Cybersecurity penetration testing explained: what is pen testing?

This blog was written by a third party author.

What is penetration testing?

Cybersecurity penetration testing is a method of checking for security weaknesses in software and systems by simulating real-world cyber-attacks.

Also known colloquially as 'pen tests,' penetration tests probe beyond the scope of automated vulnerability scans. Pen tests find gaps in protection that can arise when unique combinations of applications, systems, and security defenses work together in live environments.

External vs internal pen testing

Most penetration tests tend to be broken into two broad categories:

• External pen testing—External penetration tests try to exploit flaws from the outside of corporate confines, simulating the kinds of attacks that remote hackers would carry out on externally facing assets. This includes internet-facing systems like web applications website servers, open APIs, DNS infrastructure, and more.

• Internal pen testing—Internal penetration tests start from inside an organization's internal network. They're meant to mimic the kinds of attacks that can be carried out by a malicious employee or an outside attacker who has already gained a foothold in the network via phishing attacks or other malware attacks against employees' endpoints.

Types of penetration tests

Methodology and scope of penetration tests can vary greatly. Some of the most common types of pen tests include:

• White box tests—Pen testers are given a detailed amount of information about the company and systems they're tasked with targeting.  This may include basic credentials, source code, or other inside information.

• Black box tests—Testers are only given the name of the targeted organization and must figure out how to break into systems with the same level of information that an outsider would have. Also referred to as 'blind' tests.

• Grey box tests— Testers are given some amount of information and insights, perhaps incrementally if testing progress halts, in order to continue the assessment.

• Social engineering attempts—Depending on scope of penetration testing engagement, pen testers may engage in social engineering attacks to trick employees into giving them physical or logical access to systems. Social engineering tests may be as simple as phishing or calling employees to see if they'll divulge passwords to as elaborate as dressing as delivery people or service workers to try to gain physical access to sensitive systems.

• Red/Blue/Purple team engagements—These are structured attack and defend scenarios where a red team made up of penetration testers targets a defensive blue team's assets. Red team engagements are less about enumerating a range of technological vulnerabilities and more about stress testing threat detection and response aptitude of the blue team.  When these teams work more collaboratively, it is referred to as a purple team test.

The phases of penetration testing

The phases of penetration testing tend to mirror the phases of attacks commonly carried out by today's cyber adversaries—with the valuable addition of a debriefing for cybersecurity defenders at the end of the test.

Scoping 

Goals are set for the breadth of weaknesses that pen testers will probe for and systems or processes they're meant to target. Rules of engagement are set for the test methods and pen test frameworks that can be used, as well as where in the network or physical premises testers can operate.

Recon and scanning

Particularly important in black box testing, the reconnaissance phase has pen testers gathering intelligence about the network and systems through a range of methods, including network scans, social engineering, reverse engineering, and static or dynamic analysis of application code. Testers seek to map out as much information as possible to look for vulnerabilities they can exploit.

Gaining access

Once pen testers enumerate the network and system vulnerabilities, they begin the work of exploiting flaws to gain access to systems. Like attackers commonly do, they'll frequently seek to gain footholds on low-value assets, move laterally across the network, and escalate privileges on systems wherever possible.

Maintaining access and evading detection

Depending on the scope of engagement, pen testers tasked with mimicking advanced attackers may be called upon to seek persistence on systems they exploit and hide evidence of their network incursion to test how long (or if) the security team finds their simulated 'malicious' behavior.

Reporting and analysis

The best penetration tests are followed up with detailed reporting that offers analysis of which vulnerabilities or security weaknesses pen testers exploited to gain access, what sensitive information they were able to access, how long they were able to evade detection, and what that means for the organization moving forward. Pen testers should ideally offer guidance and prioritization on how a company should go about closing security gaps they've found, both through changes in technology and processes.

Key benefits of penetration testing to a business

• Assess real-world cyber readiness
• Uncover complex vulnerabilities, business logic flaws, and weaknesses in processes or employee training
• Find compliance violations and satisfy pen testing requirements from PCI DSS and other regulations
• Document security gaps in technology and processes for auditor and executive review
• Prioritize remediation based on exploitability of issues discovered in your environment

Should you go with an MSSP for penetration testing?

Penetration tests are conducted by highly trained individuals—sometimes referred to as ethical hackers—who specialize in looking for exploitable security weaknesses the same way an attacker does. The best ethical hackers not only know how to mimic attacks, but also debrief defenders on what those attacks tell them about systems they successfully exploited. Ethical hackers regularly conduct pen tests against a range of organizations and bring a deep expertise to the table that can rarely be matched by internal pen testers.

Penetration testing vs vulnerability scanning

While penetration testers may use vulnerability scanning tools as a part of their pen testing tactics, the practice of penetration testing is very different than vulnerability scanning. Automated vulnerability scanning creates a laundry list of vulnerabilities and configuration flaws in systems or applications under review. Meanwhile, manual penetration testing examines a target environment as a whole looking into complex or underlying weaknesses that a vulnerability scanner couldn't find, including business logic flaws, poor separation of duties, ineffective network segmentation, and more.

FAQ

Who conducts penetration tests?

Penetration tests are conducted by specialized professionals—sometimes referred to as pen testers, sometimes as ethical hackers—who can simulate attacks with techniques commonly used by adversaries and help document weaknesses in a company's cybersecurity defenses.

How far into my network will a penetration tester go?

The scope of engagement on a penetration test is completely up to an organization, depending on their goals for uncovering security flaws. Penetration tests can be limited to just a few applications or resources, to certain business functions, or opened up across a wide range of systems.

Why would I choose a penetration test if I already do automated vulnerability testing?

Manual penetration tests can help reduce false positives and uncover complex, emerging or obscure vulnerabilities that automated scans can miss.  Annual penetration testing, at minimum, is considered a best practice and is often a compliance requirement.