What is penetration testing?
Definition: Penetration testing is a process in which a security professional simulates an attack on a network or computer system to evaluate its security—with the permission of that system’s owners.
Don’t let the word “simulates” fool you: A penetration tester (or pen tester, for short) will bring all the tools and techniques of real-world attackers to bear on the target system. But instead of using the information they uncover or the control they gain for their own personal enrichment, they report their findings to the target systems’ owners so that their security can be improved.
Because a pen tester follows the same playbook as a malicious hacker, penetration testing is sometimes referred to as ethical hacking or white hat hacking; in the early days of penetration testing, many of its practitioners got their start as malicious hackers before going legit, though that is somewhat less common today. You might also encounter the term red team or red teaming, derived from the name given to the team playing the “enemy” in war game scenarios played out by the military. Penetration testing can be carried out by teams or individual hackers, who might be in-house employees at the target company, or may work independently or for security firms that provide specialized penetration testing services.
How does a penetration test work?
In a broad sense, a penetration test works in exactly the same way that a real attempt to breach an organization’s systems would. The pen testers begin by examining and fingerprinting the hosts, ports, and network services associated with the target organization. They will then research potential vulnerabilities in this attack surface, and that research might suggest further, more detailed probes into the target system. Eventually, they’ll attempt to breach their target’s perimeter and get access to protected data or gain control of their systems.
The details, of course, can vary a lot; there are different types of penetration tests, and we’ll discuss the variations in the next section. But it’s important to note first that the exact type of test conducted and the scope of the simulated attack needs to be agreed upon in advance between the testers and the target organization. A penetration test that successfully breaches an organization’s important systems or data can cause a great deal of resentment or embarrassment among that organization’s IT or security leadership, and it’s not unheard of for target organizations to claim that pen testers overstepped their bounds or broke into systems with high-value data they weren’t authorized to test—and threaten legal action as a result. Establishing in advance the ground rules of what a particular penetration test is going to cover is an important part of determining how the test is going to work.
Types of penetration testing
There are several key decisions that will determine the shape of your penetration test. App security firm Contrast Security breaks test types down into a number of categories:
- An external penetration test simulates what you might imagine as a typical hacker scenario, with an outsider probing into the target organization’s perimeter defenses to try to find weaknesses to exploit.
- An internal test, by contrast, shows what an attacker who’s already inside the network—a disgruntled employee, a contractor with nefarious intentions, or a superstar hacker who gets past the perimeter—would be capable of doing.
- A blind test simulates a “real” attack from the attacker’s end. The pen tester is not given any information about the organization’s network or systems, forcing them to rely on information that is either publicly available or that they can glean with their own skills.
- A double-blind test also simulates a real attack at the target organization’s end, but in this type of engagement the fact that a penetration test is being conducted is kept secret from IT and security staff to ensure that the company’s typical security posture is tested.
- A targeted test, sometimes called a lights-turned-on test, involves both the pen testers and the target’s IT playing out a simulated “war game” in a specific scenario focusing on a specific aspect of the network infrastructure. A targeted test generally requires less time or effort than the other options but doesn’t provide as complete a picture.
App security firm Synopsys lays out another way to think about varying test types, based on how much preliminary knowledge about the target organization the testers have before beginning their work. In a black box test, the ethical hacking team won’t know anything about their targets, with the relative ease or difficulty in learning more about the target org’s systems being one of the things tested. In a white box test, the pen testers will have access to all sorts of system artifacts, including source code, binaries, containers, and sometimes even the servers running the system; the goal is to determine how hardened the target systems are in the face of a truly knowledgeable insider looking to escalate their permissions to get at valuable data. Of course, a real-world attacker’s preliminary knowledge might lie somewhere between these two poles, and so you might also conduct a gray box test that reflects that scenario.
Penetration testing steps
While each of these different kinds of penetration tests will have unique aspects, the Penetration Testing Execution Standard (PTES), developed by a group of industry experts, lays out seven broad steps that will be part of most pen testing scenarios:
- Pre-engagement interactions: As we’ve noted, any pen test should be preceded by the testers and target organization establishing the scope and goals of the test, preferably in writing.
- Intelligence gathering: The tester should begin by performing reconnaissance against a target to gather as much information as possible, a process that may include gathering so-called open source intelligence, or publicly available information, about the target organization.
- Threat modeling: In this phase, the pen tester should model the capabilities and motivations behind a potential real attacker, and try to determine what targets within the target organization might attract that attacker’s attention.
- Vulnerability analysis: This is probably the core of what most people think about when it comes to penetration testing: analyzing the target organization’s infrastructure for security flaws that will allow a hack.
- Exploitation: In this phase, the pen tester uses the vulnerabilities they’ve discovered to enter the target organization’s systems and exfiltrate data. The goal here is not just to breach their perimeter, but to bypass active countermeasures and remain undetected for as long as possible.
- Post exploitation: In this phase, the pen tester attempts to maintain control of the systems they’ve breached and ascertain their value. This can be a particularly delicate phase in regard to the relationship between the pen testers and their clients; it is important here that the pre-engagement interactions in the first phase produced a well-defined set of ground rules that will protect the client and ensure that no essential client services are negatively affected by the test.
- Reporting: Finally, the tester must be able to deliver a comprehensive and informative report to their client about the risks and vulnerabilities they discovered. CSO spoke to a number of security pros about the traits and skills an ethical hacker should have, and many of them said that the communication skills necessary to clearly convey this information are close to the top of the list.
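The pre-engagement and post-exploitation steps above both come back to the same point: the ground rules agreed in writing must actually constrain what the testers do. One way to make that concrete is to encode the agreed scope and check every candidate target against it before any activity begins. The Python below is an added example, not code from the CSO article or from PTES; the in-scope ranges, the excluded host, the overnight testing window and the list of prohibited techniques are constructed values standing in for whatever a real engagement letter would specify.

```python
"""Rules-of-engagement scope check (added example, constructed values)."""
from dataclasses import dataclass, field
from datetime import datetime, time
import ipaddress


@dataclass
class EngagementScope:
    """The written ground rules from pre-engagement interactions."""
    in_scope: list                                   # CIDR strings the client authorized
    excluded: list = field(default_factory=list)     # carve-outs, e.g. a production database
    window_start: time = time(0, 0)                  # agreed testing window (may cross midnight)
    window_end: time = time(23, 59, 59)
    denied_techniques: set = field(default_factory=set)  # e.g. {"dos"} if no availability testing

    def __post_init__(self):
        # Normalize to network objects once so membership tests are cheap and exact.
        self.in_scope = [ipaddress.ip_network(n, strict=False) for n in self.in_scope]
        self.excluded = [ipaddress.ip_network(n, strict=False) for n in self.excluded]

    def in_window(self, when):
        """True if `when` falls inside the agreed window, handling windows that
        cross midnight (e.g. 22:00 to 06:00)."""
        t = when.time()
        if self.window_start <= self.window_end:
            return self.window_start <= t <= self.window_end
        return t >= self.window_start or t <= self.window_end


def check_target(scope, target_ip, technique, when):
    """Return (allowed, reason). Every refusal names the ground rule it comes from,
    so the reason can go straight into the engagement log."""
    ip = ipaddress.ip_address(target_ip)
    if not any(ip in net for net in scope.in_scope):
        return False, f"{target_ip} is not in the agreed in-scope ranges"
    if any(ip in net for net in scope.excluded):
        return False, f"{target_ip} is explicitly excluded by the client"
    if technique in scope.denied_techniques:
        return False, f"technique '{technique}' is prohibited by the rules of engagement"
    if not scope.in_window(when):
        return False, f"{when.isoformat()} is outside the agreed testing window"
    return True, "in scope"


def filter_targets(scope, candidates, technique, when):
    """Split a candidate list into (allowed, refused) where refused maps each
    rejected address to its reason."""
    allowed, refused = [], {}
    for ip in candidates:
        ok, reason = check_target(scope, ip, technique, when)
        if ok:
            allowed.append(ip)
        else:
            refused[ip] = reason
    return allowed, refused


# Constructed scope: two client ranges, one excluded host, overnight window, no DoS.
SCOPE = EngagementScope(
    in_scope=["198.51.100.0/24", "203.0.113.0/25"],
    excluded=["198.51.100.50/32"],
    window_start=time(22, 0),
    window_end=time(6, 0),
    denied_techniques={"dos"},
)

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 23, 30)
    ok, refused = filter_targets(
        SCOPE, ["198.51.100.20", "198.51.100.50", "192.0.2.9"], "port_scan", now)
    print("allowed:", ok)
    for ip, why in refused.items():
        print("refused:", ip, "->", why)
```

The value of a check like this is less the code than the discipline: the scope lives in one place, every refusal is explained in the client's own terms, and the log of refusals is evidence after the fact that the testers stayed inside the lines they agreed to.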
Penetration testing tools
The penetration tester’s suite of tools is pretty much identical to what a malicious hacker would use. Probably the most important tool in their box will be Kali Linux, an operating system specifically optimized for use in penetration testing. Kali (which most pen testers are more likely to deploy in a virtual machine rather than natively on their own hardware) comes equipped with a whole suite of useful programs, including:
- nmap
- Metasploit
- Wireshark
- John the Ripper
- Hashcat
- Hydra
- Zed Attack Proxy (ZAP)
- sqlmap
For more details on how all these weapons work together in the pen tester’s arsenal, read about the top penetration testing tools the pros use.
https://www.csoonline.com/article/3643032/penetration-testing-explained-how-ethical-hackers-simulate-attacks.html