Penetration testing methodologies, steps in pen testing & frameworks

There is no doubt that regular penetration tests are an essential part of the vulnerability management process to reduce risks. It is vital to ensure penetration tests are efficient, and to do so, using correct penetration testing methodologies is essential. A method in this context defines the logic of various test cases to assess an asset’s security. 

There are many different penetration testing methodologies available, but some of the most popular include:

• OSSTMM
• OWASP
• PTES 
• ISSAF

Let’s start with the basics and then move on to the topic that’s amongst the penetration testing essentials for any IT security decision-maker or a business owner.

To view a concise version of this article, we invite you to watch our video on the same topic.

What is pentesting?

Penetration testing is an ethical hacking exercise aimed at identifying and safely exploiting weaknesses in an organisation’s internal and external networks, applications or systems. It involves helping organisations remediate the identified risks to provide secure electronic assets.

Penetration testing is sometimes confused with a vulnerability assessment. Both assessments vary in scope, depth, focus and price.

A penetration test is in-depth, focusing on the manual approach and includes safe exploitation of identified vulnerabilities to measure the extent of exploitation. 

Why your business needs a penetration test?

 As a standard, most organisations conduct yearly penetration tests unless there are any major changes. Penetration tests are a significant part of cyber assurance needed for various reasons:

• Mergers & Acquisitions
• Regulatory or compliance requirements (GDPR, ISO27001, PCI DSS, etc.)
• Customer Requirements 
• Product launches

What is penetration testing methodology?

To perform a pen test, it is important to understand the context of electronic assets in the engagement scope. Penetration testing methodologies are essential for selecting the right assessment techniques because the selection of test cases and threat models can influence security assessments. To simulate threat actors, it is important to consider various threat scenarios that act as input to create test cases used during testing.

Multiple penetration testing standards and frameworks have been released in the past. Penetration testing methodologies play an important role in benchmarking practices. For example, OWASP’s Top 10 application security risks are the go-to standard for web application assessment. The US Commerce Department’s popular cyber framework from NIST,  Open Source Security Testing Methodology Manual and the Pentesting Execution Standard are other methodologies, and standards businesses follow worldwide. OWASP, CIS benchmarks and SANS Top 20 Critical Controls are often the most popular benchmarks for testing security risks.

Comprehensive penetration testing methodology is beyond this article’s scope due to the depth of testing areas and the required documentation. This approach is blended with different phases of an assessment in the engagement lifecycle approach detailed below. 

Read about the various penetration testing types based on the asset categories to understand how focus, depth and estimation differ for various engagements.

Penetration testing Steps

Our proven approach to security assessments is based on more than a decade of experience, industry practices and effective ways to exceed customer expectations. Cyphere’s penetration testing steps are broken down into five stages:

1. Initial Scoping and Objectives Agreement

This is often an overlooked area; however, it is one of the essential penetration testing steps. No one knows a network better than its caretakers, that is, THE customer. It is necessary to gain insight into their understanding and suggest various options advising them on each option’s pros and cons. 

Defining an accurate scope of the work ensures understanding and clarity of objectives, exclusions, and what to do if something happens. We provide that a proven project management approach is put to work, ensuring all parties are aware of authorisation forms & legalities, in-scope elements, any fragile components and out of scope components before commencing an engagement.

2. Reconnaissance

Once legal and project formalities are out of the way, the reconnaissance phase starts with the sole objective of information gathering. This intel (e.g., network layouts, domains, servers, infrastructure details) helps understand how a network works, including its assets (applications, systems, devices, anything with an IP).

3. Scanning

This phase is performed to find vulnerabilities within the defined targets. It involves scanning the target for listening services/open ports, fingerprinting and analysing the running services to prepare a rough attack layout of target systems.

4. Exploitation

Attempts are made to exploit common vulnerabilities to simulate and check how far a threat actor can achieve privileged access. For instance, during unauthenticated tests within a company network, starting with zero access often leads to a complete network compromise. Default passwords or commonly used username/password combinations are also tried against various services.

This step in penetration testing methodologies differentiates pen testing from vulnerability assessments.

Once access is gained to the systems, further efforts are undertaken to escalate privileges to the highest levels. This also includes hopping around the network to find vulnerable servers within the customer business. This technique, often known as lateral movement, helps identify vulnerable systems within a network that is not exposed to the internet.

Specific assessments and specific target-based scenarios are defined under ‘white box’, ‘black box’ or ‘grey box’ methodologies. It defines test cases based on how much information is available to the consultants before starting the assessment.

No unsafe checks are carried out during the assessment. These include low-level attacks such as ARP spoofing, SYN flood or the likes, and denial of service attacks that are explicitly deemed out of scope.

5. Cleanup, data analysis and reporting

After execution, any data or information placed or used on the customer systems is removed or returned. Any accounts or privileges handed over to the consultants are communicated with status updates to the customer to inform the completion of the assessment so that test accounts and privileges can be revoked, changed or deleted. 

The assessment phase is followed by the data analysis and reporting phase. Cyphere analyses the testing output and evaluates the risk impact and likelihood of exploitation in realistic scenarios before providing action plans to remediate the identified risks. Our reports address business and the technical audience with supporting raw data, including mitigation measures at strategic and tactical levels.

6. Remediation

Cyphere also provides a remediation consultancy where we help customers define and execute the risk mitigation plan. This is an optional service and is charged separately to pen tests. A risk-focused approach is utilised to ensure a prioritised plan is followed to ensure maximum impact on increasing defensive controls.

Should you choose not to opt for this service, you can also take our help in preparing a remediation plan and tasking your IT or managed services provider to implement controls.

Also Read: Penetration Testing Tools

Pentest engagement approach 

Our engagement approach remains focused on service quality. Three principles underpin our engagement approach: We engage, We listen, and We deliver. The following five steps define our pen test process:

Customer Business Insight & Requirements Capture

The first step remains our quest to gain insight into drivers, business, pain points and relevant nuances. As part of this process, we understand the assets that are part of the scope.

Services Proposal

It is vital to gain grips with reality. Therefore, we always stress walkthroughs or technical documentation of the assets. After asset walkthroughs, a tailored proposal is designed to meet your business’s specific requirements. 

All our proposals are tailored to include the customer business context and supplied information during scoping discussions. Pricing is kept in mind and broken down to provide flexibility and transparency in our estimation. 

Execution

Cyphere’s approach to all work involves excellent communication with a technical skill-set. See our pen test methodology below for detailed information. See the previous section on how our methodology is executed to ensure thorough assessments. 

Delivery

The execution phase is followed by the data analysis and reporting phase. Cyphere analyses the testing output and evaluates the risk impact and likelihood of exploitation in realistic scenarios before providing action plans to remediate the identified risks. Our reports address business and the technical audience with supporting raw data, including mitigation measures at strategic and tactical levels.

Debrief & After-care Support

As part of our engagement process, customers schedule a free charge to debrief management and technical teams. This session involves a remediation plan and assessment QA to ensure that customer contacts are up to date in the language they understand.

When to conduct penetration testing?

It’s safe to say there are multiple types of pen tests, so it’s essential to speak with a cybersecurity professional to see the best fit for your needs.

From our knowledge and experience, businesses conduct a technical security assessment at any of the following events:

• Introduction of new infrastructure & applications
• After significant changes or upgrades
• Business As Usual (BAU) work
• Annual assessments
• Product Launches

A business may be at risk if new services have been rushed into production without security assessment and mitigation risks, which could leave an organisation open to cyber attacks. Therefore, it is vital to measure the attack surface of underlying assets before releasing them into production. Some compliance requirements, such as PCI, DSS, sector-based commission technical audits, and vendor assurance requirements, mandate regular penetration tests.

Get in touch to discuss your primary security concerns.