The Complete Penetration Testing Guide: Types, Methodology, Tools & More
If you’re thinking about using ethical hacking to improve your Cyber Security defences, you’ve no doubt come across the concept of penetration testing. This guide covers the various types of penetration test, the stages involved in conducting one and the tools used, so that your defences are robust enough to withstand the evolving techniques of today’s Cybercriminals.
What is Penetration Testing?
Penetration testing (referred to as “pen testing”) is, in simple terms, a human-driven vulnerability detection process and the primary method used by organisations to detect Cyber weaknesses. A pen test involves launching a simulated Cyber attack against your system in order to find and expose vulnerable points in your networks and systems.
During pen testing, any number of areas in your network or applications can be targeted. Anything from your services to your firewall and your APIs could be a valid target for the pen test team.
Some of the most commonly targeted system vulnerabilities include:
- Weak or faulty configuration
- New and existing software vulnerabilities
- Known and unknown faults with the hardware
- Poor Cyber Security response protocols
- Low Cyber Security user awareness
- Outdated applications or operating systems
If your system is successfully penetrated by any of the methods used, this will give you valuable information as to where your Cyber Security weaknesses lie and how easily they can be exploited. This can be used to improve your Cyber Security strategy and help to protect your network.
If the penetration test has failed to breach your system, this gives you a good level of assurance that your networks and systems are well protected from Cyber threats.
It’s important to highlight, however, that the pen test results are only valid at the time of performing the test and vulnerabilities can develop in the time that passes in between two penetration tests, especially if that time exceeds a year.
Types of Penetration Testing
There are various types of penetration tests depending on a number of factors, including the type of attack launched, who is conducting the test and the level of knowledge about the system given to the test team. A well-designed penetration test will take into account multiple variables in the same analysis to ensure that different real-life scenarios are covered.
Types of Penetration Testing based on the level of awareness
Typically pen testers will be given different targets, and how much knowledge they’ll be given of the system often varies. Whether the system administrators know about the test, and how much they know about what is being tested, can also be used as variables.
Black Box Testing
This is the most challenging variation for pen testers. In this scenario, the testers will have no information about the system whatsoever and will attempt to breach it as complete outsiders – just like real Cyber attackers would. Black Box testing can be conducted in two different ways:
- Blind testing: The testers are given no prior knowledge of the system, or a very limited amount (such as the name of the company only) to work with. However, the employees of the business are aware that a penetration test is taking place.
- Double-blind testing: This takes Black Box testing to another level. In a double-blind test, the testers know nothing about the system and the employees of the target company are not aware of the test either. With only one or two key members of the business in the know about the penetration test, it can catch everyone else off-guard, much like a real Cyberattack.
Pros: Black Box testing gives you an accurate idea of what a potential Cyberattack would unveil, and the impact it would have on your business. It is the most realistic way to approach vulnerability detection and a good place to start when you have no previous knowledge of weaknesses in your system.
Cons: Black Box testing may require a lot of reconnaissance time for the testers, which could incur a higher cost.
White Box testing
White Box testing examines the internal structure, design and code of a system, and testers are given detailed knowledge of the target network. They’ll have access to everything, from the current security protocols and network infrastructure to the known existing vulnerabilities and misconfigurations that the system is prone to. The information provided will go into granular details; the testers will even be given the IP addresses used within the organisation.
A good example of a White Box test is a targeted penetration test, in which testers and in-house security specialists work simultaneously to conduct it. Both sides are aware of the simulated attack and work in parallel – one side trying to infiltrate and the other to defend. This type of exercise is a great way for employees to see their own actions through the eyes of the hackers in real time.
Pros: White Box testing is very detailed, so it allows you to efficiently explore vulnerabilities with maximum coverage of the system. Since the testers have far more information than in a Black Box test, it is easier to target particular issues and explore various paths in detail. Hidden faults in the code can be exposed in the process, which helps optimise the code and system efficiency afterwards.
Cons: White Box testing requires extensive knowledge and specialised tools, and due to its detailed nature, it can take longer to complete. This can make the process quite expensive and so, unsuitable for smaller businesses that may not have the budget required.
In reality, a combination of both White Box and Black Box tactics is required to achieve optimal defence results. This is why some pen testers use ‘Grey Box’ techniques as a compromise. In a Grey Box test, the testers are given a limited amount of information to work with, so they don’t start from scratch, but they also have a more targeted scope of action. Grey Box testing is the most common type of pen testing due to the larger cost, size and scope associated with Black and White Box testing.
Types of Penetration Testing based on the source
Cyberattacks can come both from external and internal sources, which is why both external and internal penetration tests are a viable option.
External Testing
External testing is the testing of a range of public IP addresses. It is used to find out whether a public-facing system can be penetrated remotely. Modern firewalls and secure cloud storage systems can be exposed to higher risk due to human mistakes and misconfigurations, and external testers will attempt to exploit those vulnerabilities.
Internal testing
An internal Penetration Test will be designed to simulate a malicious attack coming from within your business, meaning the attacker would have access to internal credentials. Internal attacks could relate to a disgruntled employee who is actively trying to harm the business, or to a hacker who has gained internal access by stealing log-in information via phishing or other data breach techniques.
Penetration Testing methodology
If we look at a Penetration Test step by step, we will see that the Penetration Testing methodology is generally split into five stages:
- Reconnaissance and strategy
The first step is often also the most time-consuming. Borrowing the term reconnaissance or recon from military terminology, this refers to gathering intelligence on a target before devising a plan of action. This step is crucial – if the testers miss important details in the Cyber recon process, then the pen test will be flawed and will either fail to penetrate or will fail to address a specific vulnerability.
Ironically, reconnaissance is something we have all done at some point in our lives for various reasons. The process often incorporates sources such as Google, Facebook, Twitter and other social media platforms where anyone can get access to information about a business, including their name, the software they use, people who work in the business, and so on.
Once all necessary information has been gathered, it’s time to map out the penetration strategy and prepare to execute the simulated attack.
- Scanning
This is the first point of contact with the target system. The testers will send various packets to the system and observe how it responds. From port scanning to identify entry points, to scanning IP addresses and enumerating the software installed on the system, a large part of your exposed surface can be scanned in a single pass.
At this stage, the tester will gather important information such as which business assets are at risk (employee data, customer information, technical data), as well as which internal and external threats exist. Scanning can be performed dynamically, while the system is running, to observe how it reacts as the situation unfolds, or statically, to better understand the code in its entirety.
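The scanning stage described above is also what a defender sees first in the logs: one source touching many ports on one host in a short time. The following is an added example, not part of the original article, showing how that pattern can be detected over a constructed set of firewall log lines. The log format, the IP addresses (taken from documentation ranges) and the 10-ports-in-60-seconds threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (hypothetical format, not from any real product):
# "<ISO timestamp> <source ip> -> <destination ip>:<destination port> <verdict>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 -> 192.0.2.10:21 DROP
2024-05-01T10:00:00 203.0.113.7 -> 192.0.2.10:22 ACCEPT
2024-05-01T10:00:01 203.0.113.7 -> 192.0.2.10:23 DROP
2024-05-01T10:00:01 203.0.113.7 -> 192.0.2.10:25 DROP
2024-05-01T10:00:02 203.0.113.7 -> 192.0.2.10:53 DROP
2024-05-01T10:00:02 203.0.113.7 -> 192.0.2.10:80 ACCEPT
2024-05-01T10:00:03 203.0.113.7 -> 192.0.2.10:110 DROP
2024-05-01T10:00:03 203.0.113.7 -> 192.0.2.10:143 DROP
2024-05-01T10:00:04 203.0.113.7 -> 192.0.2.10:443 ACCEPT
2024-05-01T10:00:04 203.0.113.7 -> 192.0.2.10:3389 DROP
2024-05-01T10:00:05 203.0.113.7 -> 192.0.2.10:8080 DROP
2024-05-01T10:00:05 203.0.113.7 -> 192.0.2.10:8443 DROP
2024-05-01T10:01:00 198.51.100.4 -> 192.0.2.10:443 ACCEPT
2024-05-01T10:02:00 198.51.100.4 -> 192.0.2.10:443 ACCEPT
2024-05-01T10:03:00 198.51.100.4 -> 192.0.2.10:80 ACCEPT
2024-05-01T12:00:00 203.0.113.9 -> 192.0.2.10:22 DROP
2024-05-01T13:00:00 203.0.113.9 -> 192.0.2.10:23 DROP
2024-05-01T14:00:00 203.0.113.9 -> 192.0.2.10:25 DROP
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, port, verdict), or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, verdict = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port), verdict


def detect_port_scans(log_text, window=timedelta(seconds=60), threshold=10):
    """Return {(src, dst): distinct_ports} for pairs where one source probed at least
    `threshold` distinct ports on one host within any span no longer than `window`."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed or unrelated lines instead of failing the whole run
        ts, src, dst, port, _verdict = parsed
        # Both dropped and accepted probes count: the scan is the pattern, not the verdict.
        events[(src, dst)].append((ts, port))

    alerts = {}
    for pair, probes in events.items():
        probes.sort()  # chronological order
        best = 0
        start = 0
        # Sliding window: advance `end`, and move `start` forward whenever the span exceeds `window`.
        for end in range(len(probes)):
            while probes[end][0] - probes[start][0] > window:
                start += 1
            distinct = len({port for _, port in probes[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            alerts[pair] = best
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports within 60s")
```

In the sample, only 203.0.113.7 is flagged: it touches 12 ports in five seconds. The three probes from 203.0.113.9 are spread over hours and stay below the window, which is exactly the blind spot a slow scan exploits; widening the window or lowering the threshold trades that for more false positives from ordinary clients such as 198.51.100.4.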
- Penetration and exploitation
As soon as the testers have identified potential openings, they will attempt to gain access to the system. If penetration is successful, then the process of exploitation begins. The testers will launch any number of hacking techniques, ranging from Wi-Fi attacks, network attacks and web app attacks, to zero-day exploits and social engineering attacks.
You can limit the types of attacks performed by specifying your exact needs before testing commences. This is known as the Terms of Reference or Terms of Engagement, and it is something you should discuss with your Penetration Testing specialist prior to conducting it.
- Access maintenance
Once inside the system, ethical hackers would look for a way to maintain access that would enable them to draw information for as long as possible. Installing a Trojan Horse, for example, is a great way to plant code inside a system and keep it actively causing disruption in the background. This has to be done while avoiding detection of course, because as long as no one is aware of the security breach, no one will try to fix it.
Pen testers may also attempt to secure their entry point and keep it open for further access. By inserting a backdoor or using keyloggers, ethical hackers can create a route into the system that lets them return whenever they please. With the help of a rootkit, the testers can even elevate their rights on a network or a system.
- Reporting
This is the most valuable stage for the business. You may not follow every detail of the technical process, but the results should identify the vulnerabilities detected and provide remediation steps. A good penetration report will include:
- Any weaknesses that have been identified
- Risk level assessment for each threat
- Actions to resolve or minimise all issues found
- Recommendation on when the next pen test should be done
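The report elements listed above are easier to act on when each weakness carries a comparable risk rating. The following is an added example, not code from the article, of a small risk-matrix rating used to rank constructed findings and produce the kind of prioritised summary a report contains. The Finding fields, the 1–5 likelihood and impact scales, the band thresholds and the sample findings are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    title: str
    affected: str
    likelihood: int   # 1 (unlikely) .. 5 (almost certain)  -- assumed scale
    impact: int       # 1 (negligible) .. 5 (severe)        -- assumed scale
    remediation: str

    def __post_init__(self):
        # Reject ratings outside the scale so a typo cannot silently produce a wrong priority.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")


# Risk bands on likelihood * impact (1..25). Thresholds are an assumption for this example.
RISK_BANDS = [(20, "Critical"), (12, "High"), (6, "Medium"), (1, "Low")]


def risk_score(finding):
    return finding.likelihood * finding.impact


def risk_level(finding):
    """Map a score to the first band whose floor it reaches (bands are ordered highest first)."""
    score = risk_score(finding)
    for floor, label in RISK_BANDS:
        if score >= floor:
            return label
    return "Low"


def build_report(findings):
    """Return findings ordered highest risk first, each with its score and level attached."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [
        {
            "title": f.title,
            "affected": f.affected,
            "score": risk_score(f),
            "level": risk_level(f),
            "remediation": f.remediation,
        }
        for f in ranked
    ]


def summarise(report):
    """Count findings per level, e.g. {'Critical': 1, 'High': 1, ...}."""
    counts = {}
    for entry in report:
        counts[entry["level"]] = counts.get(entry["level"], 0) + 1
    return counts


# Constructed sample findings for demonstration only.
SAMPLE_FINDINGS = [
    Finding("Missing HTTP security headers", "www (public site)", 2, 1,
            "Add Content-Security-Policy and related headers at the reverse proxy."),
    Finding("Default credentials on admin console", "internal management host", 5, 5,
            "Change the default password and restrict console access to the admin network."),
    Finding("Outdated TLS configuration", "mail gateway", 3, 3,
            "Disable legacy protocol versions and re-test with a TLS scanner."),
    Finding("SQL injection in search form", "customer portal", 4, 4,
            "Use parameterised queries and add input validation on the search parameter."),
]

if __name__ == "__main__":
    report = build_report(SAMPLE_FINDINGS)
    for entry in report:
        print(f"[{entry['level']:8}] {entry['score']:2}  {entry['title']} ({entry['affected']})")
        print(f"           remediation: {entry['remediation']}")
    print("summary:", summarise(report))
```

Ranking by a shared score rather than by the order the testers found things is what lets the business fix the default-credentials issue before tidying up headers; the same structure also gives a baseline to compare against at the next test.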
Pen Testing tools
Pen Testing is a widely engaged practice, so there are many pen testing tools on the market and pen testers use a variety of them during testing. Having a varied toolkit that is easily configurable increases effectiveness as it allows for systematic scanning and reporting.
With many free or open-source penetration testing software available, pen testers have the freedom to implement and modify the code as they see fit, without having to worry about the cost.
It also helps that pen testers and hackers often use the same tools, as a lot of code is shared openly in the hacker community. Using the same toolbox is a good way to ensure the simulated attack is as close to the real thing as possible.
When to carry out a Penetration Test?
To ensure an on-going commitment to your Cyber Security, you should have regular Penetration Tests conducted at least twice a year. Due to the constantly evolving threat landscape, it is slowly becoming a quarterly exercise, with vulnerability assessments carried out more frequently. Vulnerability assessments should be considered a monthly exercise, since the scanning tools involved can work in the background. If your business has undergone significant changes, such as moving premises, deploying a new network infrastructure or significantly modifying the existing one, or changing the security policies of the business, then a vulnerability scan will identify any new vulnerabilities that the change may have created.
There is no ‘one-size-fits-all’ solution when it comes to Penetration Testing; it all depends on your company’s size and budget, as well as the regulations in your specific industry. Some companies may be required by law to have pen tests conducted more frequently in order to stay compliant with data protection legislation and data security standards, for example.
Why your business needs a Penetration Test
Keeping your Cyber Security up to date is important for your credibility and the smooth running of your business, and performing Penetration Tests will allow you to:
- Identify high-risk targets such as personal data and financial information
- Uncover vulnerable breach points in your system
- Find fault in the existing code
- Identify the need for Cyber Security awareness training
- Improve your Cyber Security posture
- Ensure compliance with existing security standards in your industry
- Verify the adequacy of your vulnerability assessment
FAQs
What is a Penetration Test?
Pen testing is an ethical hacking technique used to identify vulnerabilities in a network or system and then attempt to exploit them, simulating what a real attacker might do to the organisation.
How is Penetration Testing conducted?
Penetration testing uses methodologies and tools employed by real hackers, including deploying malware, SQL injections, port scanning and more.
What’s the difference between a vulnerability scan and a pen test?
A vulnerability scan is entirely automated, whereas a Penetration Test will use vulnerability scanning tools as part of the process but in addition, it traditionally requires human input.
How long does a Pen Test take?
This depends on the type of pen test required, the size of the business and the scope of the test. Some penetration tests may be time-limited to ensure that costs are kept to a set budget, but most penetration tests can be completed over a period of 2-3 days or more, depending on the targets and environments being tested.
What can Pen Testing tell you about your system?
Penetration Testing is designed to uncover network and system vulnerabilities and to determine the level of technical risk associated with them. Provided your Penetration Test is constructed and executed in line with best practices, it can give you reliable information on the Cyber Security risks you are facing. If your system passes the test, it can be assumed that there are no vulnerabilities known to the public at the time of testing.
What tools are used for Penetration Testing?
Pen testers will use a combination of various tools to fully cover all aspects within the scope of the test. Some of the more commonly-used free or open-source tools include Nmap, Metasploit, Wireshark and John the Ripper.
How often should a pen test be conducted?
It is recommended to do a pen test at least twice a year. However, depending on the nature of your business you may need to do this more often to ensure compliance with security regulations.
How much does a pen test cost?
This depends on the number of targets, the scope of the testing, the test types being performed and the number of testers required. If physical site visits are required, this may incur additional costs. It is recommended that you clearly define what you want to achieve from the testing; this should then provide an accurate number of targets on which to base the commercials.
Is a pentest worth it?
Penetration testing is considered the most accurate way to determine what could happen if your organisation was the target of a Cyber attack. It is more accurate than just using vulnerability scanners because the human-driven element can react in a variety of ways whereas the machine can only detect what it knows, and not change or adapt to the environment presented to it.
What happens after a Penetration Test?
You should receive a comprehensive report which will detail a list of issues discovered, as well as suggested remediation actions to fix those. Based on the report, you should address the system vulnerabilities that have been highlighted and take actions to strengthen your Cyber Security. Depending on the security flaws found, you could implement a range of solutions, ranging from system modifications to user-focused activities, such as Cyber Security awareness training.