Penetration testing is the activity of conducting security testing with the aim of identifying and exploiting vulnerabilities in order to identify strengths and weaknesses. I include strengths because I believe it’s important for security testing to report both positive and negative findings. I also think there is a huge misconception about what penetration testing is, what it helps with, and how to get the most value from a penetration test.

My definition isn’t too far from the NCSC one:

A penetration test is a security assurance activity, but it’s only one of many activities that I recommend people conduct. This view is, however, largely only adopted by the few; for many, a penetration test is a compliance tick box driven by a regulatory or contractual requirement.

When looking at a system, a penetration test is not usually the most efficient starting point, especially if it’s conducted from a black box perspective.

Penetration Test Position and Perspectives

A penetration test can be conducted from a range of positions and perspectives, and you can also conduct testing where the tester(s) move between positions. These include:

  • External (e.g. internet)
  • DMZ
  • Internal (Network Adjacent)
  • Internal (Assume Breach)
  • Code Reviews
  • Product Review

Penetration testing techniques can also be employed in other areas such as:

  • Control On/Off Testing
  • Configuration Validation
  • Incident Response Simulations
  • Purple Team Activities
  • Red Team Engagements

Penetration Test Types

  • Black Box
  • Grey Box
  • White/Crystal Box

The type of test determines the level of knowledge and access the tester(s) have on the environment. In a black box test the tester has zero or near-zero prior knowledge. In a grey box test the tester has partial knowledge, which may include authenticated access. A white box test gives the tester full access to the systems, people, and documentation.

The most efficient way of testing is white box. However, you should vary the approach, position and perspective, because a test is just a point-in-time view with limitations; it’s not a guarantee that nothing is vulnerable. 100% security does not exist.

Penetration Testing Phases

There are a range of phases in a penetration test. As with all things, they can be customised, or in some cases not conducted at all; however, a typical engagement would include the following:

  • Scoping
  • ROE Agreement
  • Recon
  • Enumeration
    • Passive
    • Active
  • Vulnerability Identification
  • Exploitation
  • Privilege Escalation and Lateral Movement
  • Actions on Target
  • Exfiltration
  • Clean up
  • Reporting

Penetration Test outcomes

A common output from a penetration test is a formal penetration test report, but that is not a given. Outputs can include:

  • Knowledge Sharing Sessions
  • Videos
  • Finding and Recommendation Lists
  • Service Desk/Bug Logs
  • Demos

Typically, a penetration test report will include the following:

  • Executive Summary
  • Scope Details
  • Test Methodology
  • Summary of Findings
  • Recommendations
  • Security Posture Summary
  • Detailed Findings
    • Identification of vulnerability
    • Details of exploitation routes and impact
    • Remedial Guidance


A penetration test can have several drivers, however the outcomes from a penetration test could include:

  • Identifying or validating risks
  • Understanding specific technical findings
  • Surfacing second story or root causes for findings
  • Understanding likely or potential impact to service and systems operations

Penetration testing is a specialist area of cyber security. It is a key activity for understanding control strength and for assuring that controls operate as intended. It is, however, just one branch of activity that organisations should be leveraging to ensure their digital services have a strong security posture. If your first security assurance activities are penetration tests, you should look at secure development lifecycles and security governance and management practices; even a configuration or design review during the development process will go a long way.