Penetration testing methodologies

Many learners are eager and excited to get started with learning about ethical hacking and penetration testing, and can’t wait to compromise their first targeted system. Some would be too eager and may overlook the fundamentals or forget to perform an important step during a process to reach their objectives. As a result, the desired outcome may not be achieved for this reason. Hence, various penetration testing methodologies help ethical hackers and penetration testers take a specific course of action during security assessments to ensure all in-scope systems, networks, and applications are thoroughly tested for security vulnerabilities.

The following are common penetration testing methodologies/frameworks:

• Penetration Testing Execution Standard (PTES)
• Payment Card Industry Data Security Standard (PCI DSS)
• Penetration Testing Framework (PTF)
• Technical Guide to Information Security Testing and Assessment
• Open Source Security Testing Methodology Manual
• OWASP Web Security Testing Guide
• OWASP Mobile Security Testing Guide
• OWASP Firmware Security Testing Methodology

As shown in the preceding list, there are various penetration testing methodologies that can be applied to organizations based on their operating industry, category of business, the goals of performing ethical hacking and penetration testing, and the scope of the security assessment.

To better understand the importance of each phase of penetration testing, let’s take a closer look at the PTES methodology as it is applicable to many scenarios.

Pre-engagement phase

During the pre-engagement phase, key personnel are selected. These individuals are key to providing information, coordinating resources, and helping the penetration testers understand the scope, breadth, and rules of engagement in the assessment. This phase also covers legal requirements, which typically include a Non-Disclosure Agreement (NDA) and a Consulting Services Agreement (CSA).

The following is a typical process overview of what is required prior to the actual penetration testing:

Figure 1.1: Pre-engagement phase elements

As shown in the previous diagram, it’s important to obtain legal permission from the persons who are in authority at the targeted organization. This is simply your get-out-of-jail card in the event that law enforcement is contacted to investigate a possible cyber-attack during the time of the penetration test at the organization. Next, the rules of engagement can be coupled with the CSA. The CSA is a contractual agreement between the service provider who is offering penetration testing services and the customer. The CSA defines the terms and conditions of work to be performed, which includes the work schedule timelines, scope of work, deliverables, payment terms, and more prior to starting any work on the customer’s systems and networks.

An NDA is a legal agreement that specifies that a penetration tester and their employer will not share or hold onto any sensitive or proprietary information that is encountered during the assessment. This is important to the customer as the penetration tester will be accessing their systems and may find confidential information. Companies usually sign these agreements with cybersecurity companies who will, in turn, sign them with the employees who are working on the project. In some cases, companies sign these agreements directly with the penetration testers from the company carrying out the project.

The scope of a penetration test, also known as the rules of engagement, defines the systems and networks the penetration tester is authorized to perform security assessments on. The scope should be directly aligned with the testing objectives to ensure the relevance and effectiveness of the assessment.

In other words, it defines what the penetration tester is permitted and not permitted to hack, and whether there are any restricted tools and attacks. This ensures the penetration tester remains within legal boundaries. This is a mutual agreement between the client (customer) and the service provider (penetration tester). It also defines sensitive systems and their IP addresses as well as testing times, and which systems require special testing time-windows. It’s incredibly important for penetration testers to pay close attention to the scope of a penetration test and the location they are testing in order to always stay within the testing constraints.

The following are some general pre-engagement questions to help you define the scope of a penetration test:

• What is the size/class (IP addresses and/or network blocks) of the external network? (Network penetration testing)
• What is the size/class (IP addresses and/or network blocks) of the internal network? (Network penetration testing)
• What is the purpose and goal of the penetration test? (Applicable to any form of penetration testing)
• How many site pages does the web application have? (Web application penetration testing)

This is not an extensive list of pre-engagement questions, and all engagements should be given thorough thought to ensure that you ask all the important questions so you don’t under-scope or under-price the security assessment.

Now that you’ve understood the legal limitation stages of penetration testing, let’s move on to learn about the information-gathering phase and its importance.

Information-gathering phase

Penetration testing is a lot like real-world hacking with the exception the penetration tester is limited to the scope and time allocated for the security assessment to be completed. Therefore, like a real cyber-attack, penetration testers need to perform sufficient reconnaissance to collect information from various data sources to create a profile about the targeted organization and identify security vulnerabilities. Information gathering is essential to ensure that penetration testers have access to key information that will assist them in successfully conducting their security assessments.

A seasoned professional will normally spend a day or two conducting extensive reconnaissance on their target. The more knowledge that is known about the target, the better the penetration tester will be able to identify the attack surface, such as points of entry in the targeted systems and networks. Additionally, this phase also helps the penetration tester identify the employees, infrastructure, and geolocation for physical access, network details, servers, and other valuable information about the targeted organization.

Understanding the target is very important before launching any type of attack as a penetration tester, as it helps in creating a profile of the potential target and determining which types of attacks are most effective based on the attack surface. Additionally, recovering user credentials/login accounts in this phase, for instance, will be valuable in later phases of penetration testing as it will help ethical hackers and penetration testers gain access to vulnerable systems and networks.

Threat modeling

Threat modeling is a process used to assist penetration testers and network security defenders to better understand the threats that inspired the security assessment or the threats that applications or networks are most prone to. This data is used to help penetration testers simulate, assess, and address the most common threats that an organization, network, or application faces.

Overall, threat modeling helps organizations and cybersecurity professionals better understand and evaluate the cyber risks and threats that have the potential to negatively affect the assets of a company. In addition, it helps cybersecurity professionals determine the potential each threat has to successfully compromise an asset, together with the likelihood and the ability of the organization to respond to a security incident.

The following are common threat models:

• Spoofing identity, tampering with data, repudiation threats, information disclosure, denial of service, and elevation of privilege (STRIDE)
• Process for attack simulation and threat analysis (PASTA)

Let’s assume we want to perform threat modeling for an online banking system from a cybersecurity perspective using STRIDE:

• Spoofing identity – As a threat, the malicious actor can attempt to impersonate the identity of a legitimate user to gain unauthorized access to the online banking portal. For mitigation, the bank can implement multi-factor authentication (MFA) to improve the verification process of legitimate users.
• Tampering with data – As a threat, a malicious actor can attempt to intercept and alter sensitive financial data that is being transmitted, causing unauthorized transfer of funds from the victim’s account. As a mitigation, the bank can implement end-to-end data encryption technologies such as using digital certificates and signatures to protect the data and its integrity during transmission.
• Repudiation threats – As a threat, a threat actor can perform a DoS attack on the bank’s online platform to deny any legitimate requests from authorized and trusted users. This would create a potential financial loss in transactions performed by the online banking system. As a mitigation technique, the cybersecurity team of the bank can implement transactional logging systems to record each user’s transaction on the platform and to further validate that each transaction is associated with a unique identifier such as a digital signature to enforce non-repudiation, where a user cannot deny their action on a system.
• Information disclosure – As a threat, the customer’s sensitive data can be exposed to unauthorized persons, either through a security vulnerability within the bank’s database or insecure API technologies and implementation. For mitigation, the bank can implement security access controls and data encryption technologies to the web application and its database.
• Denial of service – As a threat, the malicious actor can flood unsolicited request messages to the bank’s online system, causing the system resources of the hosting server to be overwhelmed and become unavailable to process legitimate requests from authorized users. As a mitigation, the bank can implement CAPTCHA technologies and intrusion prevention systems (IPSs) to detect and prevent malicious network traffic.
• Elevation of privileges – As a threat, the malicious actor may exploit a web application vulnerability on the bank’s online portal to escalate their privileges and obtain unauthorized access to administrative areas of the online banking system. As a mitigation, implementing the principle of least privileges helps ensure that users have only the minimum level of access needed to perform their tasks. Furthermore, regular auditing of users’ privileges helps in recognizing suspicious activities.

Let’s perform threat modeling for the online banking system using PASTA:

1. Define the objectives – Ensuring the information security and technologies of the online banking system to protect the customers’ data, preventing financial fraud, and sustaining the availability of the system to users. It’s important to establish the goals of this phase such as identifying any potential threats and vulnerabilities that can compromise the online banking system.
2. Define technical scope – The online banking system may include web and mobile applications, backend database servers and hosting services, third-party vendor technology integration, and usage of application programming interfaces (APIs). The technical scope focuses on identifying the technical boundaries of the system for analysis that may be susceptible to cyber-attacks and threats.
3. Decompose the application – Identifying and documenting various components, data flows, and functionality within the online banking system. It’s important to break down the online banking system into different parts to better understand its architectures and dependencies. This information helps you better understand the attack surface that an attacker can exploit to gain unauthorized access to the system.
4. Analyze the threats – Performing threat analysis to identify potential threats and attack scenarios that can be used to exploit security vulnerabilities in the online banking system. This stage focuses on developing ideas and analyzing how a threat actor can identify and exploit security vulnerabilities in the system.
5. Vulnerability analysis – Identifying and assessing the security vulnerabilities found in the online banking system that can be exploited by a malicious actor. This phase is performed using code analysis, vulnerability scanning, and assessment tools.
6. Attack analysis – Simulating real-world cyber-attacks based on the identified security vulnerabilities and potential threats that can compromise the system. This phase involves creating the attack scenario and using the TTPs that real threat actors employ to compromise their targets.
7. Risk and impact analysis – This phase focuses on evaluating the risk (likelihood) and potential impact each identified cyber threat would have on compromising the online banking system.

Having understood the importance and need for threat modeling, the next step is to perform a vulnerability assessment on the assets to further determine the risk rating and severity.

Vulnerability analysis

During the vulnerability analysis phase, the ethical hacker or penetration tester performs both manual and automated testing on targeted systems to identify hidden and unknown security flaws. Identifying security vulnerabilities within systems helps organizations better understand the attack surface, which is the vulnerable point of entry within their systems and network infrastructure. While many organizations implement and use automated vulnerability scanning tools, it’s also recommended to perform manual testing to determine whether a security vulnerability exists on a system and how it can be exploited by a real adversary, hence the need for penetration testing.

Furthermore, the vulnerability analysis helps the stakeholders and decision-makers in the organization better determine how to allocate resources to higher-priority systems. For instance, many automated vulnerability scanners provide a vulnerability score between 0 (lowest) and 10 (most severe) for each security flaw found on a system. The vulnerability scores can help organizations determine which security vulnerability on a system requires more attention and higher priority due to the potential impact if the vulnerability were to be exploited by an adversary. However, not all vulnerabilities with high scores are equally critical in every context. The criticality of a vulnerability may depend on factors such as the system’s role, the data it handles, and its accessibility to the internet.

In the later chapters of the book, you will learn how to perform vulnerability assessments using various tools and techniques on targeted systems. After identifying the security weaknesses in a targeted system or network, the next phase is exploitation.

Exploitation

As an ethical hacker and penetration tester, the next steps are discovering vulnerabilities in a targeted system, performing manual testing to validate whether these security vulnerabilities exist, and determining how a real threat actor can compromise the system. Exploitation is sometimes the most challenging phase during a penetration test since you will need to either develop or acquire an exploit and modify and test it thoroughly to ensure it has the capability of taking advantage of the vulnerability in the targeted system. Exploitation is the ammunition or evidence that helps articulate why the vulnerability matters and illustrates the impact that the vulnerability could have on the organization. Furthermore, without exploitation, the assessment is not truly a penetration test and is nothing more than a vulnerability assessment, which most companies can conduct in-house better than a third-party consultant could. For many cybersecurity professionals, exploitation is the most exciting phase due to the feeling of breaking into a system.

To put it simply, during the information-gathering phase, a penetration tester profiles the target and identifies any vulnerabilities. Vulnerability assessments play a critical role in identifying and prioritizing vulnerabilities for remediation. They are a fundamental component of a comprehensive security program, providing a broad overview of an organization’s security posture. Using the information about the vulnerabilities, the penetration tester will do their research and create specific exploits that will take advantage of the vulnerabilities of the target – this is exploitation. We use exploits (malicious code) to leverage a vulnerability (weakness) in a system, which will allow us to execute arbitrary code and commands on the targeted system(s).

Often, after successfully exploiting a targeted system or network, we may think the task is done – but it isn’t just yet. There are tasks and objectives to complete after breaking into the system. Next, we’ll discuss the post-exploitation phase in penetration testing.

Post-exploitation

After a threat actor compromises a targeted system, the adversary usually attempts to expand their foothold on the network by compromising additional systems and setting up backdoor access. This provides additional points of entry into the network infrastructure of the targeted organization. Similarly, ethical hackers and penetration testers apply common post-exploitation techniques such as lateral movement to compromise other systems on the network and set up C2 operations to control multiple systems simultaneously.

During post-exploitation, the primary goal is typically to demonstrate the impact that the vulnerability and access gained can pose to the targeted organization. This impact assists in helping executive leadership and decision-makers to better understand the risks, vulnerabilities, and damage it could cause to the organization if a threat were to target their company and assets.

Report writing

Report writing is exactly as it sounds and is one of the most important elements of any penetration test. Penetration testing may be the service, but report writing is the deliverable that the client/customer sees and is the only tangible element given to the client at the end of the security assessment. Reports should be given as much attention and care as the testing.

Report writing involves much more than listing the security vulnerabilities that were found, their impact, and recommendations. It is the medium through which you convey risk and business impact, summarize your findings, and include remediation steps. A good penetration tester also needs to be a good report writer or the issues they find will be lost and may never be understood by the customer who hired them to conduct the assessment. It’s crucial that the report is understandable to a range of stakeholders, including those without technical backgrounds. This means explaining technical vulnerabilities in a way that is accessible to non-experts and illustrating the potential business impacts of these vulnerabilities.

Having completed this section, you are now able to describe each phase of a penetration test and have gained a better idea of the expectations of penetration testers in the industry. Next, we will dive into understanding various penetration testing approaches.