What we’ll be learning
Today, we’ll be learning about penetration testing, or pen testing for short. We’ll discuss exactly what it is, and how it works from start to finish. We’ll also learn about common terms used in pen testing, and some common techniques used by pen testers.
What is penetration testing?
Penetration testing is the process of identifying an organization’s vulnerabilities and providing recommendations on how to fix them… by breaking into the organization’s network environment. Penetration testing uses the same tools and skills that malicious hackers use, in order to test the security of the environment. In cybersecurity, the environment is usually networks and computers, but physical pen testing also exists. Usually, penetration testing is carried out by external groups hired by an organization.
Why would you want that!?
The main benefit of penetration testing is that it gives a realistic test of security measures, without causing the damage of a real cyber attack. Pen testing can reveal hidden security weaknesses or oversights that otherwise might have gone unnoticed, provide defensive security teams with hands-on experience countering active cyber attacks, and direct efforts to improve security.
How is that legal?
Penetration testing is hacking, but it’s authorized hacking. Pen testers receive a signed contract from the client called a statement of work, which outlines what they are allowed to do and gives them permission to carry out the penetration test. Without authorization, breaking into an organization’s environment is illegal.
Penetration testing is really cool
Let’s be honest: Penetration testing is just plain cool. Getting to legally hack into computers and networks is absolutely as cool as it sounds, and while there’s a lot more to the job than just hacking, it’s still a very popular field of cybersecurity.
One type of penetration testing that’s relatively easy to get into is bug bounties, where organizations will give monetary rewards to people who discover bugs or vulnerabilities in software, websites, etc. This doesn’t mean you should start trying to take down websites willy-nilly though: If you are interested in bug bounties, make sure you understand the rules of what is and isn’t allowed for a given bug bounty program.
The basics of pen testing
Rules of Engagement
While pen testing does involve hacking, it’s not usually an “anything goes” scenario. Organizations don’t normally want pen testers to cause actual damage, just see if they could. Rules of Engagement (ROE) are documents that specify the parameters of the penetration test (also referred to as the engagement).
The ROE specify the goal and scope of the penetration test, as well as specific considerations such as systems that should be considered off-limits. These rules are part of the statement of work, which should be a legally binding contract signed before any hacking takes place.
Organizations may want to simulate attacks from various sources, both internal and external. Attack profiles are an important consideration in penetration testing and refer to how much information the pen testers are given about the environment ahead of time.
- White-Box pen testing is done with full knowledge of the environment, simulating attacks from knowledgeable insiders. This type of pen test can also be used to follow up on discoveries made during other types of pen testing.
- Grey-Box pen testing is done with partial knowledge of the environment, simulating an attacker with some insider knowledge. It requires some reconnaissance on the part of the pen tester.
- Black-Box pen testing is done with no knowledge of the environment, simulating an external attack. The pen tester can only obtain information through reconnaissance.
While penetration testing is adversarial, it’s also a collaborative effort: The people defending the network are just as much a part of the pen test as the people attacking it. Rather than saying “attackers” or “defenders”, we refer to different groups involved in the pen test as teams.
Red Team and Blue Team are the most common types of teams to have, but there are others.
- Red Team is the team doing the ‘attacking’. They have goals set out in the ROE, such as breaching a specific server, and aim to complete those objectives.
- Blue Team are the defenders. Their goal is to defend the environment and prevent the red team from accomplishing their goals.
- White Team is a team that serves as referees. For example, if the red team isn’t sure whether something they’re considering is allowed, or if an actual attack takes place, the white team will be able to provide guidance or stop the exercise completely.
- Purple Team is less of a team and more of a methodology. In a purple-team scenario, the red and blue teams meet regularly to discuss how the pen test is going. This diminishes the adversarial nature of the exercise but can be useful for teaching the blue team about defense.
How it’s done: the PTES
The Pen Testing Execution Standard (PTES) is a standard for conducting penetration testing. It is divided into 7 phases, with some phases forming a loop that continues until the exercise comes to an end.
The phases are as follows:
Phase 1: Pre-Engagement
This phase is a collaborative effort between the client and the pen tester, with the goal of tailoring the pen test to the client’s needs. The ROE should be defined during this phase, based on the purpose of the pen test, practical restrictions, etc. While this part isn’t very interesting from a cybersecurity perspective, it’s crucially important in delivering a pen test that meets the client’s needs. At the end of this phase, contracts should be signed, and the pen testers should have a statement of work.
Phase 2: Intelligence Gathering
This phase is about gathering information about the target. In black-box and grey-box pen tests, this means using passive and active reconnaissance techniques. In grey-box and white-box pen tests, this means going over the provided information about the environment.
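The ROE scope described under Rules of Engagement and the intelligence gathered in this phase meet at one practical check: every host that reconnaissance turns up has to be tested against the signed scope before anyone touches it, and explicit off-limits entries must win over any in-scope range. The following is an added example, not code from the article or from the PTES; the `RulesOfEngagement` structure, the four classification labels and the sample scope and host list are all assumptions constructed for illustration. Anything that cannot be parsed is routed to review rather than silently treated as in scope.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hostname syntax check: labels of letters, digits and hyphens, dot-separated.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.?$")


@dataclass
class RulesOfEngagement:
    """Scope section of an ROE (hypothetical structure, constructed for this example)."""
    in_scope_networks: list   # CIDR strings the client has authorized
    in_scope_domains: list    # DNS suffixes the client has authorized
    excluded_hosts: list      # explicitly off-limits IPs or names; these win over everything

    def __post_init__(self):
        self._nets = [ipaddress.ip_network(n, strict=False) for n in self.in_scope_networks]
        self._domains = {d.lower().rstrip(".") for d in self.in_scope_domains}
        self._excluded_ips = set()
        self._excluded_names = set()
        for entry in self.excluded_hosts:
            try:
                self._excluded_ips.add(ipaddress.ip_address(entry))
            except ValueError:
                self._excluded_names.add(entry.lower().rstrip("."))


def _parse(target: str):
    """Return ('ip', address), ('name', hostname) or ('unknown', raw text)."""
    raw = target.strip()
    try:
        return "ip", ipaddress.ip_address(raw)
    except ValueError:
        pass
    if _HOSTNAME_RE.match(raw):
        return "name", raw.lower().rstrip(".")
    return "unknown", raw


def classify(roe: RulesOfEngagement, target: str) -> str:
    """Label one discovered host: excluded, in_scope, out_of_scope or needs_review."""
    kind, value = _parse(target)
    if kind == "unknown":
        return "needs_review"          # never assume authorization for junk input
    if kind == "ip":
        if value in roe._excluded_ips:
            return "excluded"          # exclusions are checked before any range
        return "in_scope" if any(value in net for net in roe._nets) else "out_of_scope"
    # DNS name: exact domain match or a subdomain of an authorized suffix
    if value in roe._excluded_names:
        return "excluded"
    for domain in roe._domains:
        if value == domain or value.endswith("." + domain):
            return "in_scope"
    return "out_of_scope"


def triage(roe: RulesOfEngagement, candidates) -> dict:
    """Group a list of discovered hosts by classification label."""
    buckets = {"in_scope": [], "excluded": [], "out_of_scope": [], "needs_review": []}
    for target in candidates:
        buckets[classify(roe, target)].append(target)
    return buckets


# Constructed sample scope and a constructed list of hosts "found" by reconnaissance.
EXAMPLE_ROE = RulesOfEngagement(
    in_scope_networks=["10.10.0.0/16", "192.0.2.0/24"],
    in_scope_domains=["example.com"],
    excluded_hosts=["10.10.5.1", "payroll.example.com"],
)
DISCOVERED = [
    "10.10.5.1", "10.10.7.22", "192.0.2.44", "203.0.113.9",
    "www.example.com", "payroll.example.com", "EXAMPLE.COM",
    "evil-example.com", "not a host!!",
]

if __name__ == "__main__":
    for label, hosts in triage(EXAMPLE_ROE, DISCOVERED).items():
        print(f"{label}: {hosts}")
```

Note that `evil-example.com` lands out of scope even though it contains the authorized domain name: only an exact match or a proper subdomain (`.example.com` suffix) counts, which is the distinction a sloppy substring check would miss.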
Phase 3: Threat Modeling
Once the information has been obtained in phase 2, that information is used to determine what potential targets should actually be targeted. This involves:
- Determining how valuable a potential target is.
- Determining how difficult it would be to attack.
- The capabilities of the adversary the pen test is trying to simulate.
If the goal is to simulate an attack by script kiddies, going after a target that requires specialized knowledge probably isn’t helpful to the client.
Phase 4: Vulnerability Assessment
With a target in mind, the red team now decides how to attack it. Using the information gathered in phase 2, and prioritizing the targets chosen in phase 3, the red team will look for vulnerabilities that they can exploit in order to advance their goal. Once enough vulnerabilities have been found, it’s time for…
Phase 5: Exploitation
This phase is about actually exploiting vulnerabilities. This can be done in many different ways: Using tools like Metasploit to automate the process, using custom pre-existing exploits, or even developing entirely new exploits.
Phase 6: Post-Exploitation
Once an exploit is completed, there’s still work to do. Here are some of the key activities that take place in the post-exploitation phase:
- Obtaining Persistence: The ability to maintain access even if the initial attack vector is closed.
- Privilege Escalation: Exploiting some vulnerabilities to increase one’s access in the environment.
- Cleanup: Removing evidence of the exploit.
- Pivoting: Using the access gained in the exploitation phase to repeat phases 2-6. For example, the red team might compromise an IT worker’s computer, then use stored credentials to pivot to a web server that they had not been able to access before. This is also referred to as lateral movement.
This is also the phase where the red team might accomplish specific goals laid out by the client. For example, if the client wants them to place a file on every computer they compromise, that would happen here.
Phase 7: Reporting
Throughout the pen test, the pen testers should be documenting everything they do. In this phase, the information they collect is turned into a report for the client: Every vulnerability, every recommendation, etc. Remember, the purpose of a pen test is to improve the client’s security, so this is a crucial step, albeit less exciting than some of the others. Even a “failed” pen test where the red team didn’t accomplish their goals can still provide useful information for the client.
Penetration testing is a really cool field of cybersecurity, but it’s not just about legal hacking. The goal of pen testing is to help clients improve their security by simulating an attack by a threat actor, finding vulnerabilities, and giving the blue team hands-on experience in adversarial environments. Done well, penetration testing can be an incredibly effective way to improve security.