Penetration Testing Methodology
Defining scope is arguably one of the most important components of a Penetration Test, yet it is also one of the hardest. While defining your scope, we will require a technical scoping call between one of our penetration testers (usually the tester who will be doing the work) and your technical team. This is so we can understand what you want testing, what you need testing, the boundaries of the testing and what is within scope. It is also very important to us to discover whether there is anything that could be adversely affected by the testing.
We will also look to understand what you want out of the test. Is it a test to satisfy your clients, regulators, etc.? This way we can produce a set of reports following the test that are best suited to your circumstances.
This section defines the Intelligence Gathering activities of a Penetration Test, which are usually carried out as the first activity following the placement of an order. The purpose of this is to provide the tester with a working methodology designed specifically for performing the test. This part of the engagement produces a document that most clients never see, detailing the thought process and goals of the penetration test.
The Intelligence Gathering process can be broken down into the below areas:
Compliance Driven Engagement: This is mainly a click-button information gathering process using a series of automated tools and is done to support tests being undertaken for PCI-DSS / FCA / HIPAA etc.
Best Practice Engagement: A good understanding of the business, including information such as physical location, business relationships, organisation charts etc., is gained and added to the test notes. For physical security testing this would involve reconnaissance on opening hours, the comings and goings of staff and possible methods of entry. This is really valuable when conducting a test against a harder target or a business that is looking to take security and defence to the next level.
Continual Cyber Assurance: These Penetration Tests require greater levels of information and build on the previous two with a lot of manual analysis. Detailed information on social networks, heavy analysis of open source intelligence data sets and a deeper understanding of business relationships are built up over a large number of hours to accomplish the gathering and correlation.
Vulnerability Detection and Analysis
Vulnerability Analysis is the process of discovering flaws in systems and applications which can be leveraged by an attacker or your Penetration Tester. These flaws can range anywhere from host and service misconfiguration through to insecure application design. Although the process used to look for flaws varies and is highly dependent on the particular component being tested, some key principles apply to the process.
When conducting vulnerability analysis the tester will properly scope the testing for applicable depth and breadth to meet the goals and/or requirements documented in the Pre-Engagement scope section of work. Depth values can include such things as the location of an assessment tool, authentication requirements, etc. For example, in some cases it may be the goal of the test to validate that mitigation steps are in place and working, and that the vulnerability is not accessible. In other instances the goal may be to test every variable with authenticated access in an effort to discover all applicable vulnerabilities.
Whatever the scope, the testing is tailored to meet the depth requirements to reach your specified goal. Depth of testing is always validated to ensure the results of the assessment meet the expectation (i.e. did all the machines authenticate, etc.). In addition to depth, breadth must also be taken into consideration when conducting vulnerability testing. Breadth values can include things such as target networks, segments, hosts, applications, inventories, etc. The breadth of testing is always validated to ensure we have met your testing scope (i.e. was every machine in the inventory alive at the time of scanning? If not, why?).
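One way to carry out the depth and breadth validation described above, as an added example that is not part of the original page: it reconciles the agreed scope and asset inventory against scan results and lists every gap to be explained before findings are reported. The scope range, inventory, result format and the validate_coverage function are all constructed assumptions.

```python
import ipaddress

# Constructed sample data (assumptions, not from the original page).
SCOPE_CIDRS = ["10.0.10.0/29"]  # breadth agreed at scoping
INVENTORY = ["10.0.10.1", "10.0.10.2", "10.0.10.3", "10.0.10.4"]
# One record per host the scanner reported: (ip, alive, authenticated)
SCAN_RESULTS = [
    ("10.0.10.1", True, True),
    ("10.0.10.2", True, False),   # alive, but credentialed checks failed
    ("10.0.10.3", False, False),  # in the inventory, no response
    ("10.0.20.9", True, True),    # scanned, but outside the agreed scope
]


def _ordered(ips):
    """Sort addresses numerically rather than as strings."""
    return sorted(ips, key=ipaddress.ip_address)


def validate_coverage(scope_cidrs, inventory, scan_results):
    """Reconcile scope, inventory and scan results into a gap report."""
    nets = [ipaddress.ip_network(c) for c in scope_cidrs]

    def in_scope(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    seen = {ip: (alive, authed) for ip, alive, authed in scan_results}
    report = {
        # Breadth: does the inventory match the scope, and was it all scanned?
        "inventory_out_of_scope": _ordered(i for i in inventory if not in_scope(i)),
        "scanned_out_of_scope": _ordered(i for i in seen if not in_scope(i)),
        "never_scanned": _ordered(i for i in inventory if i not in seen),
        "not_alive": _ordered(i for i in inventory if i in seen and not seen[i][0]),
        # Depth: the host responded, but the authenticated checks did not run.
        "auth_failed": _ordered(i for i in inventory if seen.get(i) == (True, False)),
        "fully_covered": _ordered(
            i for i in inventory if in_scope(i) and seen.get(i) == (True, True)
        ),
    }
    report["coverage"] = len(report["fully_covered"]) / len(inventory) if inventory else 0.0
    return report


if __name__ == "__main__":
    for key, value in validate_coverage(SCOPE_CIDRS, INVENTORY, SCAN_RESULTS).items():
        print(f"{key}: {value}")
```

Any non-empty gap list is a question to answer before the results are accepted: an unscanned or silent host means the breadth was not met, and a failed authentication means the depth was shallower than agreed for that host.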
The exploitation phase of a Penetration Test focuses solely on establishing access to a system or resource by bypassing security restrictions. As a considerable amount of vulnerability analysis will have been performed prior, this phase is well planned and precise. The main focus is to identify the main entry point into the organisation and to identify high value target assets.
During this phase we may take on the persona of the main chaotic actors that could affect your business. This may be an external attacker that has gained access and wishes to proceed quietly and unnoticed, or it may be an internal attacker who is not too particular about the amount of noise created. We may even take the persona of malware, simulating a malware attack that was successful in the initial stages following a phishing attack.
The purpose of the Post-Exploitation phase is to determine the value of the machine compromised and to maintain control of the machine for later use. The value of the machine is determined by the sensitivity of the data stored on it and the machine's usefulness in further compromising the network. The methods described in this phase are meant to help the tester identify and document sensitive data, identify configuration settings, communication channels, and relationships with other network devices that can be used to gain further access to the network, and set up one or more methods of accessing the machine at a later time. In cases where these methods differ from the agreed upon Rules of Engagement, the Rules of Engagement must be followed.
This is the most important area for you. This is where we bring together all the information we have gathered into a document. A report is typically split into three parts:
Executive Report: This is a high level non-technical report and delivers the main messages of the test results. This section is heavy on management level terminology, charts and graphs.
Penetration Test Report: This is the critical information around your Penetration Test. Here we document what we did, how we did it and whether or not it was successful.
Technical Report: This is the technical detail on each of the issues found and an overview of how to fix the issue.
Completing the reporting phase can take up to a week as we have a highly robust 3-stage Quality Assurance process.