Penetration tests, also known as pen tests, offer significant security benefits to your business. But, before we dive into what they do, let’s take a moment to understand what they are.
What Is a Pen Test?
A penetration test is an authorised and simulated cyber attack performed on an IT system (or systems) to evaluate existing security controls. In a pen test, an organisation’s IT team allows an expert group of ethical attackers to try and compromise the organisation’s security. This authorisation can include permission to:
-
Access or escalate accounts or permissions through unauthorised means
-
Install simulated malicious code
-
Modify system configurations
-
Demonstrate the ability to exfiltrate data or disrupt business operations
A pen test should never be performed by the team maintaining and defending the system being tested. In most cases, a pen test is performed by third-party experts who know how to attack systems like yours.
Typically, a pen test will be a surprise to the security team. This ensures the test simulates real-world attack conditions, where the defenders will not have advance notice of attacker actions. This ensures the test simulates real-world attack conditions, where the defenders will not have advance notice of attacker actions.
What is the Goal of a Pen Test?
A pen test attempts to replicate the types of attacks that cyber criminals actually use. This means that a pen test goes much further than other assessments and exercises meant to identify risk.
How Is a Pen Test Different from Other Assessments and Exercises?
Pen Test vs. Vulnerability Assessment
In a vulnerability assessment, security experts evaluate an organisation’s IT systems for known vulnerabilities, which might include insecure policies, unpatched software vulnerabilities, misconfigurations, and more. A vulnerability assessment is a valuable tool for IT, identifying areas of concern for remediation, but it’s entirely theoretical. It does not include an actual attempt to exploit these vulnerabilities and does not consider the security context.
A pen test, however, closes the loop and not only verifies that the vulnerabilities exist, but also demonstrates how they can be exploited by a real attacker—as well as how such an attack could be blocked, detected, and responded to appropriately.
Pen Test vs. Tabletop Exercises
In a tabletop exercise, stakeholders—either from internal IT or across the entire organisation—review and role-play the organisation’s response to a hypothetical attack scenario. Tabletop exercises are extremely valuable in setting shared understandings and expectations, especially across functional roles, but they deal with a hypothetical scenario. That means that tabletop exercises do not demonstrate an attacker’s actual capabilities and do not impact actual business operations.
A pen test can accomplish both.
Pen Test vs. Red Team Exercises
Red team exercises are closely related to penetration testing. But here’s the distinction: a pen test broadly tests security infrastructure and its configuration across the organisation, while a red team exercise tests the capabilities of IT team’s usage of the fully implemented and configured security stack.
What Are the Benefits of a Pen Test?
Maybe the idea of a simulated cyber attack on your IT systems sounds horrifying. After all, you face enough threats every day without going out and hiring attackers of your own, right? Plus, pen tests are high-effort exercises that may end up impacting actual business operations. So, why have a pen test at all?
Because a pen test provides vital security benefits you simply cannot get any other way.
Testing and Verification Accuracy
A pen test is the most accurate method of fully verifying an organisation’s security posture.
There are three levels of security validation exercises: tell me, show me, and prove it.
Vulnerability assessments focus on tell me—the security team’s understanding of their own capabilities and processes. Tabletop exercises reach the level of show me—an actual demonstration of the capabilities in play. But to prove it, a pen test is required.
No matter how innovative or best-in-class your security tools, no matter how expert your security operations team, no matter how resilient your security architecture, no matter how rarely actual security incidents occur in your systems—you simply cannot know how good your cybersecurity defense is until you allow experienced attackers to test it.
And when it comes to an area of business risk as serious as cybersecurity, not knowing won’t cut it.
Insight Into Attackers
As IT professionals and security operations experts, you look at the world through the eyes of a defender. That’s a powerful lens to view cybersecurity, but it’s only half the picture.
Planning a pen test, both internally and in a scoping exercise with your pen testers, gives you access to the attacker’s perspective, which helps you increase understanding of your security and its potential weaknesses, informing all your security efforts to come.
Discovery of Exposure Areas
It’s unavoidable: every system is vulnerable. For a system to be effective for users, it must be exposed—and that exposure invites attack. But it’s difficult to prioritise protection, as there’s always another vulnerability waiting to be exploited, and every layer of defense you add impacts your budget, time, and system usability.
Because a pen test demonstrates how an attacker could actually compromise a business system, it can help you set a realistic and effective defense agenda.
Validate Security and Strategy
The value of cybersecurity can be hard to demonstrate to non-practitioners. After all, when security works, nothing happens. That makes it a challenge to allocate proper resources and attention to ongoing security needs. But, because a pen test relies on actual attacks, the results—whatever they may be—can be demonstrated and explained to senior stakeholders regardless of their cybersecurity expertise.
A pen test “success”—where the defenders hold off the attackers—demonstrates the value of existing security attention and investment. And a pen test “failure”—where testers prove they can compromise key systems—clearly shows the dangerous outcomes the organisation could face without investments to harden its security posture.
Scoping Your Pen Test
Your organisation has countless IT systems that can impact security. It’s not economical, practical, or relevant for pen testers to attempt to compromise all of them. So, to perform a meaningful pen test, you’ll first want to define the scope.
Scoping Systems
Scoping the systems for your pen test begins with conducting an internal audit of your systems and data. While that sounds rather formal, it really just means documenting all your key systems and data, and then evaluating how important they are and how exposed they are to attackers.
For a small IT shop, this may take only an afternoon at the whiteboard or on a spreadsheet. For this exercise, it’s wise to get as diverse a group of stakeholders in the room as possible—you may be surprised at what your colleagues recall that you don’t even know about.
If you don’t have a pen test provider yet, it’s smart to perform this exercise before or during outreach to vendors with whom you might work. That way you can use the results of the systems scope to evaluate testers, ensure they have the right experience for the areas of security you plan to explore, and set shared expectations and a statement of work.
Once you’ve engaged a particular tester, you may wish to review the systems audit before the test begins to set priorities—or you might opt for a “black box” pen test, where the actual testers have restricted visibility into which systems and data the defenders consider most valuable.
Once your systems and resources are audited, identify which ones you want to include in the pen test. In general, you’ll want your pen test to focus on high-value, high-exposure resources and systems. You should, however, also include some high-value, low-exposure systems as well—just in case you’ve underestimated how exposed those systems are.
As for low-value systems, they’ll probably fall outside of the scope of the pen test (except as incidental attack vectors) because pen test results on low-value systems won’t drive a meaningful security strategy.
You’ll also want to consider which security controls you’ll target for evaluation, as it involves tradeoffs. For example, starting your pen test inside the perimeter by giving the tester some level of access (a relatively common practice) is more expedient, but means your test will bypass evaluating the effectiveness of some key security controls.
Scoping Outcomes
It’s vital to understand and clearly define what outcomes are in scope for your pen testers. For example, if the pen test is to try and compromise your customer database, what should the attackers do if successful? Can the testers exfiltrate the entire database to a cloud repository? Can they delete files in the database, forcing your team to recover from backup? Can they publish the data publicly, testing how your organisation would respond to an actual breach of its fiduciary duty? Or should they simply end the test and notify you without touching the data?
Which outcomes are out of scope differs from client to client, and it’s vital to set clear, explicit expectations on outcomes with the pen testers in advance of the actual process.
For instance, don’t immediately rule out outcomes that would provide your team with more information. Having pen testers exfiltrate actual data is scary (my blood pressure is rising just typing it), but it’s also a great opportunity to test and validate any data loss prevention tools or policies you have in place. Having pen testers disable live servers in production is also really scary, but it’s the only way to know if your organisation’s resilience plan is up to snuff.
But don’t give in to overconfidence. The worst mistake you can make in scoping outcomes is to say “You can do anything you like! We’re not worried because you’ll never compromise our systems.” The truth is, a dedicated, patient, sophisticated attacker will almost always succeed in eventually compromising any normal business system, and your pen test will be no different.
This is another place where you’ll want to engage stakeholders across teams. Senior business, legal, and risk stakeholders are vital here. It’s easier to ask permission than forgiveness. You never want to explain a pen test outcome that unexpectedly disrupted actual operations to an uninformed C-suite.
Performing a thorough outcome scoping exercise will provide greater clarity about your business and its risks, and position you for a safe and meaningful pen test experience.
Scoping Results
You’ll also want to work with your prospective pen tester to understand the full outputs of the test. A pen test report isn’t just a light that flashes “green” or “red.” Instead, your tester should provide a detailed explanation of all the test’s outcomes, including every test maneuver (successful or unsuccessful), every vulnerability detected, any compromise executed, and so on. This review should include both the results and the context, allowing you to validate effective controls, understand ineffective ones, and share the results with your internal stakeholders.
Who Should Perform Your Pen Test?
There’s no secret to shopping for a qualified penetration testing provider. As with any other cybersecurity offering, you should look for a provider with both organisational expertise and highly qualified, experienced practitioners. It’s always a plus if the organisation comes well recommended by your industry peers, or if they offer special knowledge around the types of systems that you prioritise in your audit.
However, there is one key when shopping for a pen test provider; do not commission a pen test from the same entity that provides the security resources you wish to test—or, if you do, be extremely cautious.
While pen test practitioners are generally a reliable group of professionals, it’s never a good idea to receive a service and an evaluation of that service from the same organisation. It creates too great a risk of misaligned incentives, too much reason for your pen testers to soft-pedal any security gaps they may detect, and too much temptation to ignore known weaknesses in their own product.
You should also be cautious about pen tests offered as part of a sales cycle by a security vendor, as it’s another case of misaligned incentives. In such an instance, the pen tester/seller is looking to highlight vulnerabilities that their service can address—whether those vulnerabilities truly represent key risks to your organisation or not.
So, who should you hire? You can hire pen testers through an IT reseller you work with and trust, provided the pen testing organisation is independent from any security provider you’re using. And, if you have an existing security partnership—such as with an Arctic Wolf Concierge Security® Team—it’s a best practice to engage with them for at least some of the test scoping and planning. You’ll get more value out of a shared understanding of the test objectives.
Because of our channel-focused approach, Arctic Wolf’s security experts often have good contacts with trusted local pen testing providers and may be able to refer you to an organisation that meets your needs.
Getting the Most Out of Your Pen Test
The results of your penetration test should include both areas of success and defined areas for improvement, along with a detailed account of the methods the pen tester exploited to compromise your systems. Now it’s your turn to leverage this gold mine of security intelligence. Gather your stakeholders to review the test’s outcome. As always, you’ll want to cast a wide net—effective cybersecurity is a cross-functional exercise focused on business risk, not just IT threats alone.
An important stakeholder to include in this work is your IT Team, including any security partners (such as Arctic Wolf). When the pen testers can collaborate with your security team on a testing exercise and on a review of the resulting reports, they typically produce a more effective total understanding of your security.
That understanding begins with the most high-level information, the insight that gives the clearest identifier of the strength of your system: Did you pass or fail the pen test?
You Passed!
Congratulations! This is a testament to all the hard work you’ve done to establish a meaningful security practice for your organisation. Take a moment to enjoy your success.
But in the immortal words of Han Solo, “Great, kid! Don’t get cocky.” A successful pen test is not the culmination of a security journey, but rather another milestone along the way. A successful pen test is no guarantee that you can defeat tomorrow’s attackers—who will come armed with new tricks, new tools, new zero-day vulnerabilities, and simply another chance.
Use this opportunity to evaluate the systems and techniques out of scope of the pen test and determine if you would have protected yourself as effectively there. Take time to consider upcoming changes in your organisation that will leave you exposed in areas where you were protected today. Do you have a cloud migration coming up that will expose high-value data out from under your validated on-premises security? Will you be adding new locations or systems, and are they up to your security standard?
And finally, ask yourself: How can I continue to improve my defense in-depth? Can I add another layer or enhancement to my detection and risk management capabilities? Are my employees properly trained to protect the organisation?
By asking these questions, you’ll give yourself the best possible opportunity to pass the next pen test—and continue to keep your business secure.
You “Failed”…
Maybe you found out in the form of a late-night incident, where your existing detection tools alerted on a pen tester’s activities—but only after a compromise already occurred. Maybe the pen testers caused an outage you had to resolve. Maybe you learned from the pen tester’s after-action report, where you discovered that your systems had been compromised without your knowledge. At any rate, you failed the pen test.
This outcome is disappointing and frustrating. It can be embarrassing to report a pen test failure; it can feel like all the hard work and focus you applied to cybersecurity has been wasted. You’ll feel like you failed. Such reactions are reasonable and understandable.
But it’s important to remember: a pen test that exposes vulnerabilities isn’t a “failure”—it is exactly the outcome you needed. A skilled pen tester will almost always find some vulnerability to exploit and highlight—you should be getting something for your pen test investment, after all! When your pen tester compromises your systems, they have accomplished their mission. And they’ve provided you with a rare opportunity to identify and close real gaps in your security so that you can defend your organisation and your data better.
Review the Report
The first step is to review your tester’s after-action report. You’re looking to understand two things:
1. What areas of security resisted your pen tester?
A tester will typically evaluate or attempt multiple methods of compromise, and report on the effort expended on these secure areas. Like physical safes, which are rated by how long a time they can resist an expert safecracker, understanding the depth of your cybersecurity will help you continue to improve it. Reviewing these attempts and the defenses that worked will help you validate some of your security controls, strike the correct ongoing balance between security and usability, and concentrate attention on key areas of exposure.
2. What was the kill chain?
Review how the pen tester achieved their exploit against your business systems. How did they perform reconnaissance to discover your vulnerabilities? What attack tools did they select and why? How did they access your systems and execute the attack, while evading your defenses and detection? Use the MITRE ATT&CK Framework to map out exactly how the compromise occurred.
At every stage, identify how your organisation could have broken the kill chain and thwarted the attack. Be creative—the most effective defense isn’t always the most obvious. Detection and response capabilities are often a less-disruptive defense than additional levels of protection which may be cumbersome and impede usability.
For example, if the pen tester used social research to identify the CFO’s name and spoof their email in a spear-phishing malware attack, don’t just consider email security tools. Think about clearly identifying internal versus external emails; changing policies so that internal email addresses are harder to guess, and hardening procedures around file sharing and verifying attachments.
At every stage of the kill chain, you should be able to identify several areas of security improvement, from the technical to the procedural to the behavioral.
Make Strategic Investments
Once you’ve laid out areas for possible improvement, evaluate which ones you want to adopt first. Remember, a single improvement in a single stage will break the kill chain for this particular pen test, but attackers always work to reroute around defenses. Prioritise the improvements that will add the most robust defense against a range of attacks.
Such improvements can span from tactical countermeasures—such as changes to configurations, permissions, rules, and procedures in existing systems—to strategic enhancements like new security investments, re-architecture activities, GPO changes, and more.
Make sure that your investment in time and resources is strategic. Don’t just add a single malware signature to your endpoint tools, go farther and think about how you can use threat intelligence to keep detection continuously updated. Don’t just change the alerting priority around executive email accounts, go farther and think about how your business can clear all security alerts in a timely manner. Don’t just lock down your Remote Desktop Protocol permissions, go farther and consider whether your organisation detects misconfigurations and vulnerabilities across systems on an ongoing basis.
Assign Responsibility
Once you know what security improvements you plan to make, assign the responsibility to implement them. For most items, primary responsibility will belong to IT, but expect that approximately 20% of all changes may involve other functional groups. When assigning the responsibility for these improvements, be realistic about what each team will require to get them done. Will you push out other items of the plan? Allocate additional budget or headcount? Reduce responsibility sprawl?
Implement Change
A pen test is a real opportunity to force meaningful change—don’t squander it with an after-action exercise where everyone simply promises to really, truly do the stuff that they had already promised to do in the past, but never did.
Some of the improvements you identify will require executing existing plans or capabilities, like installing already-purchased security tools that have become shelfware, or assigning clear escalation responsibilities for alerts. And some improvements you identify may require additional support from new or existing partners or vendors.
In this latter category, capabilities to implement may include:
-
Single-pane-of-glass visibility across your various systems at risk, including network, endpoint, cloud, and security tooling
-
24×7 security monitoring, with near-real-time detection, escalation, triage, and response
-
Risk and vulnerability management, including guidance on which patches and fixes to prioritise
-
A Security Awareness program that enables employees to recognise and neutralise social engineering attacks and human error.
-
Security operations, where a vendor’s offering provides access to dedicated security experts who understand your business’s needs and respond to incidents or pen tests in progress
-
Security journey support, where you build a relationship with security partners that facilitates ongoing hardening and posture improvement as you extend beyond the insights driven by an individual pen test
You can work with your existing security providers to understand which capabilities are in scope for them. You should also explore other options, including potential security partners better positioned to enhance your capabilities and replace partnerships that didn’t meet the security challenges set by the pen test.
Failure Is Not the End
Take the gaps exposed by your pen test failure seriously. Engage in a meaningful after-action evaluation, and vigorously implement the new capabilities your organisation requires. Once you do so, you may find the failed pen test was the best thing to happen for your company’s security.
In Conclusion
A pen test can be a vital and even revolutionary security investment. But your work doesn’t stop when the test does. Maturing your security posture over time takes hard work. And it’s always easier with a partner.
If you’d like to learn more about how Arctic Wolf security operations helps defenders like you protect your organisation, whether during a pen test or from actual attackers in the real world, request a demo today.
