Do you know what a penetration test is? It is nothing sexual, but a process to find out how vulnerable a computer system is by how easy it is to penetrate it.
It is possible that when you have been informed about what is "pentesting", "penetration testing", "pentest", "computer security audit", "Red Team", you may have doubts about what they are and what they consist of. In this article I am going to help you with the mental ruckus by giving you an overview of what pentesting is.
A pill about pentesting
Pentest, penetration testing, penetration testing and pentesting are different ways of referring to the same thing. The term pentesting (union of penetration testing), which in English translates as penetration or intrusion testing, is the process carried out using ethical hacking techniques to simulate what a cyber attacker would do to compromise a company or organization by breaching the confidentiality, integrity and availability of its systems or services.
"A penetration test is a process that is both complex and delicate. You have to thoroughly review the targeted systems to identify significant security holes that put a company's or organization's security and that of its users at risk."
An example of what can be done during pentesting: using a vulnerability in an outdated service exposed on public networks as an attack vector to penetrate a company's internal network. Other common tests can be searching for possible ways to leak internal information, DoS/DDoS stress tests (without resorting to the use of a botnet since this is an illegal method), Wireless and VoIP communications and analyzing whether privileges are properly configured depending on the user's role within the company.
It is important to note the following:
- When conducting a penetration test, it must be ensured that the activity will have as little impact as possible on production systems and enterprise services. If the pentest is to be conducted in the cloud it is important to take into account the rules of interaction on Microsoft Cloud components or other vendors.
- These tests have to be approached through a structured process, i.e. following a succession of steps that ensure that each potential vulnerability is checked and in an agile way (this is fundamental because, due to the complexity of some systems, we can lose our heads if we do not follow a methodology and miss relevant vulnerabilities).
The phases of a penetration test are as follows:
As you may have noticed in the previous diagram, pentesting is a cyclical process, which means that as soon as a vulnerability has been exploited and access to another system has been gained, the process starts again with the information gathering phase. The cycle repeats until there are no more systems and services (within the scope previously indicated by the company) to assess and exploit or until no more vulnerabilities are found that allow us to move forward (this is also positive!).
After the report is delivered to the company or organization, a period of time is set for the technical team responsible to correct the vulnerabilities detected and, subsequently, the same systems are re-evaluated to verify that they have been corrected correctly. The objective of this step is to ensure that the systems are as secure as possible. Afterwards, it is advisable to perform penetration tests periodically, since new attack techniques and vulnerabilities that may affect the systems are constantly emerging.
Types of penetration tests:
Depending on which systems you want to test and which roles you want to simulate, you can perform one type of penetration test or another: black box, gray box or white box.
This type of test implies that the person performing the pentest has the role of a cyber attacker who has no prior knowledge about the operation of the systems and services of the company or organization. In the information gathering phase, the penetration testers will search public sources for IP addresses, domains and subdomains and then look for services listening on open ports that have vulnerabilities that can be used as an attack vector to break into the organization's internal networks.
The gray box test involves having a partial view of the systems, it is designed to simulate attacks performed by staff personnel, clientele or disgruntled individuals who have some privilege within the internal network. In order to perform this test, the team that is going to perform the pentest must have access to the internal network and user accounts with some privilege. The objective of this test is to simulate what an attacker with few privileges would do: look for ways to elevate privileges, access confidential information, exfiltrate sensitive documents, etc.
To perform this type of test the team needs to have a full view of the systems and their services. At the time of carrying it out, the architecture of the systems on which the pentest is going to be performed is known, which operating systems and services they use and it is necessary to have access to the systems with an account with elevated privileges to be able to review policies, systems, services, networks and application code. The objective of the white box test is to find security holes that could make it easier for privileged users to breach the CID triad (confidentiality, integrity and availability) of systems and services.
Due to the complexity of a company's or organization's infrastructure, it is necessary to approach the pentest in one way or another:
- It can be a pentest from the public infrastructure.
- Pentesting of internal networks (requires a VPN connection or travel to the office).
- It could be pentesting of web applications.
- Pentesting of wifi networks. The use of wifi networks can involve serious security problems due to the fact that the wireless signal propagates through the air. The objective is to identify vulnerabilities in these networks that could make it easier for cyber attackers to gain access to the company's internal systems.
- Pentest of VoIP communications.
How is pentesting different from an IT security audit?
As you may have deduced, the main difference is that an audit does not move on to the exploitation phase after assessing the possible vulnerabilities detected and is not a cyclical process. When you are auditing a bounded system and you have already inventoried all possible vulnerabilities or security flaws (outdated software, leaked passwords, misconfigured firewalls, etc.) you create a document so that the IT team has a list of vulnerabilities to fix (it may also be necessary to verify if security standards are met). In a pentesting exercise, the pentester goes further and continues to look for vulnerabilities in the successive environments he or she reaches after using pivoting points (going from one machine to another) and ways of escalating privileges until no vulnerabilities are found or all systems within the scope have been analyzed.
What is the difference between a Red Team exercise and a Pentest?
The main difference is the techniques used and the duration. For a Red Team exercise, there is free rein to try to break into an organization by simulating what cybercriminals would do: social engineering, phishing, OSINT (open source intelligence), pentesting, persistence, among others, are usually used. In a Red Team exercise, pentesting would be used to exploit vulnerabilities, looking for pivoting points to move within a corporate network in order to escalate privileges and control compromised devices using Command and Control (C2) techniques. A Red Team tests defenses managed by a Blue Team to find flaws.
In short, a Red Team exercise can use a pentest as one of the ways to achieve its goal.
If you have any questions or think we can help your organization, do not hesitate to contact us. We will be happy to help you😊