As security technology and threat awareness among organizations improve, so do the adversaries, who adopt and rely on new techniques to maximize speed and impact while evading detection.
Ransomware and malware continue to be the method of choice for big game hunting (BGH) cyber criminals, and the increased use of hands-on or “interactive intrusion” techniques is especially alarming. Unlike malware attacks that rely on automated malicious tools and scripts, human-driven intrusions use the creativity and problem-solving abilities of attackers. These individuals can imitate normal user or administrative behaviors, making it challenging to distinguish between legitimate activities and cyber-attacks.
The goal of most security practitioners today is to manage risk at scale. Gaining visibility, reducing the noise, and securing the attack surface across the enterprise requires the right people, processes, and security solutions.
With the use of penetration testing services, organizations can proactively combat these new and evolving threats, helping security practitioners identify and validate what is normal and what is potentially malicious activity. Penetration testing consists of varied technologies, both human-led and automated, and the use of certified pentesting experts, or ethical hackers, to emulate a cyber-attack against a network and its assets. Pentesters use real-world tactics and techniques like those of attackers, with the goal of discovering and exploiting a known or unknown vulnerability before a breach occurs.
This type of proactive offensive security approach requires planning and preparation by security leaders to maximize the effectiveness of penetration testing, including choosing the right security provider to meet your security and business objectives.
The following steps are necessary to properly prepare and plan for penetration testing, all of which will be outlined in further detail:
To understand your attack surface, it is important to have complete visibility of your cyber assets. There are three main considerations to understanding your attack surface:
1. Visibility of Your Attack Surface: Identify hidden and unmanaged cyber assets
Attackers are increasingly taking advantage of the attack surface as an organization’s digital footprint grows. This expanded attack surface makes it easier for bad actors to find weaknesses while making it harder for security practitioners to protect their IT ecosystem. Identifying all cyber assets and potential vulnerabilities can be a tough challenge. Without full visibility into every possible attack vector, assessing and communicating an organization’s exposure to risk becomes nearly impossible.
2. Prioritizing Risk: Making decisions based on risk
Keeping track of and evaluating risk without continuous assessments leaves organizations vulnerable. Security leaders need clear visibility into the key factors influencing risk to guide strategic decisions and keep stakeholders informed. By assessing risks regularly, DevSecOps teams gain actionable insights that help strengthen defenses, fix vulnerabilities, and prevent security breaches.
3. Mitigating Risk: Reducing attack surface risk
Security practitioners often find themselves reacting to threats, hindered by limited time and visibility, and without the guidance needed to anticipate risks. A large attack surface requires more than just optimizing threat defense – it demands proactive measures to discover, assess, and address cyber risk before an attacker strikes.
When determining the scope of a penetration test, consider the following before testing begins:
1. Identify What to Test: Which areas and assets would the organization like to test? This involves identifying critical systems, applications, networks, or data that could be vulnerable to attacks.
2. Establish Goals: Security teams will also want to consider the business goals for penetration testing. Whether the aim is to focus on the human layer through phishing techniques, to test whether endpoint controls can be bypassed, or to test the entire infrastructure, it is important to know where potential weak spots may exist in specific areas.
3. Compliance Requirements: Some industries have specific regulations that may dictate what needs to be included in your penetration testing. Knowing which regulations the organization needs to comply with, along with their testing requirements, can help narrow the testing scope.
Security practitioners should be armed with this information as well as essential details such as organizational infrastructure, domains, servers, devices with IP addresses, or authorized user credentials (depending upon the pentesting method), and any exclusions.
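The scope details listed above (networks, domains, hosts, and exclusions) are what a tester's tooling must respect for the whole engagement. The following scope checker is an added example, not code from the original article or from any provider it mentions: it parses a constructed in-scope list and exclusion list, treats exclusions as always winning, and answers whether a candidate target may be touched. The asset ranges and hostnames below are hypothetical sample values from documentation address space.

```python
"""Rules-of-engagement scope checker (added example; the scope data is constructed)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    """In-scope and excluded assets, split into IP networks and domain names."""
    networks: list = field(default_factory=list)
    domains: list = field(default_factory=list)
    excluded_networks: list = field(default_factory=list)
    excluded_domains: list = field(default_factory=list)


def parse_scope(in_scope, excluded):
    """Classify each entry as an IP network (single IPs become /32 or /128)
    or as a domain suffix. Anything that is not a valid network is a domain."""
    scope = Scope()
    for entries, nets, doms in ((in_scope, scope.networks, scope.domains),
                                (excluded, scope.excluded_networks, scope.excluded_domains)):
        for item in entries:
            try:
                nets.append(ipaddress.ip_network(item, strict=False))
            except ValueError:
                doms.append(item.lower().strip().lstrip("."))
    return scope


def _host_matches(host, domains):
    host = host.lower().strip().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def _ip_matches(ip, networks):
    return any(ip in net for net in networks)


def is_in_scope(target, scope):
    """True only if the target is explicitly listed in scope AND not excluded.
    Exclusions take precedence, the conservative reading of a scope document."""
    try:
        ip = ipaddress.ip_address(target.strip())
    except ValueError:
        ip = None
    if ip is not None:
        if _ip_matches(ip, scope.excluded_networks):
            return False
        return _ip_matches(ip, scope.networks)
    if _host_matches(target, scope.excluded_domains):
        return False
    return _host_matches(target, scope.domains)


def check_targets(targets, scope):
    """Map every candidate target to an in-scope verdict, for a pre-flight review."""
    return {t: is_in_scope(t, scope) for t in targets}


# Constructed sample scope (hypothetical engagement, documentation ranges only).
SAMPLE_IN_SCOPE = ["203.0.113.0/24", "example.com"]
SAMPLE_EXCLUDED = ["203.0.113.250", "payroll.example.com"]  # e.g. a production DB and HR system
SAMPLE_SCOPE = parse_scope(SAMPLE_IN_SCOPE, SAMPLE_EXCLUDED)

if __name__ == "__main__":
    candidates = ["203.0.113.10", "203.0.113.250", "198.51.100.7",
                  "www.example.com", "api.payroll.example.com", "example.org"]
    for target, ok in check_targets(candidates, SAMPLE_SCOPE).items():
        print(f"{target:28} {'IN SCOPE' if ok else 'OUT OF SCOPE'}")
```

Running the module prints a verdict per candidate; in practice the same function would gate a scanner's target list so that a host the scope document does not name, or one it explicitly excludes, is never probed.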
Web Applications: The most common external assets that benefit from penetration testing services are web applications. External web app pentesting identifies potential attack paths and mitigates specific vulnerabilities depending on the application’s architecture and the technology used. These are often called internet- or public-facing applications because they are accessible over the internet. The most common vulnerabilities found are SQL injection, XSS, authentication and/or business logic flaws, credential stuffing, and more.
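SQL injection heads the list above, and the finding a web app pentest reports almost always comes down to user input being spliced into the SQL text. The snippet below is an added example, not code from the original article: a login lookup written the vulnerable way next to the parameterized form a remediation would require, run against a constructed in-memory SQLite table so the difference in behaviour is visible on the same input. The table, users, and hash values are hypothetical.

```python
"""Vulnerable vs. hardened credential lookup (added example; schema and data are constructed)."""
import sqlite3


def make_db():
    """Build a throwaway in-memory users table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def count_matches_vulnerable(conn, username, password_hash):
    """String concatenation: the caller's input becomes part of the SQL grammar,
    so quotes and boolean operators in the input change the query's logic."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password_hash = '" + password_hash + "'")
    return conn.execute(sql).fetchone()[0]


def count_matches_hardened(conn, username, password_hash):
    """Parameterized query: the driver binds input as data, never as SQL,
    so the same tampered input simply fails to match any row."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()[0]


def compare(username, password_hash):
    """Return (vulnerable_count, hardened_count) for one input pair."""
    conn = make_db()
    try:
        return (count_matches_vulnerable(conn, username, password_hash),
                count_matches_hardened(conn, username, password_hash))
    finally:
        conn.close()


if __name__ == "__main__":
    # Legitimate credentials: both forms agree.
    print("valid login      ->", compare("alice", "hash-a"))
    # Tampered password field: the concatenated query matches every row,
    # the parameterized query matches none.
    print("tampered input   ->", compare("alice", "x' OR '1'='1"))
```

The hardened form is the fix a pentest report would recommend; an ORM or query builder that binds parameters gives the same protection. A quick code-review heuristic for the vulnerable pattern is any SQL string built with `+`, `%`, `.format()` or an f-string from request data.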
In addition, penetration testing services for external assets can include, but are not limited to, mobile applications, APIs, Cloud, external networks, IoT, and secure code review.
Network Infrastructure: The most common penetration testing for internal assets covers internal networks and systems. Most security practitioners and organizations assume that internal networks are more secure than external-facing systems, but this is no longer true. The goal of attackers who do gain access to an internal network is to move laterally across systems, escalate privileges, and compromise confidential and sensitive data. The most common vulnerabilities found are misconfigured Active Directory (AD), weak passwords or poor authentication, and outdated or unpatched software and systems.
Penetration testing services for internal assets can include, but are not limited to, internal applications, APIs and API endpoints, workstations and laptops, thick client applications, and testing across all phases of the software development life cycle (SDLC).
There are several types of penetration testing methodologies, and finding the right approach will be dictated by what has been outlined in your scope. Penetration testing methods have evolved, and companies are no longer beholden to the traditional penetration testing offered by the big consulting firms. Below are the different pentesting methods available and how they are commonly used to deliver the best results.
1. Traditional Pentesting: This structured, project-based approach is offered by large global consulting firms. This pentesting is very hands-on and involves a defined scope and timeline, where external security experts perform tests on specific systems, networks, or applications. Traditional pentesting can seem more credible by offering a sense of assurance to stakeholders and auditors, but it can also be very costly, as these firms often charge a premium for their services, making it less affordable for small or mid-sized enterprises.
Traditional pentesting usually occurs on an annual or biannual basis and can, therefore, leave gaps in security visibility between assessments. Attack surfaces change rapidly, which means new vulnerabilities may go undetected during this period.
Lastly, these traditional engagements usually take quite some time to get off the ground and the feedback loops can seem slow. Results may take weeks or months to deliver, and by that time some vulnerabilities may no longer be relevant.
2. Autonomous Pentesting: Automated penetration testing uses automated tools, scripts, and AI to perform security assessments without the constant need for human intervention. Like other pentesting methods, it can simulate a variety of attack scenarios, identify vulnerabilities, and provide remediation recommendations. Automated pentesting can perform the same tasks that would require manual testing, but it is performed on a continuous or scheduled basis.
Automated pentesting primarily focuses on networks and network services and can effectively scan large network infrastructures. Because it can be regularly scheduled and is less prone to human error, this type of pentesting can also perform static and dynamic scans of web applications to find common vulnerabilities, as well as cover APIs and API endpoints, cloud assets, and external-facing assets like public websites, databases, and networks.
Automated pentesting offers speed, scalability, and cost efficiencies. Autonomous tools can be deployed to run pen tests regularly, providing constant monitoring and enabling the identification of vulnerabilities as they emerge. However, automated tools often focus on common, well-known vulnerabilities and may not uncover complex or more sophisticated weaknesses that a human tester could identify.
3. Penetration Testing as a Service (PTaaS): PTaaS is a hybrid approach to penetration testing that uses both autonomous and human-led pentesting, yielding benefits from both such as speed, scale, and repeatability. Manual pentesting is performed by certified and highly skilled ethical hackers who search for vulnerabilities in a system, application, or network. It is an in-depth, human-driven approach, and unlike automated tools, manual pentesting allows for more expertise, intuition, and flexibility in detecting complex vulnerabilities.
PTaaS covers the entire IT infrastructure, both internal and external, and can be tailored for deeper exploration of specific areas of concern. During manual pentesting, experts can think like attackers, using techniques like those used by malicious actors, and customize specific use cases or uncommon configurations for testing to align with the organization’s IT environment. Manual testers can also adapt their approach if they encounter unexpected scenarios or defenses.
Using a hybrid approach to penetration testing combines the efficiency, scalability, and cost-effectiveness of continuous automated testing with the creativity and adaptability of manual testing, which is essential for discovering complex and advanced vulnerabilities such as business logic flaws. Combining both methods provides the speed and breadth of automated tools with the depth of manual testers to ensure more comprehensive and thorough coverage of the attack surface.
Making a choice between internal and external pentesting resources is an important decision and is often dictated by scope and objectives. An organization’s own internal pentesting team, an outside pentesting provider with its own in-house pentesting experts, and external resources such as crowdsourcing each have their own unique advantages and disadvantages.
When to use: Internal penetration testing is best for identifying and mitigating insider threats, testing internal policies, and ensuring internal systems are secure.
When to use: External pentesting is best used when resources and expertise are limited. It is ideal for assessing both internal and external-facing assets using standardized methodologies for more accurate and consistent results. It also is best used when ensuring regulatory compliance and obtaining an unbiased evaluation of your security posture.
When to use: External pentesters or crowdsourcing are helpful for validating the results of internal pentesting. However, the lack of standardization and consistency of results remains a concern.
There are three primary methods used to deliver penetration testing services. Depending upon your requirements, the type of assets being tested, and which approach will yield the outcomes you are looking for, experts can guide you on which method is best to meet the organization’s objectives.
Black Box: This type of penetration testing requires no prior knowledge related to the targeted systems being tested. Pentesting experts will emulate a real-world attack that an attacker might use with no internal information about the system being hacked. The goal is to assess the efficacy of security measures and whether these controls can withstand an external attack.
Gray Box: This pentesting method provides partial knowledge of the target system(s). More context is provided than in Black Box testing, allowing for a more efficient evaluation of the assets being tested. Gray Box testing balances the external perspective of Black Box tests with the internal perspective of White Box tests.
White Box: Complete knowledge of targets is required for this type of testing including internal and external systems. This method emulates an attack by an insider within the organization or someone with detailed knowledge of the system(s). White Box testing allows for a comprehensive assessment of the internal controls to identify vulnerabilities that might not be readily visible from an external perspective.
Several important standardized guidelines are commonly used in penetration testing to ensure accuracy, consistency, thoroughness, and compliance with industry practices. Here are some of the more common practices:
These guidelines provide practical recommendations for designing, implementing, and maintaining security testing and processes. They are designed for industry, government, and organizations to help reduce cybersecurity risks, and cover various aspects of security testing, including penetration testing, vulnerability scanning, and risk assessments. NIST guidelines are widely respected and used by federal agencies and organizations to ensure a standardized approach to security testing.
OWASP provides a comprehensive framework for testing web applications, including methodologies for identifying and mitigating common web application vulnerabilities. OWASP is highly regarded for its focus on web applications – but does include frameworks for mobile apps, APIs, cloud, and more – and its guidelines are open-source and regularly updated to reflect the latest threats and best practices.
A not-for-profit accreditation body that sets high standards for security testing, including penetration testing, to ensure member organizations adhere to rigorous ethical, legal, and technical standards. CREST outlines a standardized methodology for penetration testing, which includes planning, information gathering, vulnerability analysis, exploitation, and reporting.
Other Notable Guidelines:
Regulatory mandates have become more and more stringent, and new regulations continue to be implemented around the world affecting various industries, including prime targets like the financial, healthcare, and critical infrastructure sectors. Below is an overview of the more noteworthy regulations, some with specific guidelines related to penetration testing:
Faced with increasing risks posed by information systems or the IT infrastructure, both internal and external, EU regulators adopted rules and recommendations to identify and remediate potential vulnerabilities. Through DORA, two types of distinct testing were directed at financial institutions to strengthen their cyber resilience as follows:
CAF plays a crucial role for both public sector entities and organizations involved in supporting Critical National Infrastructure (CNI) providing a systematic method for evaluating an organization’s cybersecurity practices, helping to identify and address areas for improvement. It is especially relevant for organizations covered by the Network and Information Systems (NIS) Regulations, which mandate the adoption of appropriate cybersecurity measures. Additionally, the framework serves as a valuable resource for sectors that manage risks to public safety, such as healthcare and transport.
The NIS 2 Directive (Directive (EU) 2022/2555) aims to establish a high common level of cybersecurity across the EU. Member States must ensure essential and important entities implement appropriate measures to manage network and information system risks, minimizing incident impacts, using an all-hazards approach.
This framework is an EU initiative designed to enhance the cyber resilience of entities in the financial sector. TIBER-EU provides a structured approach for conducting controlled, intelligence-led red team tests. These tests simulate real-world cyberattacks to assess and improve the security posture of organizations.
A widely recognized regulatory framework and auditing procedures developed by the American Institute of Certified Public Accountants (AICPA). It is designed to assess the controls and security measures for service organizations to protect customer data and ensure the security, availability, processing integrity, confidentiality, and privacy of data.
This U.S. federal law governs the privacy, safety, and electronic exchange of medical information. Medical and healthcare organizations must perform regular validation of their data security controls, and the law includes guidelines for penetration testing to ensure the security of protected health information.
Provides requirements for conducting penetration tests to ensure the security of cardholder data. PCI DSS 11.3.1 specifically requires external penetration testing at least once every six months and after any significant changes or upgrades to IT infrastructure or applications. PCI DSS 11.3.2 requires internal pentesting to be performed at least once every six months. Other requirements within PCI DSS call for additional pentesting and can be found on their website.
Preparing and planning for penetration testing services is no small feat, and many questions will need to be answered before testing begins. But there is no doubt that the benefits of penetration testing services are worth the effort to maintain a strong security posture now, tomorrow, and in the future.