Another entry into our penetration testing series, today we’re going to be covering the penetration testing steps and phases your pen test should cover. The key to a strong penetration test is a reliable methodology that is comprehensive but also not completely automated.
For a methodology to be comprehensive, it should cover all of the phases documented here:
- Project Scope
- Assessing of Vulnerabilities
- Pen Test
- Lateral movement
- Artifact Collection/Destruction
You’ll find most good penetration testing services include targeted recon and enumeration with the incorporation of automated tools which scan and detect vulnerabilities automatically, while digging further into the network using manual verification and validation.
Some business processes can be disrupted during the penetration testing phases, which is why the use of custom and even some automated scripts can minimise business process disruption while also gathering much more in-depth data about the target system.
1. Project Scope – Assessing the rules
Usually situated within a Statement of Work issued by the testing vendor is the project scope. This scope more often than not covers the testing methodology being used, and once any vulnerabilities are identified there will also be an exploitation-depth included.
Pen testing is considered to be a ‘white-hat’ process, which is the term given to attackers playing by predetermined rules of engagement which are laid out during the project scope and the engagement itself shouldn’t account for any disruption within business operations.
Since the intruder, an ethical testing expert in this case, may obtain insight and knowledge vital to the organisation, before starting the pen test process, a non-disclosure agreement must be signed by all parties.
Food for thought as to things which should be considered within the agreement:
- Allowing the conduction of testing during non-peak business hours wherever possible
- Whether or not testers can change data which is in production servers
- Whether or not the tester has permission to impersonate an authoritative figure within the business.
2. Recon – Gathering data pre-attack
During this next step, the tester will use multiple sources to obtain as much information as possible about the target, including operational analysis, threat intelligence generation, and appealing network services enumeration. A skilled penetration tester can gather publicly accessible information, called open-source intelligence, as well as general information about enterprise-provided systems that may also be publicly available.
Without the need to ask company staff, web crawlers and internet statistical collection systems provide useful knowledge about targets. For starters, there are many online resources to disclose full information about the operating system, web server applications, scripts, and more, whether a web application is part of the aim or testing scope.
3. Assessing of Vulnerabilities – The process of discovering potential vulnerabilities
This phase of the engagement goes deep to identify the vulnerabilities on the target network. The penetration tester will send probes to the target network, collect preliminary information, and then use the feedback to probe for more input and to discover additional details.
The outcome from this phase can contain the following
- Directory structure on a specific server
- Open authentication access to some FTP web servers
- Available SMTP access points providing architectural details about the network through error messages
- Remote-code execution possibilities
- Cross-site scripting vulnerabilities
- Internal code-signing certificates that could be used to sign new scripts and inject them into the network
4. Pen Test– Exploiting identified vulnerabilities
The next step is to infiltrate networks in the targeted network once a threat model and attack strategy have been established based on the discovered vulnerabilities. There is no assurance that any loophole found would be exploited; there may be a protected network, a DMZ, a firewall, a browser, a router, or an obsolete network device that exists outside of the test spectrum.
In order to achieve access to the target device, the professional penetration tester will concentrate on bugs that can be abused. The tester is also focusing on gathering more in-depth data around the target network during this process.
5. Lateral Movement – Maintain access while gaining further access
Once the tester receives access to a device, agents who hold access to the system will be injected. And if the system is rebooted, reset, or updated by network administrators, retaining effective access ensures these agents remain in the system and retain their access for a period of time.
6. Artifact Collection/Destruction – Gather up any data left over from testing
The phase following exploitation and maintained access ensures that after gathering data for the testing report, every exploited system is cleaned. Cleaning eliminates all agents, scripts, executable binaries and temporary files that are expected, etc.
The clean-up process should ensure that all the backdoors or rootkits installed have been removed and the configuration of the system should be returned to its original, pre-engagement state. Any changed credentials should be restored, and any additional created usernames should be removed.
7. Reporting/Debriefing – Report the results of the test
The seller then submits a consumer survey; this report is the instrument that better expresses the findings of your pen evaluation, and the report addresses two distinct groups: corporate leaders and technical teams.
The pen test report should begin with an executive summary outlining in business terms your penetration test plan, defining outcomes by risk ranking. This section could be short, because it may be the most critical piece that the consumer uses to make decisions: what to fix can be determined by the business staff, and which concerns pose an appropriate amount of risk.
The second section of the study consists of technical information, which should be descriptive and precise, and which should avoid generic or abstract claims. This section of the study will be used by the engineering staff to take measures and address security vulnerabilities found during the penetration test.
Optional Step: Test Again
Once vulnerabilities have been remediated, the client can decide whether to retest their systems, ensuring that fixes were successful and determining whether any new vulnerabilities were created as a result of remediation.
Successful, comprehensive pen tests should generate clear, understandable, and actionable results to business leaders, as well as provide a clear understanding to the enterprise technical teams about the security risks on their targeted systems.