7 Qualities of Highly Effective Penetration Tests
Many factors mark a sophisticated, high-value, and effective penetration test. A penetration test must effectively demonstrate the worst-case scenario, in terms of business impact, that can result from a security breach. It goes far beyond automated vulnerability scanning. By studying a penetration test report, technical managers as well as executive ones must be able to assess the security posture of their organization and to decide where and how to spend their money securing their information. In this post, I will present seven qualities which I believe are essential to what we might call an effective penetration test.
1. Multi-Talented and Diverse Team
Even though we tend to look at penetration testing from a purely technical perspective, such testing won’t be complete if it does not include testing the physical and human aspects of the target. Sensitive information may be immune to theft by a hacker, but not to theft by someone breaking in through a weak window. Or the sensitive information could be divulged by a secretary over the phone to someone claiming to be a business partner of the manager. For this reason, a penetration test team must include a person specialized in social engineering and physical break-ins.
2. Well-Defined Success Criteria
Success criteria are conditions under which the target is said to be “hackable.” They must be defined and stated before the actual penetration testing engagement. Ill-defined success criteria may cause a lot of misunderstanding at the end of a penetration test, since both the testers and the target owners are left to their own interpretation of the findings. Success criteria have to be clear, exact, specific, and provable: they must state which types of actions are considered true “hacking” and would impact the business operation of the target.
3. Comprehensive Intelligence Gathering
Before a penetration tester jumps into firing up his or her favorite port scanner or vulnerability analyzer, they must perform thorough reconnaissance and footprinting of the target organization. A competent penetration tester must not dismiss any information they find as trivial. Every piece of information gathered at this phase counts: names, phone numbers, physical addresses, public documents, news, and so on are all going to serve a need at some later point during the test. Well-executed intelligence gathering means better scanning and assessment results, more attack vectors, more sophisticated social engineering attacks, and so on.
4. Manual Assessment of Each Vulnerability
In order to deliver a highly effective penetration test, the tester must not rely on the findings and assessment of any automated vulnerability scanner. There are several reasons why this is crucial. First, an automated scanner may generate false positives, that is, it might report findings that do not actually exist. Second, the scanner's assessment, or risk rating, might not reflect the actual risk for the particular target organization. Third, automated scanners do not classify the scanned assets based on their worth to the business. For these reasons, a skilled tester must check and assess each reported finding manually, verify its exploitability, rate the associated risk, and demonstrate any business impact.
5. Asset Classification and Threat Modeling
In warfare, an army cannot start attacking its enemy blindly without a well-built strategy. An attack strategy must prioritize the target assets in terms of their worth, and also prioritize attacks in terms of their impact. Similarly, during a network penetration test, one would start with the most valuable assets and the most impactful types of attack, then move progressively to assets of lesser and lesser importance. Only at the end, after having exhausted all the higher-impact attacks, would one perform the attacks that might have the least impact.
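To make points 4 and 5 concrete, here is an added example (not from the original post) that re-ranks scanner output after manual verification and asset classification. The asset classes, multipliers, field names and sample findings are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed multipliers for illustration; real values come from classifying
# assets with the business owner before testing starts.
ASSET_WORTH = {"crown-jewel": 3.0, "business": 2.0, "low": 1.0}

@dataclass
class Finding:
    host: str
    title: str
    scanner_score: float                  # 0-10 rating reported by the scanner
    asset_class: str                      # key into ASSET_WORTH
    verified: Optional[bool] = None       # True confirmed, False false positive, None unchecked
    tester_score: Optional[float] = None  # 0-10 rating assigned after manual review

def triage(findings):
    """Split findings by verification state and rank the confirmed ones."""
    report, pending, false_positives = [], [], []
    for f in findings:
        if f.verified is None:
            pending.append(f)             # not yet checked by hand: cannot be reported
        elif not f.verified:
            false_positives.append(f)     # scanner claim disproved by the tester
        else:
            # Prefer the tester's own rating; fall back to the scanner's.
            base = f.tester_score if f.tester_score is not None else f.scanner_score
            report.append((f, base * ASSET_WORTH[f.asset_class]))
    report.sort(key=lambda pair: pair[1], reverse=True)
    return {"report": report, "pending": pending, "false_positives": false_positives}

# Constructed sample input, listed in the scanner's own order (highest score first).
SAMPLE = [
    Finding("hr-kiosk", "Outdated TLS library", 9.8, "low", True, 4.0),
    Finding("intranet-wiki", "SQL injection signature match", 9.0, "business", False),
    Finding("mail-gw", "Possible open relay", 6.5, "business"),
    Finding("db-payments", "Weak credential policy", 5.3, "crown-jewel", True, 8.0),
    Finding("file-srv", "SMB signing disabled", 5.0, "business", True, 6.0),
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for f, risk in result["report"]:
        print(f"{risk:5.1f}  {f.host:12}  {f.title}")
    print("needs manual check:", [f.host for f in result["pending"]])
    print("false positives:  ", [f.host for f in result["false_positives"]])
```

The scanner's top-rated item drops to last place among the confirmed findings, while the payment database issue it rated fourth comes out first.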
6. Extreme Post-Exploitation Pivoting
A sign of a well-performed penetration test is the set of techniques and mechanisms employed after successfully exploiting a system, that is, in the post-exploitation phase. For a competent penetration tester, gaining access (a shell) to a system is not the end but rather the beginning. There are a lot of steps and actions to be executed after the initial compromise. One such important action is using the compromised system as an entry point to dive deeper into otherwise unreachable networks and systems, but always within the initially agreed-upon scope. This is the art of pivoting. Other systems, which might be behind a firewall or in a DMZ, can be exploited and chained to the initially exploited system. In other words, exploitation of the secondary systems is tunneled through the first exploited system. These secondary systems can in turn become pivots for exploiting a third layer of systems, and so on.
7. Multi-Layered Recommendation
One of the mistakes that many penetration testers make when they submit the final report is to include a single recommendation for each vulnerability, generally extracted from an automated vulnerability scanner. However, a highly effective penetration test must end with a well-written report that actually informs the target organization’s IT team how to take their entire IT architecture and design to a higher and more secure level. It is important to include those single recommendations, but it is more important still to offer advice on how to enhance the overall network architecture, how to integrate the latest solutions, and even how to change the way IT people perceive information security.
1 Comment
I spent a lot of time to find something like this