Four Critical Areas for Planning a Penetration Test
By: Kevin O’Connor, Adlumin – Director of Threat Research
What is Penetration Testing?
Penetration testing (pen testing) evaluates the security of a system by attempting to breach its confidentiality, integrity, or availability; it is also known as ethical hacking. A standard penetration test fields a Red Team, a group of skilled mock attackers, against a network and its assets with a defined objective, such as gaining access to a company’s internal email. These simulated attacks are carried out while, ideally, remaining undetected by network administrators and security staff. The security objective of a penetration test is to check the system’s security and uncover weaknesses that real attackers could exploit to compromise the business and its assets.
Pen tests can be a valuable tool in a security professional’s toolkit and can show how the components of a layered security defense work, or fail, together.
Other penetration testing types include black box testing, where the attackers attempt to access a system with no prior information about its design, interfaces, or security. Black box testing scales through grey box testing, where some information is known or provided, to white box testing, where all documentation about the system and its security is given to the attackers. The ways a penetration test can be conducted are as varied as the network architectures, services, and systems deployed in a network.
I have been involved in dozens of penetration tests and similar activities. From my experience, I have learned that there are a few focus areas where putting extra care into planning can make the penetration test more successful and more applicable to the business.
A successful penetration test informs stakeholders (system owners, administrators, security staff, and management) whether, under the current business operating environment, there are paths that could lead to exploitation and compromise. The results should specify which systems were tested, how they were tested, and what assumptions or dependencies the test relied on. An effective penetration test allows the business to implement technical mitigations and exposes weaknesses in its operational, administrative, and security processes, which can then be enforced or updated to lower the likelihood or impact of compromise.
4 Critical Focus Areas
1. Goal
The goal of a penetration test should be established before scoping the test’s boundaries, although there is often feedback between the two activities. Setting a clear goal is critical to ensuring that the test delivers valuable, actionable feedback and actually speaks to the security of the system under test. Without a well-scoped goal, any breach by the mock attackers could be counted as a successful penetration of the business. But if the business wants to test the security of its account credential management system, the attackers gaining access to a single external web application says little about that system’s security.
Businesses should also ensure that the goal is focused and specific. Broad goals such as ‘access to the business’ or proving lateral movement capability across a network potentially test multiple systems and environments. Management of those systems may span several internal business groups, some of which may fall outside the test’s scope (see below). While there is value in testing security across business groups, this needs to be considered carefully when establishing the stakeholders and participants for the test.
A good pen test goal tries to answer a specific security question, such as: is a particular external web application secure? Can our logging, auditing, and accounting catch the creation of new malicious accounts in the domain? Can an attacker move laterally from an external DMZ to internal account management systems?
2. Scope
A penetration test’s scope complements its goal. Defining the scope can be a circular process that involves reviewing the interdependent systems that may need to be touched to reach the goal. During scoping, it is essential to identify which systems and teams may be involved so that all potential stakeholders are aware, buy in, and will act on the test’s results.
A well-defined scope is also critical to ensuring that the penetration test does not disrupt business activities. Considerations include:
- Is the test performed against live business function support systems or against development and testing systems?
- Is it within scope for the mock attackers to interact with certain business- or security-critical systems?
- Can attackers modify data or configurations on compromised hosts to cover their tracks or better enable completion of the test’s goal?
- Can the attackers leverage and exploit physical access to network assets to assist in compromise?
These questions are important to settle during penetration test scoping and will affect the value of your test results.
To help with scoping, SANS publishes a pen test scope worksheet that covers the basic areas.
3. Adversary Simulation
Something not often considered in penetration testing is the need for, and benefits of, adversary simulation. Adversary simulation conducts the penetration test using the assumed tactics, techniques, and procedures (TTPs) of a known or fictionalized threat actor group. By mimicking the capabilities of a real group or set of threats, the test can be scaled to a level of attacker sophistication that matches the assumed threat against the system being tested.
Something I am proud of as a security professional at Adlumin is that our penetration testing capabilities allow us to select defined and known threat actors, such as APTs or specific e-crime groups, and then mimic their capabilities during our testing. Adlumin can also define custom threat actor profiles, mapping the capabilities and TTPs used in a pen test to the MITRE ATT&CK framework and to specific techniques such as sets of exploits, malware, lateral movement strategies, and communication types. This allows us to conduct a tailored exploitation campaign that factually represents real and current threats.
Part of IT risk management is the concept that the risk to an information system is directly related to the threats against it. In pen testing, it helps to represent the threat as the set of known threat actors and their associated capabilities. If a business is not in an industry known or expected to be targeted by a specific APT group, that group is not a significant threat to the business network: it lacks the motive in the Motive, Opportunity, and Means (MOM) analysis methodology, and the value of mimicking its TTPs in the pen test is limited. We extract the most value from a pen test by simulating applicable threats, and by mixing TTPs from different threats only when we have acknowledged that such an exploitation path is not currently known, used, or likely, for example when assessing the threat of compromise to a business’s internal email system.
4. Results
Understanding the penetration test’s findings is key to accomplishing the well-scoped goal. Integrating the findings needs to go beyond patching the vulnerabilities or systems that were leveraged: it should examine why the vulnerability was not known, why exploitation was not observed, and, if it was observed, why no alert was triggered or acted on. Which steps in the organization’s IT security process need to be adjusted, better adhered to, monitored, or controlled with automation and fail-safes?
When reviewing a penetration test, you should consider questions such as:
- Did the attackers complete their objectives, and how far did they get?
- What vulnerabilities, exploits, and paths of access were used?
- Were any related events logged in any security systems?
- Does the business have observability of the events?
- Why didn’t logged events generate a security alert?
- Why wasn’t alerting escalated to help prevent further attack?
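As an added example (not code from the original post or from Adlumin), this is the kind of check a reviewer could run against exported domain audit events to answer the goal from earlier, “can our logging catch the creation of new malicious accounts”, and the review questions above about whether the events were logged and why they did not alert. The event IDs 4720 (user account created) and 4728 (member added to a global group) are the standard Windows Security event IDs; the event format, the approved-provisioner list and the sample events are constructed assumptions.

```python
"""Added example: flag account creations that should have raised an alert.
Assumed input: dicts with a subset of Windows Security log fields for event
IDs 4720 (user account created) and 4728 (member added to global group)."""
from datetime import datetime, timedelta

# Constructed sample events: one legitimate provisioning, one account created
# by an unexpected subject and then added to Domain Admins two minutes later.
SAMPLE_EVENTS = [
    {"time": "2022-09-10T10:02:11", "id": 4720, "subject": "svc_provision", "target": "j.doe"},
    {"time": "2022-09-10T23:41:05", "id": 4720, "subject": "redteam_op", "target": "backup_adm"},
    {"time": "2022-09-10T23:43:30", "id": 4728, "subject": "redteam_op", "target": "backup_adm",
     "group": "Domain Admins"},
]

# Assumption: the business provisions domain accounts only through this service account.
APPROVED_PROVISIONERS = {"svc_provision"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def find_suspicious_account_creations(events, window_minutes=60):
    """Return one finding per 4720 event that was not performed by an approved
    provisioner, or that was followed by a privileged-group add for the same
    account within window_minutes. Each finding lists the reasons it was flagged."""
    findings = []
    for created in (e for e in events if e["id"] == 4720):
        reasons = []
        if created["subject"] not in APPROVED_PROVISIONERS:
            reasons.append("created by unapproved subject %s" % created["subject"])
        t0 = parse_time(created["time"])
        for e in events:
            if (e["id"] == 4728 and e["target"] == created["target"]
                    and e.get("group") in PRIVILEGED_GROUPS
                    and timedelta(0) <= parse_time(e["time"]) - t0 <= timedelta(minutes=window_minutes)):
                reasons.append("added to %s within %d min of creation" % (e["group"], window_minutes))
        if reasons:
            findings.append({"account": created["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_account_creations(SAMPLE_EVENTS):
        print(finding["account"], "->", "; ".join(finding["reasons"]))
```

Comparing the findings against what the SIEM actually alerted on during the test separates “not logged” from “logged but never alerted”, which is the distinction the review questions above ask for.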
As you can see, a lot goes into planning a successful penetration test. Pen tests can be a valuable tool in a security professional’s toolkit and show how the components of a layered security defense work, or fail, together. Adlumin offers penetration testing services and can work with your organization to create well-scoped goals and to understand where, in the gap between exploitation and data exfiltration, your security and, importantly, your processes can be improved to strengthen business security.
References
van Wyk, K., & Radosevich, W. (2013, July 31). Black Box Security Testing Tools. CISA. Retrieved September 10, 2022, from https://www.cisa.gov/uscert/bsi/articles/tools/black-box-testing/black-box-security-testing-tools
Poston, H. (2021, June 17). What are black box, grey box, and white box penetration testing? [updated 2020]. Infosec Resources. Retrieved September 10, 2022, from https://resources.infosecinstitute.com/topic/what-are-black-box-grey-box-and-white-box-penetration-testing/
Wright, J. (2020, November 6). Pen Test Scope Worksheet. SANS. Retrieved September 12, 2022, from https://www.sans.org/posters/pen-test-scope-worksheet/