Penetration Testing: Your Online Guide

‍

TENUMBRA are experts in the field of Penetration Testing and have been for decades, in fact it is one of our most popular business lines. Maybe you aren’t quite familiar with what pen testing really includes, and all the moving parts associated with it. This article is to inform you as to what pen testing entails and why you should strongly consider having it performed.

What is Penetration Testing?

As part of a holistic security strategy, Penetration Testing (Pentesting) involves Ethical Hackers (also sometimes referred to as White Hat Hackers)

conducting authorized and planned attacks against a company's security infrastructure to identify and exploit vulnerabilities and providing recommendations to mitigate them. The purpose of this Emulated Attack is to identify any holes in the defenses deployed to protect system’s, apps, networks, and other assets, which threat actors could exploit.

Penetration Testing can also help organizations comply with data security and privacy regulations by finding control gaps that expose sensitive data or impact availability requirements.  

Pentesting helps organizations keep their data secure, ensuring no one who shouldn’t see sensitive data does and even is often required for regulatory purposes.

Although the terms "Ethical Hacking" and "Penetration Testing" are sometimes used interchangeably, there is a difference.  

Ethical Hacking is a broader Cybersecurity field consisting of hacking skills to improve network security while Penetration Tests are just one of the activities Ethical Hackers use from their arsenal. Ethical Hackers also conduct other services such as Malware Analysis, Vulnerability Research, Exploit Development and Risk Assessments to name a few.

‍

Why You need it?

Here are the main reasons why companies conduct Pentests.

Pentests are more comprehensive than vulnerability Assessments. Although both Penetration Tests and Vulnerability Assessments help security teams to name weaknesses in apps, devices, and networks, these methods serve rather different purposes, which is why many companies rely on implementing them together.  

When Pentesters discover vulnerabilities, they exploit them in Emulated Attacks that mime the behaviors of malicious hackers providing the security team with an in-depth understanding of how actual hackers might exploit vulnerabilities to access sensitive data or rattle operations.

Instead of trying to guess what hackers might do, the security team can exercise this knowledge to design network security controls for real-world cyberthreats. Pentesters use both automated and manual processes as they uncover known and unknown vulnerabilities. Due to the greater depth of testing over the use of Vulnerability Assessments,  Pentesters are likely to produce less false positives. And better yet, considering Pentesters are focused on Offensive Operations who attack from the view of a hacker, they often catch vulnerabilities that in house security experts might overlook. Third-party Penetration Testing teams also provide a layer of objectively, very useful from a regulatory compliance standpoint.

Penetration Testing is highly recommended and as recent as 2021, the U.S Government stressed the importance that companies should conduct Pentests to defend against growing ransomware attacks (more on that another time).  

Types of Pen Tests

Although all Penetration Tests involve an Emulated Attack against a company's environment, there are different types of Pentests.  

The following are examples of types of Pentetst that target different enterprise assets,  

• Application  

Application pen tests look for vulnerabilities in apps and related systems, including web applications and websites, mobile and IoT apps, cloud apps, and application programming interfaces (APIs).

• Network  

The company's entire computer network is attacked through Network-level Pentests. There are two broad types of network pen tests: external tests and internal tests.

1. External Tests, Pentesters mimic the behavior of External Hackers to discover security issues in internet-facing assets like servers, routers, websites, and employee computers.  

2. In internal tests, Pentesters mimic the behavior of malicious insiders or hackers with stolen credentials.

• Hardware  

These security tests watch for vulnerabilities in hardware devices and their firmware that are connected to the network. (i.e. laptops, mobile and IoT devices, and operational technology (OT)).

• Personnel

This type of testing looks for weaknesses in employees' cybersecurity hygiene and compliance to organizational security policies. Basically, these security tests assess how vulnerable a company is to various forms of Social Engineering Attacks (i.e. physical security testing, phishing, spear phishing, USB/cell phone drops, etc.).

The steps before,

Before a Pentest begins the Pentesters identify a scope and testing strategy to determine how much information the Pentesters will have ahead of time. The scope draws which systems will be tested, when, and the strategy embodies the overall approaches.

Listed below,

1. In a black-box test, Pentesters have no information about the target environment. They rely on their own research to develop an attack plan, as a real-world hacker would.

2. In a white-box test, pen testers have complete transparency into the target field. The company shares details like network diagrams, source codes, credentials, and more.

3. In a gray-box test, Pentesters get a bit of information but only a little such as the company's IP ranges for network devices, but the pen testers must probe those IP ranges for vulnerabilities by themsele. Sometimes, information is provided to the Pentesters at key times during the test.

Testing takes place once these decisions have been made and a high-level test plan has been developed,

‍

‍

1. Reconnaissance

The Testing Team retrieves information about the target system, app or environment. Pentesters use different recon methods depending on the target such as if the target is an app, pen testers might study its source code. If the target is an internal network, pen testers might use a packet analyzer to inspect network traffic flows and if it’s external, DNS and other sources of information. They also conduct OSINT (Open-Source Intelligence) to supplement these techniques.

2. Target discovery and development

Pentesters use their gained knowledge in the recon step to spot exploitable vulnerabilities in the system. Pentesters might use a port scanner like Nmap to look for open ports, offering accessible attack surfaces they can compromise deploy malware/software implants.  

3. Exploitation

The testing team begins the simulated attack. Pentesters may try a variety of attacks depending on the target system, the vulnerabilities they found, and the scope of the test. The most tested attacks include:

• SQL injection: Pentesters try to get a webpage or app to disclose sensitive data or execute code by entering malicious code into input fields.
  
  

• Cross-site scripting: The testers try planting malicious code inside a company's website.
  
  

• Denial-of-service attacks: Pentesters try to take servers, apps, and other network resources offline by causing traffic or exploiting protocol, resource and application flaws.
  
  

• Social engineering: Involving phishing, baiting, pretexting, or other tactics to trick employees into sharing information or executing attacker-friendly actions, compromising network security.
  
  

• Brute force attacks: Pentesters attempt to invade the system by running scripts that generate and test potential passwords, looking for one that succeeds.

• Man-in-the-middle attacks: Pentesters intercept traffic between two devices or users to steal sensitive information, gain access or plant malware/software implants.

4. Escalation

After the pen testers have exploited a vulnerability and obtain a foothold in the system/environment, they try to access even more of it. This phase is referred to as lateral movement and often demands "vulnerability chaining" because pentesters employ a chain of vulnerabilities to get further into the network. They might start by planting a keylogger on an employee's computer. Using that keylogger, they can capture the employee's credentials which provides access to sensitive database.

5. Cleanup and reporting

At the end of the simulated attack, pentesters clean up any traces/artifacts they've left behind, such as output files, back door trojans/software implants they planted, backdoor users, or configurations they changed. That way, real-world hackers can't use the pentesters' exploits/artifacts to breach the network.

Followed, the pentesters prepare a report on the attack. The report generally outlines discovered vulnerabilities, the exploits that were used, details on how the pentesters avoided security features, and descriptions of what they did while inside the system.  More important though, the report provides recommendations to address the discovered vulnerabilities and sometimes how to detect offensive activities in real-time or post-incident.

To learn more in depth about each type of penetration test and which one may be right for organization, reach out to us: inquiry@tenumbra.com

‍