCES:

• https://resources.infosecinstitute.com/the-types-of-penetration-testing/
• https://www.cybrary.it/blog/0p3n/penetration-testing-report/