Penetration Testing Services: what to look for in a pen test provider

October 14, 2020 | Mike Klepper

These days computers and the software that runs on them touch practically every part of our professional and personal lives. The information they store, process and transmit is the foundation upon which businesses are built, how customer experiences are delivered, and how we find the best takeout food in our immediate area. So why is it so hard to keep them highly secure?

Computer security can be thought of as a never-ending sports season played between our “home team” of network and application administrators on one side and the various groups of cyber threat actors on the other. As in any such contest, it pays to know the other team’s playbook so that you can adjust your strategy accordingly. One of the best ways to do this is through Penetration Testing Services. AT&T Cybersecurity Services’ team of professional penetration testers conducts cyber-attack simulations that reflect the current, real-world methods used by the threat actors your administrators face off against every day.

How does a penetration testing service typically work?

Penetration testing services are a cornerstone of any mature security program. Such exercises are used to validate that technical controls, applications and configurations are operating as expected, identify gaps in detective and preventative controls and supporting processes, and obtain a practical understanding of exposures arising from user-targeted attacks. It is therefore important to understand, from an organizational perspective, what you want to achieve from your penetration test. What are you hoping to learn from the results? What additional security assurance are you hoping to obtain? Ultimately these objectives will determine the scope, duration, and cost of the penetration test.

With objectives firmly in mind and translated into a technical scope, it is time to begin testing. How the testing proceeds is determined by the rules of engagement agreed upon between the organization and the penetration testing provider. This agreement covers things like testing timeframes, notification requirements, exploitation objectives or limitations, and known critical or sensitive systems or applications that require special care during testing to avoid an outage. As the technical testing progresses, it is important to have regular check-ins with stakeholders as well as escalation procedures for any urgent matters that must be addressed during the assessment and cannot wait for the final deliverable.

What should you expect a pen testing provider to accomplish?

The penetration testing provider that your enterprise selects should be able to consult with you on how to get the most out of any assessment. It is your organization’s goals, objectives, security and compliance needs that drive the consumption of these services, and as such those requirements should be kept front and center. How mature is your security program? Would a more advanced approach to penetration testing bring more value to your organization? Does your scope meet your compliance requirements, or might there be a surprise down the line when the time comes to provide supporting evidence to your auditor?

From a technical perspective, your assessment provider should have the capabilities necessary to get the job done, and done right. By utilizing industry-recognized methodologies and tools, your provider should be able to offer consistent results across multiple engagements. The ability to apply creative thinking and problem solving to accomplish penetration testing objectives is arguably the core value of any penetration test team. Having a broad team of deeply skilled security professionals is key to accomplishing this, as individual assessors can draw upon the collective experience of the entire team to achieve client goals.

When are more advanced tests required?

For organizations that have mature security operations capabilities and have experience with penetration tests and their outcomes, more advanced testing may be appropriate. Adversary Simulation engagements or “Red Team” exercises are approaches to penetration testing that provide a stress test of an organization’s ability to identify and respond to suspicious activity. These engagements use many of the same tools, techniques and procedures as any other form of penetration test. The difference is that they are conducted with minimal coordination and transparency, with a particular focus on avoiding detection and obfuscating attacks so your network defenders can test their chops.

Red Team approaches can identify opportunities for improvement in the tuning of detective controls, the need for additional training for SOC staff, and gaps in supporting processes, such as incident response. The results of an advanced penetration test will not only validate the accuracy of your cybersecurity maturity, but identify very specific, exploitable conditions and their root cause to help take your security posture to the next level.

Pen testing from AT&T Cybersecurity Consulting

AT&T Cybersecurity Consulting takes a consultative approach to penetration testing to ensure that the scope, rules of engagement, and outcomes align with your security organization’s objectives. With over twenty years of experience providing these services to the market, and a team of security professionals that average 12 years of experience performing these assessments, AT&T Cybersecurity Consulting can execute assessments regardless of size, complexity or market segment. Once engaged, our team will work to find and exploit those issues in the enterprise that previously escaped attention, provide detailed recommendations for how to resolve or mitigate the issues, and draw attention to underlying gaps that should be addressed to help prevent future recurrence.

About the Author: Mike Klepper

As the National Practice Director for Application Security, Threat & Vulnerability Management within AT&T Cybersecurity Consulting, Mr. Klepper has broad responsibilities. In addition to providing subject matter expert support to sales teams across all channels and verticals, Mr. Klepper is responsible for defining the services offered for penetration and vulnerability testing, application security testing, managed scanning solutions, and incident response and forensics. A sought-after thought leader and public speaker, Mr. Klepper makes regular appearances on AT&T Threat Traq and mentors team members in both technical and non-technical disciplines such as sales techniques, strategic problem solving, and quality assurance.