
A Guide to preparing for Penetration Testing
A cyber-security post by Olly Pease
As security technology and threat awareness improve, so do adversaries, who continuously adopt new techniques to increase speed and impact while evading detection.
Ransomware and malware remain the preferred methods of big game hunting (BGH) cybercriminals, but the growing use of hands-on, or “interactive intrusion,” techniques is particularly concerning. Unlike automated malware attacks that rely on malicious tools and scripts, human-driven intrusions tap into the creativity and problem-solving abilities of attackers. These individuals can mimic legitimate user or administrative behaviors, making it difficult to differentiate between normal activities and cyber-attacks.
Today, most security practitioners aim to manage risk at scale. Achieving this requires visibility, reducing noise, and securing the enterprise attack surface through the right people, processes, and security solutions.
By utilizing penetration testing services, organizations can proactively address new and evolving threats, helping security teams identify and validate what constitutes normal and potentially malicious activity. Penetration testing involves a variety of technologies—both human-led and automated—and employs certified pen testing experts, or ethical hackers, to simulate cyber-attacks on networks and assets. Pen testers use real-world tactics similar to those of attackers to discover and exploit known or unknown vulnerabilities before a breach occurs.
This proactive, offensive security approach requires planning and preparation by security leaders to ensure penetration testing is effective, including selecting the right provider to meet both security and business objectives.
The Steps to Successful Penetration Testing
The following steps are necessary for properly preparing and planning penetration testing. Each is outlined in more detail below:
- Establish a Team: Determine the security leaders involved in the penetration testing initiative, including a main point of contact (POC) or organizer. Outline roles, responsibilities, and clear objectives.
- Identify Stakeholders: Identify key stakeholders and decision-makers. Clarify their roles and when their approvals will be needed during the penetration testing process.
- Create a Project Plan: Develop a clear project plan outlining the testing scope, specific systems and assets to be tested, timeline, objectives, and expected outcomes.
- Select a Testing Methodology: Choose the appropriate testing methodology based on the scope. Common methodologies include Black Box, White Box, and Gray Box testing. Also, consider techniques your organization may want to deploy, such as social engineering, API fuzzing, or external web app testing.
- Support for the Security Team: Consider the support your security team may need, including expertise, resources, and budget. Determine whether the project will be handled internally or if an external pen testing service provider is necessary. When selecting a vendor, inquire about the support and expertise they offer.
- Engage with the Vendor: After researching vendors, ask the right questions, such as:
  - Is penetration testing part of your core business?
  - Do you hold professional liability insurance?
  - Can you provide references or testimonials?
  - Do you have certifications like ISO 9001 or CREST?
  - What are the qualifications of your pen testers?
  - How do you stay current with the latest vulnerabilities and exploits?
  - What is your testing methodology and pricing structure?
- Debrief the Report: Prepare a comprehensive report detailing the findings and recommendations for remediation. Debrief with your team and service provider (if applicable) to analyze the findings and associated risks. Collaborate with stakeholders to ensure clarity and set a timeline for remediation.
- Remediation Action Steps: Provide detailed findings with clear prioritization of vulnerabilities based on severity, including action steps for risk mitigation. Maintain effective communication, accountability, and quick resolution.
- Retest and Validate: After remediation, additional retesting may be necessary to validate that vulnerabilities have been properly addressed and no new issues have arisen.
Preparing for Penetration Testing Services
Understand Your Attack Surface
To manage the attack surface effectively, organizations need full visibility of their cyber assets. This involves three key considerations:
- Visibility of the Attack Surface: Identify hidden and unmanaged cyber assets.
As organizations expand their digital footprint, attackers exploit this growing attack surface. This increases the challenge for security practitioners to protect the IT ecosystem. Without full visibility, assessing and communicating an organization’s exposure to risk becomes nearly impossible.
- Prioritizing Risk: Make decisions based on risk.
Without continuous risk assessments, organizations remain vulnerable. Security leaders need clear visibility into key risk factors to guide strategic decisions. Regular assessments provide actionable insights, helping DevSecOps teams strengthen defenses and prevent breaches.
- Mitigating Risk: Reduce attack surface risk.
Security teams often find themselves reacting to threats due to limited time and visibility. A large attack surface requires proactive measures to discover, assess, and address risks before attackers strike.
Determine the Scope
When planning penetration testing, consider the following:
- Identify What to Test: Determine which areas and assets to test, such as critical systems, applications, networks, or data that could be vulnerable.
- Establish Goals: Identify the business goals for penetration testing, whether assessing the human layer of security or finding weak spots in the infrastructure.
- Compliance Requirements: Consider specific regulations that may dictate the testing scope. Understanding which regulations your organization must comply with will help narrow down the testing focus.
Security practitioners should also gather essential details about the organization’s infrastructure, such as domains, servers, devices, or authorized user credentials, depending on the testing method chosen.
Common Assets to Test
External Assets
- Web Applications: Web apps are the most commonly tested external assets, often revealing vulnerabilities such as SQL injection, XSS, authentication flaws, and more. External asset testing can also include mobile applications, APIs, cloud services, IoT devices, and secure code review.
Internal Assets
- Network Infrastructure: Internal network systems are common targets for penetration testing. Typical vulnerabilities include misconfigured Active Directory (AD), weak passwords, and outdated software.
Types of Penetration Testing
There are several methodologies for penetration testing:
- Traditional Pen Testing: Typically offered by large consulting firms, this hands-on, project-based approach involves a defined scope and timeline but can be expensive and slow.
- Autonomous Pen Testing: This uses automated tools, scripts, and AI for continuous or scheduled security assessments. It offers scalability and cost efficiency but may not uncover sophisticated vulnerabilities.
- Penetration Testing as a Service (PTaaS): A hybrid approach combining both autonomous and human-led pen testing, offering both speed and depth. PTaaS is ideal for comprehensive coverage of the attack surface.
Planning for Penetration Testing
Choosing the Right Pen Testing Services and Provider
Choosing between internal and external pen testing resources depends on your scope and objectives.
- Internal Penetration Testing: Offers a cost-effective, continuous improvement option for insider threats and internal system testing.
- External Pen Testing with a Service Provider: Provides specialized expertise and an unbiased view with standardized practices.
- Crowdsourced Pen Testers: Lack standardization and consistency but can be useful for validation testing.
What is the Right Penetration Testing Methodology?
Three primary penetration testing methods exist:
- Black Box: The tester has no prior knowledge of the system, simulating a real-world attack.
- Gray Box: The tester has partial knowledge, allowing a more efficient evaluation.
- White Box: Complete system knowledge is available, allowing for comprehensive assessments of internal controls.
Why Standardization Is Important in Pen Testing
Standardized guidelines are crucial in penetration testing to ensure accuracy, consistency, thoroughness, and compliance with industry practices. Below are some commonly used standards:
1. NIST (National Institute of Standards and Technology)
NIST guidelines offer practical recommendations for designing, implementing, and maintaining security testing processes. These guidelines help industries, governments, and organizations reduce cybersecurity risks by covering various areas, including penetration testing, vulnerability scanning, and risk assessments. They are widely adopted by federal agencies and organizations to ensure a standardized security approach.
2. OWASP (Open Web Application Security Project)
OWASP provides a robust framework for testing web applications, focusing on identifying and mitigating common vulnerabilities. It also extends its guidelines to mobile apps, APIs, cloud services, and more. OWASP’s open-source and regularly updated guidelines make it a widely respected resource for addressing the latest threats and best practices.
3. CREST (Council of Registered Ethical Security Testers)
CREST is a not-for-profit accreditation body that sets high standards for security testing, including penetration testing. It ensures that member organizations adhere to strict ethical, legal, and technical standards. CREST’s standardized methodology includes planning, information gathering, vulnerability analysis, exploitation, and reporting.
Other Notable Guidelines
- MITRE ATT&CK: A global knowledge base detailing adversary tactics and techniques used in real-world attacks. It helps in developing specific threat models and methodologies used in various sectors, including private, governmental, and cybersecurity communities. Unlike traditional frameworks, MITRE ATT&CK provides an extensive matrix covering different stages of an attack.
- PCI DSS (Payment Card Industry Data Security Standard): Provides guidelines for penetration testing to protect cardholder data.
- OSSTMM (Open Source Security Testing Methodology Manual): Offers detailed security testing methods covering operational security aspects.
- HIPAA (Health Insurance Portability and Accountability Act): Provides guidelines for penetration testing to ensure the protection of health information.
Regulatory Compliance with Penetration Testing
Regulatory mandates have become increasingly stringent, with new regulations emerging worldwide that affect various sectors, particularly finance, healthcare, and critical infrastructure. Below are some key regulations related to penetration testing:
DORA: Threat-Led Penetration Testing (TLPT)
In response to growing ICT risk in the financial sector, EU regulators introduced DORA to identify and address vulnerabilities. Under DORA, two forms of testing are mandated for financial institutions:
- Digital Operational Resilience Testing: Mandatory annual testing for systems supporting critical functions.
- Threat-Led Penetration Testing (TLPT): Required every three years for major financial entities identified by competent authorities.
NCSC Cyber Assessment Framework (CAF)
CAF is a vital tool for public sector entities and those supporting Critical National Infrastructure (CNI). It provides a systematic approach to assessing an organization’s cybersecurity measures. CAF is particularly relevant for organizations covered under the Network and Information Systems (NIS) Regulations, which mandate certain cybersecurity protocols. It’s also valuable for sectors managing public safety risks, such as healthcare and transportation.
NIS2 Directive
The NIS2 Directive (EU Directive 2022/2555) aims to establish a high level of cybersecurity across the EU. It requires essential entities to implement measures to manage network and information system risks while minimizing the impact of potential incidents.
TIBER-EU (Threat Intelligence-Based Ethical Red Teaming)
An EU initiative to enhance cyber resilience in the financial sector, TIBER-EU outlines a structured approach for conducting controlled, intelligence-led red team exercises. These tests simulate real-world cyberattacks to assess and strengthen an organization’s cybersecurity posture.
SOC 2 (System and Organization Controls 2)
SOC 2 is a widely recognized auditing framework developed by the American Institute of Certified Public Accountants (AICPA). It focuses on ensuring that service organizations implement controls to protect customer data, particularly in the areas of security, availability, processing integrity, confidentiality, and privacy.
HIPAA (Health Insurance Portability and Accountability Act)
A U.S. federal law designed to protect the privacy and security of health information. Healthcare organizations are required to regularly validate their security controls, including conducting penetration testing, to ensure data protection.
PCI DSS (Payment Card Industry Data Security Standard)
PCI DSS mandates penetration testing to ensure the protection of cardholder data. Section 11.3.1 requires external testing at least once every six months or after any significant IT infrastructure changes. Section 11.3.2 requires internal penetration testing at least every six months, with additional requirements for more frequent testing as needed.
In Conclusion
Preparing for penetration testing services requires careful planning and answering numerous questions before testing begins. However, the benefits of these services make the effort worthwhile, helping to maintain a strong security posture today, tomorrow, and in the future.
Hi, I'm Olly, Co-Founder and Author of CybaPlug.net.
I love all things tech but also have many other interests such as Cricket, Business, Sports, Astronomy and Travel.