Demystifying penetration testing
Most people who keep relatively up to date on security lingo easily understand the concepts of the basics, such as "compliance," "edge security," and "incident response." But when you bring penetration testing into the conversation, you lose half your audience. A much smaller percentage of the population knows what it is, and even fewer understand how it is done or the significant value it adds to the security tool chest.
While some enterprises may contract a third party to conduct penetration testing because it is required for a variety of reasons (part of an industry framework such as PCI-DSS or FedRAMP, or a prospective customer demands it), many don’t understand the techniques involved or are surprised by the depth of the activity. The client may not actively engage in the "scoping" calls that review and set parameters around what will be done, and is then surprised by the more rigorous techniques involved, especially if those techniques unexpectedly bring down client systems temporarily. The testers themselves, shrouded in misperceptions, may evoke images of hoodie-clad figures barely skimming the line between criminality and service. Recent news of penetration testers being whisked off to jail during a client assignment in Iowa hasn’t helped. It’s time to set the record straight.
Penetration Testing vs. Vulnerability Scanning vs. Red Teaming
Penetration testing is a type of security testing that uses the techniques, tools, and procedures that real threat actors would use if they decided to attack your business. In other words, a real, skilled human looks to exploit any level of vulnerability in your defensive armor to gain an initial foothold in your network and then leverages that foothold to find another, and then another, like stepping stones across a pond, moving laterally to gain higher-privileged credentials and more control until they can compromise your data assets. Having done so, they can tell you where your vulnerabilities lie so you can fix them before an actual threat actor takes those same steps for malicious reasons. Penetration testing can include probing internal networks, external networks, applications, or any combination thereof, as requested by the client or demanded by the framework. Penetration testing goes far beyond vulnerability scans, which are automated tools that scan ports, networks, and applications for known vulnerabilities. Penetration testers may use vulnerability scans as one tool, but their work is far more in-depth and comprehensive: it doesn’t just highlight technical vulnerabilities. Testers follow the logical process a threat actor would use to break into your systems, finding deeper vulnerabilities and points of failure that an automated scan may well miss.
Red team testing is similar to penetration testing but goes a step further as the next level of security testing. It can include social engineering techniques and physical security testing, such as trying to convince employees to give the tester access to the building and to network resources; breaking into the building itself to test physical security; pretext calling (calling employees with a fabricated story to get them to provide information); phishing (sending malicious emails); vishing (sending malicious voicemails), etc., to test security defenses more holistically. Many organizations also run phishing testing programs in an effort to keep their users security-aware throughout the year. Though these programs are good at keeping users aware, they are far from what may be included in a more targeted red team phishing attack.
Why Conduct Penetration Testing? Beyond Tools and Processes
Penetration testing is conducted for one purpose -- to safeguard the business -- by employing security professionals who intend to assist the client by discovering and fixing vulnerabilities. These testers are extremely helpful security professionals who are ready not just to diagnose security issues, but to walk the client through their findings with knowledgeable recommendations on how to remedy their security gaps.
In short, penetration testers are the good guys (known as "white hats" in the industry) hired to ensure that, despite your investments in security tools, processes, and staffing, you know where your remaining security gaps lie. Testers must follow ethical standards -- ISACA, for example, publishes a Principles for Security Practitioners guidelines document for those involved in security services. Proactive testing is an essential activity because security investments will never fix every gap; threat actors will find a way through these defenses, and in-depth testing is the best way to accurately replicate a threat actor’s probable attack chain and find those gaps first.
Don’t Be Surprised: Engage in Scoping and Document Review
As a client, it is essential to know what you are contracting for, to avoid surprises that may come up during testing. You should be clear on the differences among vulnerability scanning, penetration testing, and red teaming, and actively participate in contract review and scoping calls. When contracting with a firm for technical testing, be clear on what you are asking the firm to do and obtain a complete understanding of whether you are conducting a penetration test or a red team engagement (e.g., will there be physical security testing? Social engineering? If so, which methods will be used, and which are not allowed?); which parts of the network will be tested or omitted; who has ultimate authority to approve the testing, etc. All details that could potentially lead to confusion or dispute should be fully spelled out in advance. Some technical testing methodologies may remain vague -- if the testers tell you exactly how they intend to test from a technical viewpoint, it may interfere with accurate results. But scoping the boundaries of the types of activities themselves can help avoid disputes and confusion. The outcome of this process should be a well-refined document called the "Rules of Engagement," which protects both the penetration testers and your organization throughout the engagement.
Penetration Testing Is Needed Now More Than Ever
In our business, we are called upon to investigate a wide range of security incidents after the fact -- many of the root causes we see could have been remedied with more proactive testing that would have exposed such things as outdated systems or services exposed to the internet that shouldn’t have been. Verizon’s yearly Data Breach Investigations Report (DBIR) suggests that 52 percent of breaches featured hacking, 28 percent involved malware, 21 percent involved error, 15 percent were misuse by authorized users, and 33 percent included social attacks such as phishing. This data roughly aligns with our findings -- in our penetration tests we typically find that the most common exploitable vulnerabilities fall into the "best practice" area of security but can be missed by security tools and remote vulnerability scanning, such as missing patches, improperly implemented security controls, or a lack of security training.
Today, security tools are getting increasingly sophisticated. But it is inevitable that skilled threat actors will find some way around them. Penetration testing is the one security testing technique that works the way our adversary does. So, unless we find the one perfect, infallible tool that never misses a security flaw and can logically look at and test a network, it’s not time to pull back on penetration testing. Scope accurately, and let the good guys roll!
Kyle Goode is a Senior Consultant, The Crypsis Group.