Penetration Testing Methodology
What is Penetration Testing?
Penetration testing, also known as Pentest or Ethical Hacking, is an authorized security exercise designed to find and exploit vulnerabilities on a system, network or application. It is a simulated attack performed by cyber-security experts, mimicking real world strategies and techniques, aimed to identify weaknesses on the system and evaluate how an attacker can take advantage of them.
Vulnerability Assessment VS Penetration Testing
While a Vulnerability Assessment also tries to identify vulnerabilities or weaknesses in a system (usually using an automated scanner), Penetration testing goes beyond that and tries to also exploit these vulnerabilities manually. A pentest not only reports these vulnerabilities but also demonstrates how these can be used, leveraged or even chained to compromise the target system. Escalation will also be attempted to demonstrate how deep an attacker can access due to the compromise and therefore better evaluate the overall exposure and security posture of the organization.
Penetration Testing Approaches
Penetration testing can be conducted in one of three ways: Black, White or Grey box testing.
The Black Box testing approach is done from the perspective of an outsider or external adversary with limited knowledge or information of the target system. This approach can be seen as the most authentic, demonstrating how an attacker with no inside knowledge would target and compromise the system. While this approach most closely mimics real world attackers, the process of discovering vulnerabilities takes significantly longer than other testing approaches due to the lack of internal knowledge. As a result, time spent by tester is not fully maximized and some components may not get tested.
The White Box testing approach is done with full knowledge of the target. This knowledge includes technical and functional specifications, architecture/network diagrams, access matrix, source codes and other relevant information. This approach allows for the tester to discover all attack vectors possible and perform a more comprehensive analysis on the system. However, this approach requires much more effort to conduct and may even require more sophisticated tools.
The Gray Box testing approach is a bit of a combination or a compromise of Black Box and White Box. In this approach the tester has some knowledge of and some level of access on the target system. This eliminates much of the time spent doing reconnaissance and allows for more time to do security testing.
Penetration Testing Process
In general, a penetration test can be structured in 6 phases and that is:
- Vulnerability Analysis
In the Planning phase, the details of the pentest exercise are discussed and agreed upon. These includes agreement on the Scope and limitations on the test, the testing approach as well as timelines and rules of engagement. Logistical requirements are also detailed on this phase such as test accounts, VPN access, IP whitelisting, etc. The goal of this phase is to ensure the exercise runs smoothly and that the objectives of the exercise are fully achieved.
In the Reconnaissance phase, the tester gathers as much information about the target as possible and mapping out the full attack surface of the target. This is done through a combination of passive and active methods.
Passive methods do not involve direct interaction with the target. This includes gathering of information from Open-Source Intelligence sources (ie DNS records, google search, etc). While Active Methods involves direct interaction with the target to get relevant information. This includes port scanning, application mapping/spidering, internal DNS queries, etc.
All the information gathered is then analyzed and use to draw attack vectors that can be used in the next phases.
In the Vulnerability Analysis phase, tester uses different techniques to discover flaws in the target system or infrastructure. Discovery can be done through manual testing or automated means (using a vulnerability scanner). These flaws are then evaluated to determine accuracy and potential exploitability based on the scope and the objectives of the engagement.
In the Exploitation phase, vulnerabilities that have been evaluated are then exploited to attempt to validate its potential risk. The aim of the exploitation is to establish some level of access on the system for post-exploitation and demonstrate the compromise. Demonstration can be done through a Proof-of-Concept or through an actual compromise on the system.
The Post-Exploitation phase covers activities that can be done after a successful exploitation on the target. This includes privilege escalations, later movements, data exfiltration and others. The aim of this phase is to determine the extent of the compromise that can be done, and its value based on the sensitivity of data, purpose of the asset, effect to overall operations, etc.
Lastly, the Reporting phase involves documentation and presentation of results of the pentest engagement. The report will detail the scope and objectives of the pentest, the vulnerabilities found, the risk they bring to the organization and recommendations that the organization can take to fix these vulnerabilities and mitigate the risks.
The Report is the arguably the most important part of the engagement. This should be communicated in a way that it can be easily understood and be acted upon by the stakeholders both executive and technical.