The security operations experts at Arctic Wolf walk you through everything you need to know about penetration testing (“pen tests”) and the security benefits they can provide to your business in this three-part blog series. (See part one)
In our second blog post (this one!) we discuss how to plan your pen test, including the key question of who should do your pen test. So, without further ado, let’s jump in!
First, a pen test will never be performed by the team maintaining and defending the system being tested. In most cases, that means the pen test will be performed by third-party experts, who know how to attack systems and how they’ll attack your organization. That might make it sound like you don’t have a lot of planning to do, but there are several key responsibilities for pen test clients.
Scoping Your Pen Test
Your organization has countless IT systems that can impact security. It’s neither economical, nor practical, nor relevant for pen testers to attempt to compromise all of them.
For example: Do you care if the vending machines in your lobby can be hacked to swallow extra bills without dispensing candy? Well, maybe if it’s Snickers—but this is probably not a priority for the business-level pen test to investigate.
So, to perform a meaningful pen test, you’ll first want to define:
Systems in Scope
Scoping the systems for your pen test involves conducting an internal audit of your systems and data.
“Internal audit” sounds rather formal—and it can be—but really it just means documenting all your key systems and data, and then evaluating how important they are and how exposed they are to attackers. For a small IT shop, this may take only an afternoon at the whiteboard or on a spreadsheet. For this exercise, it’s wise to get as diverse a group of stakeholders in the room as possible—you may be surprised at what your colleagues recall about systems and data you didn’t even know existed.
Once your systems and resources are audited, identify which ones you want to include in the pen test. In general, you’ll want your pen test to focus on high-value, high-exposure resources and systems. You can also include some high-value, low-exposure systems in scope—just in case you’ve underestimated how exposed these systems are.
As for low-value systems, they’ll probably fall outside of the scope of the pen test (except as incidental attack vectors) because pen test results on low-value systems won’t drive a meaningful security strategy anyway.
If you don’t have a pen test provider yet, it’s smart to perform this exercise before or during outreach to vendors with whom you might work. Then you can use the results of the scoping exercise to evaluate testers, ensure they have the right experience for the areas of security you plan to explore, and set shared expectations and a statement of work. Once you’ve engaged a particular tester, you may review the audit before the test begins to set priorities—or you might opt for a “black box” pen test, where the actual testers have restricted visibility into which systems and data the defenders consider most valuable.
You’ll also want to consider which security controls you’ll target for evaluation, since that choice involves tradeoffs. For example, starting your pen test inside the perimeter by giving the tester some level of access (a relatively common practice) is more expedient, but it means your test will bypass evaluating the effectiveness of some key security controls.
Outcomes in Scope
It’s vital to understand and clearly define not just what systems, but what outcomes are in scope for your pen testers.
For example, if the pen test can compromise your customer database, can the testers exfiltrate the entire database to a cloud repository? Can they delete files in the database, forcing your team to recover from backup? Can they publish the data publicly, testing how your organization would respond to an actual breach of its fiduciary duty?
Or should they simply end the test and notify you without touching the data?
Obviously, some of those proposed outcomes are beyond the scope for most organizations. (Frankly, my blood pressure rose just writing about them.) But which outcomes are out of scope differs from client to client, and it’s absolutely vital to set clear, explicit expectations on outcomes in scope with the pen testers in advance of the actual test process.
On the one hand, don’t immediately rule out outcomes that would provide your team with more information. Having pen testers actually exfiltrate real data is scary, but it’s also a great opportunity to test and validate any data loss prevention tools or policies you have in place. Having pen testers disable live servers in production is really scary, but it’s the only way to know if your organization’s resilience plan is up to snuff.
On the other hand, don’t give in to overconfidence.
The worst mistake you can make in scoping outcomes is to say “you can do anything you like! Don’t worry, you’ll never compromise our systems.” The fact of the matter is that a dedicated, patient, sophisticated attacker will almost always succeed in eventually compromising any normal business system, and your pen test is no different.
This is another exercise where you’ll want to engage stakeholders across teams. Senior business, legal, and risk stakeholders are vital here. It’s easier to ask permission than forgiveness. You never want to explain a pen test outcome that unexpectedly disrupted actual operations to an uninformed C-suite.
This section may have been a little daunting. But it doesn’t need to be. Performing a thorough outcome scoping exercise will provide greater clarity about your business and its risks, and position you for a safe and meaningful pen test experience.
Results in Scope
You’ll also want to work with your prospective pen tester to understand the full outputs of the test. A pen test report isn’t just a light that flashes “green” or “red.” Instead, your tester should provide a detailed explanation of all the test’s outcomes, including every test maneuver (successful or unsuccessful), every vulnerability detected, any compromise executed, and so on. This review should include both the results and the context, allowing you to validate effective controls, understand ineffective ones, and share the results with your internal stakeholders.
Now that you’ve reviewed this thorough scoping exercise, you’re facing the next key question:
Who Should Perform Your Pen Test?
There’s no secret to shopping for a qualified penetration testing provider. As with any other cybersecurity offering, you should look for a provider with both organizational expertise and highly qualified, experienced practitioners. It’s always a plus if the organization comes well recommended by your industry peers, or if they offer special knowledge around the types of systems that you prioritize in your audit.
However, there is one key restriction when you shop for a pen test provider: Avoid conflicts of interest. That means two things. First, do not commission a pen test from the same entity that provides the security resources you wish to test—or, if you do, be extremely cautious.
While pen test practitioners are a generally reliable group of professionals, it’s never a good idea to receive a service and an evaluation of that service from the same organization. It creates too great a risk of misaligned incentives, too much reason for your pen testers to soft-pedal any security gaps they may detect, and too much temptation to ignore known weaknesses in their own product.
By the same token, you should be cautious about pen tests offered as part of a sales cycle by a security vendor. It’s another case of misaligned incentives. In such an instance, however, the pen tester/seller is looking to highlight vulnerabilities that their service can address—whether or not those vulnerabilities truly represent key risks to your organization.
So, where do you start? You can hire pen testers through, for example, an IT reseller you work with and trust, as long as the pen testing organization is independent from any security provider you’re using. And, if you have an existing security partnership—such as with an Arctic Wolf Concierge Security® Team—it’s a best practice to engage with them for at least some of the test scoping and planning. You’ll get more value out of a shared understanding of the test objectives.
This isn’t a referral blog, so we won’t be linking to any providers. However, you can reach out to your local Arctic Wolf team for assistance. Because of our channel-focused approach, our regional security experts often have good contacts with trusted local pen testing providers and may be able to refer you to an organization that meets your needs.
Ready to Engage?
Once you’ve scoped your exercise and selected your tester, it’s time to launch your test! Depending on how it is structured (a “red team” vs. “purple team” model), you may have relatively little work to do during the test period. Or you may engage with testers to tune and target their activities.
Once the test is over, it’ll be time to grapple with the outcome, which we’ll discuss in the upcoming final blog in this series.
And if you’d like to learn more about how Arctic Wolf security operations helps defenders like you protect your organization, whether during a pen test or from actual attackers in the real world, read how we help businesses in your industry.