INTERNAL NETWORK PENETRATION TESTING
Know your unknowns: assess and quantify infrastructure vulnerabilities, and prepare a risk mitigation approach to reduce the attack surface.
What is an internal network penetration test?
An internal network penetration test simulates an insider attack on organisational applications, systems and data. This insider could be an employee, contractor or partner who has access to the internal network.
“Internal” pen tests are also known as “Internal Infrastructure” or “Internal Network” penetration tests. In other words, this exercise establishes the true picture of an organisation’s risk posture. It helps CTOs/CISOs assess cultural practices around information storage, secure hardening, patch management, password analysis, Active Directory group policy, network equipment hardening and many more elements.
This is your assurance exercise to establish a secure and robust infrastructure for your organisation.
Internal pen test methodology
01. Initial Scoping & Objectives
Our network penetration testing experts work with you to define the assets in scope, covering primary security concerns and any regulatory requirements. Assessments against specific targets are set up under ‘white box’, ‘black box’ or ‘grey box’ methodologies so that test cases are defined before the assessment starts.
02. Reconnaissance & Intelligence Gathering
The reconnaissance phase has a single objective: information gathering and analysis to provide relevant information for later stages. Based on project scope, intelligence gathering is mostly infrastructure related (e.g., network layouts, domains, servers, infrastructure details) unless it is a red team pentest where personnel are in scope.
03. Active Scanning & Vulnerability Analysis
Using manual approaches and penetration testing tools, our security experts identify security weaknesses and prepare an attack layout to target vulnerable systems.
04. Lateral Movement & Exploitation
An initial foothold is gained by exploiting weaknesses identified in the previous phase. Privilege escalation attempts and lateral movement actions are carried out to infiltrate the internal network(s). Further vulnerabilities are exploited in a safe manner to measure the extent of exploitation, leading up to domain administrator account compromise.
05. Data Analysis & Reporting
This includes analysis of the test output and evaluation of the risk impact and attack likelihood, before providing action plans to remediate the identified risks. All our reports address business as well as technical audiences with supporting raw data, including mitigation measures at strategic and tactical levels.
06. Debrief & Support
Our engagement process includes delivering a free of charge debrief to management and technical teams. This session involves help to prepare a remediation plan and Q&A to ensure that customer contacts are up to date. Cyphere also provides a remediation consultancy where we define and execute the risk mitigation plan.
More than 'report and run' consultancy
Vulnerabilities discovered by our internal penetration testing service
Frequently Asked Questions about Internal Network Penetration Testing
An internal penetration test is aimed at the internal network from an insider attacker's perspective, i.e. an employee, contractor or partner. An external pen test is aimed only at internet-exposed devices and/or systems, simulating a threat actor on the internet (unauthenticated).
Internal penetration tests can be scoped based on the requirements. For instance, if an organisation has never opted for a network-wide assessment and is aiming to improve security, it makes business sense to assess the gaps and perform risk remediation to set internal benchmarks. If an organisation holds maturity in its security processes, targeted assignments are scoped, such as network segmentation or specific internal security testing projects.
A thorough internal network penetration test measures the information security culture at ground level. This includes password cracking & analysis, patching audit, group policy security, Active Directory design and architecture risks, encryption configuration, authentication, authorisation, information storage practices and network device hardening.
Where multiple physical sites and network segregations are a challenge remotely, onsite assessment is preferred. With post-COVID-19 measures, we utilise a number of methods (SSL VPN, VM deployment or shipping hardware to the client site) to carry out remote penetration testing of internal networks.
Communication plays an important role during security assessments. We explicitly request a list of fragile components during proposal and project initiation meetings. Low-level attacks and Denial of Service attacks are explicitly deemed out of scope for all assessments.
Cyphere’s internal pen test reports are world class deliverables containing raw data to support proof of concept and risk remediation measures.
Risk remediation is sometimes a complex process due to the specialist security skill-set needed for IT teams. As part of our aftercare support, we provide help in preparing a remediation plan to all our customers.
Optionally, we provide remediation consultancy to ensure all agreed findings are mitigated in line with best network security practices.
Benefits of Internal Penetration Testing
A secure infrastructure provides a safe, secure environment
Infrastructure Penetration Testing Methodology
In order to perform an infrastructure security assessment, it is important to understand the context of assets in scope for the engagement. Our proven approach to network security assessments is based on more than a decade of experience, industry practices and effective ways to exceed customer expectations.
Cyphere’s pentesting engagement lifecycle methodology is broken down into five phases as demonstrated in the penetration testing methodology diagram.
- Initial Scoping & Objectives Agreement
- Remediation (Optional remediation consultancy to help mitigate risks identified during penetration testing)
Infrastructure Pen Test Approach