There is no doubt how regular penetration tests are an essential part of the vulnerability management process to reduce risks. It is important to ensure penetration tests are efficient and to do so, the use of correct penetration testing methodologies is an essential component. A methodology in this context defines the logic using which various test cases are carried out to assess an asset’s security.
Let’s start with the basics first and then move on to the topic that’s amongst the penetration testing essentials for any IT security decision-maker or a business owner.
Feel free to watch a condensed version of this article here:
What is pentesting?
Penetration testing is an ethical hacking exercise aimed at identifying and safely exploiting weaknesses in internal and external networks, applications or systems of an organisation. It involves helping organisations remediate the identified risks to provide secure electronic assets. Penetration testing is sometimes confused with a vulnerability assessment. Both assessments vary in scope, depth, focus and price. A penetration test is in-depth, focusing on the manual approach and includes safe exploitation of identified vulnerabilities to measure the extent of exploitation.
Why your business needs a penetration test?
As a standard, the majority of the organisations conduct yearly penetration tests unless any major changes. Penetration tests are a significant part of cyber assurance needed for various reasons:
- Mergers & Acquisitions
- Regulatory or compliance requirements (GDPR, ISO27001, PCI DSS, etc.)
- Customer Requirements
- Product launches
What is penetration testing methodology?
To perform a pen test, it is important to understand the context of electronic assets in the engagement scope. Penetration testing methodologies are important for selecting the right assessment techniques because the selection of test cases and threat models can influence security assessments. To simulate threat actors, it is important to consider various threat scenarios that act as input to create test cases used during testing.
Multiple penetration testing standards and frameworks have been released in the past. Penetration testing methodologies play an important role in benchmarking practices. For example, OWASP Top 10 application security risks are the go-to standard for web application assessment. The US Commerce Department’s popular cyber framework from NIST, Open Source Security Testing Methodology Manual and the Pentesting Execution Standard are other methodologies and standards followed by businesses worldwide. OWASP, CIS benchmarks and SANS Top 20 Critical Controls are often the most popular benchmarks for testing security risks.
Comprehensive penetration testing methodology is beyond this article’s scope due to the depth of testing areas and the required documentation. This approach is blended with different phases of an assessment in the engagement lifecycle approach detailed below.
Read about the various penetration testing types based on the asset categories to understand how focus, depth and estimation differ for various engagements.
Our Penetration testing methodology
Our proven approach to security assessments is based on more than a decade of experience, industry practices and effective ways to exceed customer expectations. Cyphere’s pen testing steps are broken down into five stages:
1. Initial Scoping and Objectives Agreement
This is often an overlooked area; however, it is one of the most important aspects. No one knows a network better than their caretakers, that is, THE customer. It is important to gain insight into their understanding and then suggest various options advising them with each option’s pros and cons.
Defining an accurate scope of the work ensures understanding and clarity of objectives, exclusions, and what to do if something happens. We ensure that a proven project management approach is put to work, ensuring all parties are aware of authorisation forms & legalities, in-scope elements, any fragile components and out of scope components before commencing an engagement.
Once legal and project formalities are out of the way, the reconnaissance phase starts with the sole objective of information gathering. This intel (e.g., network layouts, domains, servers, infrastructure details) helps understand how a network works, including its assets (applications, systems, devices, anything with an IP).
This phase is performed to find vulnerabilities within the defined targets. It involves scanning the target for listening services/open ports, fingerprinting and analysing the running services to prepare a rough attack layout of target systems.
Attempts are made to exploit common vulnerabilities to simulate and check how far a threat actor can achieve privileged access. For instance, during unauthenticated tests within a company network, many times starting with zero access leads to the entire network compromise. Default passwords or commonly used username/password combinations are also tried against various services.
It is this step in penetration testing methodologies that differentiates pen testing from vulnerability assessments.
Once access is gained to the systems, further efforts are undertaken to escalate privileges to the highest levels. This also includes hopping around the network to find vulnerable servers within the customer business. This technique, often known as lateral movement, helps identify vulnerable systems within a network that is not exposed to the internet.
Specific assessments and specific target based scenarios are defined under ‘white box’, ‘black box’ or ‘grey box’ methodologies. It defines test cases based on how much information is available to the consultants before starting the assessment.
No unsafe checks are carried out during the assessment. These include low-level attacks such as ARP spoofing, SYN flood or the likes. Denial of service attacks is explicitly deemed out of scope.
5. Cleanup, data analysis and reporting
After the execution phase, any data or information placed or used on the customer systems is removed or returned. Any accounts or privileges handed over to the consultants are communicated with status updates to the customer to inform the completion of assessment so that test accounts, privileges can be revoked, changed or deleted.
The assessment phase is followed by the data analysis and reporting phase. Cyphere performs analysis on the testing output, evaluates the risk impact and likelihood of exploitation in realistic scenarios before providing action plans to remediate the identified risks. Our reports address business and the technical audience with supporting raw data, including mitigation measures at strategic and tactical levels.
Cyphere also provides a remediation consultancy where we help customers define and execute the risk mitigation plan. This is an optional service and charged separately to pen tests. A risk-focused approach is utilised to ensure a prioritized plan is followed to ensure maximum impact on increasing defensive controls.
Should you chose not to opt for this service, you can also take our help in preparing a remediation plan and tasking your IT or managed services provider for implementation of controls.
Discuss your concerns today
Pentest engagement approach
Our engagement approach remains focused on service quality. Three principles underpin our engagement approach: We engage, We listen, and We deliver. The following five steps define our pen test process:
Customer Business Insight & Requirements Capture
The first step remains our quest to gain insight into drivers, business, pain points and relevant nuances. As part of this process, we understand the assets that are part of the scope.
It is important to gain grips with reality. Therefore, we always stress walkthroughs or technical documentation of the assets. After asset walkthroughs, a tailored proposal is designed to meet your business’s specific requirements.
All our proposals are tailored to include the customer business context and supplied information during scoping discussions. Pricing is kept in mind and broken down to provide flexibility and transparency on our estimation.
Cyphere’s approach to all work involves excellent communication with a technical skill-set. See our pen test methodology below for detailed information. See the previous section on how our methodology is executed to ensure thorough assessments.
The execution phase is followed by the data analysis and reporting phase. Cyphere performs analysis on the testing output, evaluates the risk impact and likelihood of exploitation in realistic scenarios before providing action plans to remediate the identified risks. Our reports address business and the technical audience with supporting raw data, including mitigation measures at strategic and tactical levels.
Debrief & After-care Support
As part of our engagement process, customers schedule a free charge to debrief management and technical teams. This session involves a remediation plan, assessment QA to ensure that customer contacts are up to date in the language they understand.
What tools are used for penetration testing?
The toolkit is prepared according to the test plans covering threat scenarios utilised based on the assessment scope. For instance, a web application penetration test would require a testing suite that allows intercepting traffic between a user’s browser and the server. This allows a security consultant to mimic a threat actor by changing input, testing the application code routines, checking for OWASP Top 10, SANS Top bugs, and other tests as part of the web application pentesting methodology. For low-level assessment, such as hooking into windows services, APIs, or other specific, specialised web proxies, protocol analysers and fuzzing tools are utilised by the security consultants.
In case of a network penetration test, various pen testing tools and scripts are utilised to help scan the network, enumerate services, vulnerability analysis, exploitation, and post-exploitation phases. Although it’s a combination of applications, utilities, multiple scripts and proprietary tools, the most popular tools utilised for port scanning, enumeration, exploitation is Nmap, Metasploit framework, and toolsets Kali Linux distribution that is specifically meant for pen testers use.
Similarly, for wireless assessment, different tools and approaches are used on top of the network and application-level tools used during the assessment.
When to conduct penetration testing?
It’s safe to say there are multiple types of pen tests, which is why it’s so important to speak with a cybersecurity professional to see what is the best fit for your needs.
From our knowledge and experience, businesses conduct a technical security assessment at any of the following events:
- Introduction of new infrastructure & applications
- After major changes or upgrades
- Business As Usual (BAU) work
- Annual assessments
- Product Launches
A business may be at risk if new services have been rushed into production without security assessment and mitigation risks. This could leave an organisation open to cyber attacks. Therefore, it is important to measure the attack surface of underlying assets before releasing them in production. Some compliance requirements such as PCI, DSS, sector-based commission technical audits, vendor assurance requirements, mandate regular penetration tests.
Get in touch to discuss your primary security concerns.