The news these days is filled with stories of data breaches, hacks and (gasp) ransomware. And we’ve all heard the warning, right? “It’s not if you’ll get breached, but when.” Doesn’t sound too promising, huh? How do you know if you’re next? How do you know if your network is vulnerable to the bad guys (we like to call them threat actors)? The way to find out is through penetration testing, also known as pen testing or ethical hacking. A pen test is an authorized cyberattack conducted with the sole purpose of evaluating an organization’s security posture.
There are different types of penetration tests to evaluate the various parts of your network. Just as there are different types of pen tests, there are also different approaches to pen testing: black box, white box, and gray box. With black box pen testing, the pen tester has very little information about their target’s network. Sometimes an organization wants the pen tester to assess controls that they already have in place and fully discloses the organization’s network infrastructure. This is known as white box testing. Somewhere in the middle is – surprise! – gray box testing. In gray box testing, the pen tester is given some information about the network (e.g., credentials), but not all.
Unless it’s an inside job, most hackers are taking the black box approach since they lack information regarding your internal network. Most threat actors start by casing the joint: they need to learn all they can about their target. As such, penetration tests start with Open Source Intelligence (OSINT). OSINT is a reconnaissance and information gathering phase where the tester mines the internet for any information that will aid in accessing the organization’s network. There is a lot of information on the dark web (think sketchy internet neighborhood) and what’s not free can be bought. You’re probably wondering what could possibly be on the internet about your network infrastructure. No, your network topology diagrams are probably not on the web; that’s true. But organizations forget that they do have assets that are freely floating around the world wide web and are easily hacked: HUMANS.
You’ve all heard it: humans are your weakest links. So, the first type of penetration test that we’ll discuss is Social Engineering. Social Engineering is basically manipulating human behavior in order to get the information that you need. Social Engineering penetration tests usually use information gathered during the OSINT phase. Social Engineering pen tests can range from remote phishing campaigns to in-person physical security testing. So, what does this mean? Well, I know that most people are kind and courteous. This means that, even though they’ve been instructed not to, most people will hold the door open for whoever is behind them. They won’t look back, they won’t check for a badge, they will simply hold the door open because that’s what they’ve been taught to do and it’s what they’ve always done. This is dangerous, but that’s another blog for another day. The point is, by relying solely on human kindness, I’m now inside your building and on my way to find your data center!
The pen tests that most people are familiar with are network penetration tests, both external and internal. From an external perspective, the tester is looking for a way to get into the network. They are looking for open ports and the services that are running on them. If one of the services is compromised, the threat actor can gain access to the internal network. Once on the internal network, the tester can use a vulnerability scanner to assess vulnerabilities of devices on the network: desktop computers, laptops, firewalls, servers, routers, switches, printers, etc. The goal of an internal penetration test is to exploit one of the found vulnerabilities and escalate privilege to Domain Administrator status to access confidential data. This is not always possible as exploiting vulnerabilities can take quite a long time.
Penetration testers can also assess Web and Mobile Applications for security vulnerabilities. Pen testers are looking to see if they can log into the application using brute force (trying different username/password combinations non-stop) or if they can bypass authentication altogether. They will try to manipulate the application by typing code into open fields, test for known vulnerabilities, and look for misconfigurations (e.g., default configurations, error messages that give too much information, etc.). The pen tester will conduct attacks that should be detected by the organization’s technical staff and will verify whether the web or mobile application has sufficient monitoring and/or logging for critical events.
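As an added example that is not part of the original post, the following Python script shows the defender’s side of two activities just described: the probing for open ports from the network test (previous paragraph) and the brute-force login attempts that application monitoring is supposed to catch (this paragraph). It runs two simple detection rules over constructed firewall and login log lines; the log formats, IP addresses, thresholds and function names are all assumptions made for this example, not any product’s real output.

```python
"""Added example, not code from the original post: two detection rules a defender
could run over their own logs to spot the activity the post describes (probing
for open ports, and brute-forcing a login). The log formats and every log line
here are constructed for the example; no real product emits exactly these."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log formats (constructed for this example).
FW_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=\w+$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) app=login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$")


def peak_in_window(events, window, distinct=False):
    """events: list of (timestamp, value). Slide a window of the given length over
    the events in time order and return the largest number of events (or of
    distinct values, if distinct=True) that fall inside any one window."""
    recent = deque()
    peak = 0
    for ts, value in sorted(events, key=lambda e: e[0]):
        recent.append((ts, value))
        while ts - recent[0][0] > window:
            recent.popleft()
        count = len({v for _, v in recent}) if distinct else len(recent)
        peak = max(peak, count)
    return peak


def detect_port_scans(fw_lines, min_ports=8, window=timedelta(seconds=60)):
    """Flag a source that touches >= min_ports distinct ports on one host within the window."""
    attempts = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
    for line in fw_lines:
        m = FW_RE.match(line)
        if m:
            attempts[(m["src"], m["dst"])].append((datetime.fromisoformat(m["ts"]), int(m["dport"])))
    alerts = []
    for (src, dst), events in attempts.items():
        n = peak_in_window(events, window, distinct=True)
        if n >= min_ports:
            alerts.append({"src": src, "dst": dst, "distinct_ports": n})
    return alerts


def detect_brute_force(auth_lines, min_failures=5, window=timedelta(minutes=5)):
    """Flag a (source, user) pair with >= min_failures failed logins within the window."""
    failures = defaultdict(list)  # (src, user) -> [(ts, None), ...]
    for line in auth_lines:
        m = AUTH_RE.match(line)
        if m and m["result"] == "fail":
            failures[(m["src"], m["user"])].append((datetime.fromisoformat(m["ts"]), None))
    alerts = []
    for (src, user), events in failures.items():
        n = peak_in_window(events, window)
        if n >= min_failures:
            alerts.append({"src": src, "user": user, "failures": n})
    return alerts


# Constructed sample logs: one host probing ten ports in ten seconds, one normal
# client hitting two web ports, six failed 'admin' logins from a single source,
# and a user who mistypes a password once and then succeeds.
FIREWALL_LOG = [
    f"2024-03-01T09:00:{i:02d} src=203.0.113.10 dst=198.51.100.5 dport={21 + i} action=deny"
    for i in range(10)
] + [
    "2024-03-01T09:00:02 src=192.0.2.44 dst=198.51.100.5 dport=443 action=allow",
    "2024-03-01T09:00:03 src=192.0.2.44 dst=198.51.100.5 dport=80 action=allow",
]
AUTH_LOG = [
    f"2024-03-01T09:05:{i:02d} app=login user=admin src=203.0.113.77 result=fail"
    for i in range(6)
] + [
    "2024-03-01T09:05:10 app=login user=bob src=192.0.2.44 result=fail",
    "2024-03-01T09:05:15 app=login user=bob src=192.0.2.44 result=success",
]

if __name__ == "__main__":
    for alert in detect_port_scans(FIREWALL_LOG) + detect_brute_force(AUTH_LOG):
        print("ALERT", alert)
```

The sliding window is the part that matters in practice: a threshold over an entire day of logs would fire on perfectly normal traffic, while the same threshold over sixty seconds or five minutes separates a burst of probing or password guessing from ordinary use. The thresholds here are illustrative; a real deployment tunes them against its own baseline and feeds the alerts into whatever the organization’s staff actually watches, which is exactly what a pen tester is checking for when they verify that monitoring and logging exist.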
I said earlier that the goal in any penetration test is to exploit one of the found vulnerabilities, but that there is not always time to do that. This is important to understand: threat actors have virtually endless amounts of time. They will try for months to exploit vulnerabilities. Penetration testers do not have that type of time, but they are able to alert the organization’s technical staff to the vulnerabilities that exist. Upon conclusion of the testing, the penetration tester will document all findings in a report that is delivered to the organization. In the report, the penetration tester will make recommendations to the organization on what steps to take to mitigate any risks found.