The digital age has come and gone. Right here today, we're living in the post-digital era. Applications and systems are no longer fast becoming a core part of business; they are now the foundation of the world's business ecosystem. And rather than software "users", most organisations are now technology companies in their own right: application design, development, and implementation form the backbone of operability and growth. It's an exciting time to be doing business.
Naturally though, within dynamic, multi-layered digital infrastructures where business is driven by development lifecycles, applications accumulate and cyber risk evolves fast. Development and scale provide opportunity for organisations, but also for a greater number of attackers set to capitalise on this accumulation. New risk emerges continuously, magnified by the increased accessibility of attacker tradecraft. This leads us to an important question: how do you scale your security testing activities to keep pace with the growing risk?
Penetration testing has always been a core building block of cybersecurity, and with more applications and systems to test than ever before, that remains the case. But the industry is moving forward and the playing field for testing is changing. In response, this article takes a deep dive into penetration testing – what it is, how it’s best used, and where it fits alongside new, continuous approaches to testing.
What is penetration testing?
Penetration testing (aka pentesting; pen testing) is an offensive security exercise that uses manual and automated (tooling-based) techniques to design and deploy a controlled attack on an organisation's assets to test their security. “Security” in this context is defined by the resilience of said assets – i.e., their ability to withstand different malicious techniques being used against them to:
- Harm them (corrupt, destroy, or encrypt)
- Extract information and secrets
- Manipulate them into means for targeting further assets
The deliverable of a penetration test is a report. This provides details on the security of the tested assets so that the organisation undergoing testing can remediate vulnerabilities and bugs and improve their application implementation and governance processes. (See section: What are the outcomes of a penetration test?)
Penetration testing is a point-in-time activity: it evaluates the security of an asset at an exact moment. Unlike the continuous security testing activities discussed later in this article, it is not designed to be dynamic.
Why do I need to do penetration testing?
Penetration testing is just one of many activities required within a robust, resilience-focused security strategy. At a high level, organisations need penetration testing because it highlights asset-based weaknesses present on an attack surface. Viewed in a practical business context, this can lead to many positive outcomes:
- Outcome: monitor, control, and minimise the likelihood, severity, and impact of a cyberattack against the organisation; maintain business continuity during an attack.
- Outcome: establish and/or maintain regulatory compliance to avoid penalties; develop customer trust and gain a competitive advantage as a compliance-led organisation.
- Outcome: achieve maximum return on investment (ROI) from digital transformation projects by verifying the safety and security of new technologies and the processes underpinning their implementation.
- Outcome: avoid or reduce reputational damage and the associated financial implications following a compromise.
- Outcome: achieve business growth by fulfilling partner security testing requirements.
Who carries out penetration tests?
Penetration tests are carried out by penetration testers (aka pentesters; pen testers; security testers). Pentesters normally work for security vendors and managed security services providers (MSSPs), but sometimes exist client-side in an internal team. They are offensive (rather than defensive) security specialists trained to tackle security from an attacker’s perspective.
A penetration tester’s job isn’t simply to test in isolation. Much of their work is communication and consultation. They will discuss the logic behind their thinking, advise based on previous experience, and call on specialists in their team when additional expertise is needed.
It’s important to understand the level of service your provider can offer through its pentesters, as this will inform the accuracy of the test, the thoroughness of the report you receive, and your experience throughout. Accreditation is one way to validate the calibre of a pentesting team. Further evidence can be gathered from examples of:
- Complex and bespoke engagements tailored to a client’s needs (case studies)
- Offensive research and tooling development
- Independent research, authoring, and public knowledge sharing
How are penetration tests carried out?
Penetration testing varies from company to company, but the typical flow of activities covers the following six steps:
1. Scoping and planning
A project scope and plan are used to model the test around the organisation’s requirements as per the outcomes it is trying to achieve. These are agreed between customer-side stakeholders and an experienced member (or members) of the penetration testing team, leading to a scope of work that will include:
- Penetration test goals and desired business outcomes
- Systems, applications, or infrastructure in scope (to be tested)
- Testing methodology
- Testing location (onsite/remotely)
- Project duration
- Confirmation of critical assets and sensitive files
- Confirmation of any exclusions
Once the scope of work is agreed upon, the provider will propose a statement of work. This sets all expectations for the test, including the cost.
A penetration tester will be allocated to the project and the work time scheduled by the provider’s delivery management team. Timescales, system access, channels/frequency of communication, and agreed safety measures will be submitted to the customer for approval. This approval provides the “authority to test” – the official consent from the customer and any required third parties for the provider to begin testing as agreed in the statement of work.
As an offensive security assessment, penetration testing broadly follows the cyber kill chain. As such, the tester will start by performing reconnaissance to analyse the asset(s) in scope. Reconnaissance involves network scanning and application mapping to build context and identify potential vulnerabilities within the asset(s). This stage is essential for the tester to accurately understand how the asset(s) are connected to the organisation’s wider infrastructure and what potential risk they pose in that context.
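Because the "authority to test" only covers what the statement of work lists, and reconnaissance routinely surfaces hosts the customer never mentioned, a useful control at this point is to check every discovered host against the agreed scope and exclusions before testing proceeds. The following Python is an added example, not code from the original article or from any provider: the scope entries, the exclusion list, the scan output format and the sample scan lines are all constructed for illustration.

```python
"""Scope check for a penetration test: compare hosts discovered during
reconnaissance against the agreed scope of work (in-scope ranges and
explicit exclusions) before any testing continues.

Added example, not part of the original article. The scope entries, the
exclusion list and the scan lines below are constructed sample data.
"""
import ipaddress
import re

# Constructed scope of work: in-scope networks/hosts and agreed exclusions.
IN_SCOPE = ["10.10.0.0/24", "app.example.test"]
# Constructed exclusions, e.g. production hosts the customer asked us not to touch.
EXCLUDED = ["10.10.0.250", "10.10.0.251"]

# Constructed reconnaissance output, one line per discovered host:port.
# The "host:port open service" format is hypothetical, not any real tool's output.
SCAN_LINES = """\
10.10.0.15:443 open https
10.10.0.15:22 open ssh
10.10.0.250:5432 open postgresql
10.10.1.7:80 open http
app.example.test:443 open https
"""

LINE_RE = re.compile(r"^(?P<host>[^:\s]+):(?P<port>\d+)\s+open\s+(?P<service>\S+)$")


def _as_network(entry):
    """Return an ip_network for CIDR/IP entries, or None for hostnames."""
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None


def host_matches(host, entry):
    """True if host (IP or hostname) falls under a scope entry (CIDR, IP or hostname)."""
    net = _as_network(entry)
    if net is None:
        # Hostname entry: compare case-insensitively.
        return host.lower() == entry.lower()
    try:
        return ipaddress.ip_address(host) in net
    except ValueError:
        # A hostname can never match a CIDR entry without resolution, which we avoid here.
        return False


def classify_host(host, in_scope=IN_SCOPE, excluded=EXCLUDED):
    """Classify a discovered host: an exclusion always wins over an in-scope match."""
    if any(host_matches(host, e) for e in excluded):
        return "excluded"
    if any(host_matches(host, e) for e in in_scope):
        return "in_scope"
    return "out_of_scope"


def parse_scan(text):
    """Parse constructed scan lines into (host, port, service) tuples, skipping malformed lines."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results.append((m["host"], int(m["port"]), m["service"]))
    return results


def scope_report(text, in_scope=IN_SCOPE, excluded=EXCLUDED):
    """Group discovered hosts by scope status so testing only proceeds on 'in_scope' hosts."""
    report = {"in_scope": set(), "excluded": set(), "out_of_scope": set()}
    for host, _port, _service in parse_scan(text):
        report[classify_host(host, in_scope, excluded)].add(host)
    return {k: sorted(v) for k, v in report.items()}


if __name__ == "__main__":
    for status, hosts in scope_report(SCAN_LINES).items():
        print(f"{status:13s} {', '.join(hosts) or '-'}")
```

Exclusions are checked before in-scope entries on purpose: an excluded host that also sits inside an in-scope range (as 10.10.0.250 does here) must be reported as excluded, not tested. Anything classified as out of scope is a prompt to go back to the customer and extend the statement of work, not a target.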
4. Manual testing
Following reconnaissance, the pentester will select the most suitable techniques and design an attack sequence to achieve the objectives outlined in the statement of work. This can involve any number of techniques to exploit individual vulnerabilities within the asset(s) and chain vulnerabilities together to demonstrate how one technique can be scaled. Unlike red teaming, where activity is delivered covertly, pentesters typically work overtly without a limit on the attempts they can make to compromise the asset(s).
The approaches used by a pentester during this stage are tied to attack methodology rather than limited to tactics, techniques, and procedures (TTPs) that have already been seen executed in the wild. This type of experimentation enables organisations to see how unfamiliar and novel techniques could be used against them in a real attack scenario, increasing the realism of the test.