What Is Penetration Testing
Penetration testing, also known as a pen test, is an authorized and simulated cyber attack performed on an IT system (or systems) to evaluate existing security controls. In a pen test, an organization’s IT team allows an expert group of ethical attackers to try to compromise the organization’s security. This authorization can include permission to:
- Access or escalate accounts or permissions through unauthorized means
- Install simulated malicious code
- Modify system configurations
- Demonstrate the ability to exfiltrate data or disrupt business operations
A pen test should never be performed by the team maintaining and defending the system being tested. In most cases, a pen test is performed by third-party experts who know how to attack systems.
Typically, a pen test will be a surprise to the security team. This ensures the test simulates real-world attack conditions, where the defenders will not have advance notice of attacker actions.
Penetration testing attempts to replicate the types of attacks that cybercriminals actually use. This means that a pen test goes much further than other assessments and exercises meant to identify risk.
What Are the Benefits of a Pen Test?
A pen test provides vital security benefits you simply cannot get any other way.
1. Testing and Verification Accuracy
A pen test is the most accurate method of fully verifying an organization’s security posture.
There are three levels of security validation exercises: tell me, show me, and prove it. No matter how innovative or best-in-class your security tools are, no matter how expert your team is, you simply cannot know how good your cybersecurity defense is until you allow experienced attackers to test it.
2. Insight into Attackers
As IT professionals and security operations experts, you look at the world through the eyes of a defender. That’s a powerful lens to view cybersecurity, but it’s only half the picture.
Planning a pen test, both internally and in a scoping exercise with your pen testers, gives you access to the attacker’s perspective, which helps you increase understanding of your security and its potential weaknesses, informing all your security efforts to come.
3. Discovery of Exposure Areas
Every system is vulnerable. For a system to be effective for users, it must be exposed — and that exposure invites attack. But it’s difficult to prioritize protection, as there’s always another vulnerability waiting to be exploited, and every layer of defense you add impacts your budget, time, and system usability. Because a pen test demonstrates how an attacker could actually compromise a business system, it can help you set a realistic and effective defense agenda.
4. Validate Security and Strategy
The value of cybersecurity can be hard to demonstrate to non-practitioners.
But, because a pen test relies on actual attacks, the results — whatever they may be — can be demonstrated and explained to senior stakeholders regardless of their cybersecurity expertise.
A pen test “success” — where the defenders hold off the attackers — demonstrates the value of existing security attention and investment. And a pen test “failure” — where testers prove they can compromise key systems — clearly shows the dangerous outcomes the organization could face without investments to harden its security posture.
What Are the Phases of Penetration Testing?
A pen test includes seven key phases:
- Reconnaissance or intelligence gathering
- Scanning and discovery
- Vulnerability assessment
- Gaining access
- Exploitation and maintaining access
- Post-exploitation
- Reporting and risk analysis
Pen Test Results
The results of your penetration test should include both areas of success and defined areas for improvement, along with a detailed account of the methods the pen tester used to compromise your systems. Now it’s your turn to leverage this gold mine of security intelligence. Gather your stakeholders to review the test’s outcome. As always, you’ll want to cast a wide net — effective cybersecurity is a cross-functional exercise focused on business risk, not just IT threats alone.
An important stakeholder to include in this work is your IT team, including any security partners. When the pen testers can collaborate with your security team on a testing exercise and on a review of the resulting reports, they typically produce a more effective total understanding of your security.
What To Do After a Pen Test
Whether you pass or fail a pen test, it’s important to look at the results and find a way to improve your organization’s security architecture.
Review the Report
The first step is to review your tester’s after-action report. You’re looking to understand a few things:
1. What areas of security resisted your pen tester?
A tester will typically evaluate or attempt multiple methods of compromise, and report on the effort expended on these secure areas. Like physical safes, which are rated by how long they can resist an expert safecracker, understanding the depth of your cybersecurity will help you continue to improve it.
Reviewing these attempts and the defenses that worked will help you validate some of your security controls, strike the correct ongoing balance between security and usability, and concentrate attention on key areas of exposure.
2. What was the kill chain?
Review how the pen tester achieved their exploit against your business systems. How did they perform reconnaissance to discover your vulnerabilities? What attack tools did they select and why? How did they access your systems and execute the attack, while evading your defenses and detection? Use the MITRE ATT&CK Framework to map out exactly how the compromise occurred.
At every stage, identify how your organization could have broken the kill chain and thwarted the attack. Be creative — the most effective defense isn’t always the most obvious. Detection and response capabilities are often a less-disruptive defense than additional levels of protection which may be cumbersome and impede usability.
For example, if the pen tester used social research to identify the CFO’s name and spoof their email in a spear phishing malware attack, don’t just consider email security tools. Think about clearly identifying internal versus external emails, changing policies so that internal email addresses are harder to guess, and hardening procedures around file sharing and verifying attachments.
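One of the procedural controls suggested above, marking mail that did not originate from an internal domain and flagging when such mail carries an executive’s display name, as an added illustration (not code from the original article or from Arctic Wolf). The internal domain, the protected name, and both sample messages are constructed assumptions for the example.

```python
import email
from email.utils import parseaddr

# Assumptions (constructed for this example): the organization's own mail
# domains and the display names of executives likely to be impersonated.
INTERNAL_DOMAINS = {"example.com"}
PROTECTED_NAMES = {"jane doe"}  # e.g. the CFO in the article's spear-phishing scenario


def classify_sender(raw_message: str) -> dict:
    """Tag a message as internal or external and flag executive impersonation.

    origin is "internal" only when the From: address domain is one of ours.
    impersonation is True when an external message uses a protected display
    name, which is the display-name spoofing pattern behind CFO phishing.
    """
    msg = email.message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    origin = "internal" if domain in INTERNAL_DOMAINS else "external"
    impersonation = (origin == "external"
                     and display_name.strip().lower() in PROTECTED_NAMES)
    return {"origin": origin, "impersonation": impersonation, "address": address}


def tag_subject(raw_message: str) -> str:
    """Prefix the Subject so recipients can tell external mail at a glance."""
    verdict = classify_sender(raw_message)
    subject = email.message_from_string(raw_message).get("Subject", "")
    if verdict["origin"] != "external":
        return subject
    if verdict["impersonation"]:
        return f"[EXTERNAL - POSSIBLE EXEC IMPERSONATION] {subject}"
    return f"[EXTERNAL] {subject}"


# Constructed sample messages, not captured traffic.
LEGIT = ("From: Jane Doe <jane.doe@example.com>\r\n"
         "Subject: Q3 numbers\r\n\r\nSee attached.\r\n")
SPOOF = ("From: Jane Doe <jane.doe@example.net>\r\n"
         "Subject: Urgent wire\r\n\r\nPlease send today.\r\n")

if __name__ == "__main__":
    for sample in (LEGIT, SPOOF):
        print(classify_sender(sample), "->", tag_subject(sample))
```

The same check belongs at the mail gateway (as a transport rule or banner policy) so the marker is applied before the message reaches a user.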
At every stage of the kill chain, you should be able to identify several areas of security improvement, from the technical to the procedural to the behavioral.
3. Make Strategic Investments
Once you’ve laid out areas for possible improvement, evaluate which ones you want to adopt first. Remember, a single improvement in a single stage will break the kill chain for this pen test, but attackers always work to reroute around defenses. Prioritize the improvements that will add the most robust defense against a range of attacks.
Such improvements can span from tactical countermeasures — such as changes to configurations, permissions, rules, and procedures in existing systems — to strategic enhancements like new security investments, re-architecture activities, GPO changes, and more.
Make sure that your investment in time and resources is strategic. Don’t just add a single malware signature to your endpoint tools, go farther and think about how you can use threat intelligence to keep detection continuously updated.
4. Assign Responsibility
Once you know what security improvements you plan to make, assign the responsibility to implement them. For most items, primary responsibility will belong to IT, but expect that approximately 20% of all changes may involve other functional groups. When assigning the responsibility for these improvements, be realistic about what each team will require to get them done. Will you push out other items of the plan? Allocate additional budget or head count? Reduce responsibility sprawl?
5. Implement Change
A pen test is a real opportunity to force meaningful change — don’t squander it with an after-action exercise where everyone simply promises to really, truly do the stuff that they had already promised to do in the past, but never did.
Some of the improvements you identify will require executing existing plans or capabilities, like installing already-purchased security tools that have become shelfware or assigning clear escalation responsibilities for alerts. And some improvements you identify may require additional support from new or existing partners or vendors.
You can work with your existing security providers to understand which capabilities are in scope for them. You should also explore other options, including potential security partners better positioned to enhance your capabilities and replace partnerships that didn’t meet the security challenges set by the pen test.
Better understand the kinds of threats your organization could be facing with the Arctic Wolf Labs 2023 Threats Report.
Learn how a provider like Arctic Wolf can transform your organization’s defenses with our incident response timeline.