What is Penetration Testing or Pentesting?
Penetration testing is a methodical activity aimed at identifying, from an attacker’s perspective (with an offensive approach), the entry points to an organization’s assets and understanding the potential impact.
This process involves feedback loops where an initial “attack surface” is determined and progressively expanded as new accesses are gained, “penetrating” through the layers protecting the final target. The objective, defined from the outset, can range from accessing specific sensitive information to taking control of the organization’s systems, involving both digital and physical assets.
Just as the term “pentesting” is short for “penetration testing,” the professional who performs the task is commonly referred to as a “pentester.” This individual must possess specific cybersecurity knowledge and creativity to carry out the tasks.
These practices fall under the umbrella of ethical hacking, a topic further explored in the blog post “All About Ethical Hacking: What It Is, Types, Tools, and Benefits.” It delves into the concept, addresses questions like “Who might I want to protect myself from?” and highlights some tools, best practices, and benefits. This article is a recommended complementary read, as most of it applies to penetration testing.
What Are Penetration Tests For?
https://unsplash.com/es/fotos/camara-cctv-negra-en-la-pared-LkD_IH8_K8k
While the general advantages are covered in the mentioned article, penetration tests have specific benefits.
Log and Monitoring Evaluation:
The pentester will attempt to bypass controls to access the systems within the scope of the job, which will leave traces or activity logs. This phase is crucial for assessing monitoring capabilities, alert triggers, and response actions. Whether or not malicious activity is detected in real-time, there should be records of such events across various devices, allowing for easy analysis in case of an incident. This information is vital for understanding the timeline of events leading to a breach and serves as evidence in judicial proceedings outside the scope of the test.
Policy Compliance
In larger organizations, cybersecurity policies and procedures, such as password policies, incident management, and protection of sensitive data, become essential. Even if these policies exist, they may not always be adhered to. A successful pentest will reveal if these policies are being followed, highlighting any failures.
Depth Over Breadth
In a pentest, the goal is usually to go as far as possible within the time constraints. In organizational pentests, the tester may not explore every possible entry point but will instead find the shortest path to the objective and explain how it was achieved. This is because the work time is limited, and this depth-over-breadth approach is prioritized in this type of task.
Regulatory Compliance
If the organization is regulated by international bodies through certifications, a pentest may be a mandatory periodic requirement. Each certification may impose different specialized requirements, as seen with the Payment Card Industry (PCI) Security Standards Council, which applies to the financial sector.
What Are the Phases of Pentesting?
There are no universal phases since there are multiple internationally recognized methodologies for penetration testing. Examples include NIST 800-115, the Penetration Testing Execution Standard (PTES), or the Open Source Security Testing Methodology Manual (OSSTMM) for general contexts. For specific contexts, such as PCI, other methodologies may apply (e.g., PCI Penetration Testing Guide). If the pentest focuses solely on web or mobile applications and not on infrastructure or the organization as a whole, the OWASP Testing Guide is a suitable resource.
https://www.pexels.com/es-es/foto/manos-comienzo-comenzar-empezar-9035000
However, if abstracted enough, all methodologies have overarching phases. These include information gathering, discovery or reconnaissance, exploitation, post-exploitation actions to advance or pivot (penetration focus), and reporting. Even within this linearity, a cycle occurs, as a successful attack automatically extends the initial attack surface, requiring a return to the reconnaissance phase. While standards include more phases with varying names, the following briefly describes the aforementioned phases with a simplified example leading to a successful hypothetical attack.
Information Gathering
This can be viewed as an intelligence procedure, aiming to collect as much useful information about the target from the Internet. This could include employee names, corporate roles, email addresses, public documents (intentionally or accidentally), exposed passwords from past attacks, and more, a process known as open-source intelligence (OSINT). Sources include social networks, the target organization’s website, search engines, etc. None of these actions involve direct contact with the target and are considered passive information gathering.
Example: A LinkedIn profile lists an employee responsible for internal IT services. Their email appears in a publicly accessible password breach online.
Reconnaissance on the Target
The pentester analyzes all resources within the attack surface to identify the present technologies: IP address blocks, domains and subdomains, operating systems, services, their versions, information provided automatically during communication, anonymous access to services, and more.
Example: The pentester scans the surface and discovers that one of the IP addresses exposes port 3389, revealing a remote desktop service, Windows operating system, and the computer name.
Exploitation
After sufficient research, the pentester attempts to validate and exploit the detected vulnerabilities using public techniques for specific service versions, stolen credentials, phishing emails with malware, or other means. Successful exploitation can involve gaining a foothold in the organization. In some cases, more than one vulnerability may need to be exploited to achieve this.
Example: The stolen credentials of the IT employee are used to access the remote desktop service, allowing the pentester to log in as the employee on the Windows machine.
Post-exploitation
If further progress is part of the scope, situational information is gathered. The pentester must answer several questions to determine the next steps, such as: Who am I? What permissions do I have on this system? What are the system specs? Can I secure my access for future use? What is this system used for? Do I have access to other networks? Are there other services on this system not exposed to the Internet? Are there more credentials or valuable information that would allow me to proceed further? Is this system protected by antivirus or other security software? Can I disable it?
Many tools facilitate the pentester’s ability to pivot to other systems or escalate privileges. This phase loops back to reconnaissance to understand what else is available.
Example: The pentester discovers that the machine is connected to an internal network and is part of a Windows Active Directory domain. Moreover, the current user is a system administrator, capable of disabling antivirus software and running tools to retrieve the credentials of other users who have previously logged into the system. The pentester retrieves the password of a domain administrator and accesses the domain controller on the internal network. The pentester now has total control over the organization’s users, groups, and systems connected to the domain.
Reporting
Evidence of all steps and results must be collected. At least one report is created, describing the weaknesses and vulnerabilities found, how they were exploited within the context of the task, and the associated risks to help prioritize them. Detailed recommendations should be included, although the pentester may not have complete information about the existing controls’ implementation.
The report should not be exclusively technical; an executive summary should also be included for other organizational roles to understand the level of risk, the potential business impact, and how to prioritize remediation efforts.
When to Conduct a Pentest?
https://www.pexels.com/es-es/foto/mujer-de-cultivo-tomando-notas-en-el-calendario-5239917
Organizations typically conduct pentests after a cybersecurity incident or due to regulatory requirements. These cases represent reactive and proactive approaches, respectively.
When it comes to applications, it’s ideal to conduct a pentest before releasing a version, especially the first one, as it ensures the service is consolidated and ready for deployment. Additionally, it benefits from the log and monitoring evaluation mentioned earlier. However, security testing in other forms should be conducted throughout the development cycle, not left until the end.
This differs when assessing an organization’s IT infrastructure, as there is no development cycle with defined stages. Organizations must decide whether to conduct a security review after significant infrastructure changes or periodically, regardless of the level of change.
In terms of frequency, regulations often require cybersecurity reviews at least once a year, with some recommending reviews every 6 or even 3 months. If not regulated, the decision should be based on cost and technological evolution. Increased frequency reduces risk but must also be cost-effective for the organization.
In conclusion, penetration testing is a valuable tool for assessing an organization’s cybersecurity with a perspective not typically held by internal staff. Hiring ethical hackers allows organizations to leverage specialized knowledge and techniques to potentially break their defenses in a controlled and safe environment, anticipating the actions of threat agents that scour the Internet indiscriminately or specifically target their organization.
At GeneXus Consulting, we help you assess the cybersecurity status of your organization by analyzing specific assets such as subnets, IPs, applications, or the entire organization. We provide a report with findings and solutions to proactively enhance security and minimize risks.
This service enables companies to proactively strengthen their cybersecurity, reducing risks before an incident occurs. Learn more.