The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Analyzing an organization’s security posture through the prism of a potential intruder’s tactics, techniques, and procedures (TTPs) provides actionable insights into the exploitable attack surface. This visibility is key to stepping up the defenses of the entire digital ecosystem or its layers so that the chance of a data breach is reduced to a minimum. Penetration testing (pentesting) is one of the fundamental mechanisms in this area.

The need to probe the architecture of a network for weak links through offensive methods co-occurred with the emergence of the “perimeter security” philosophy. Whereas pentesting has largely bridged the gap, the effectiveness of this approach is often hampered by a crude understanding of its goals and the working principles of ethical hackers, which skews companies’ expectations and leads to frustration down the line.

The following considerations will give you the big picture in terms of prerequisites for mounting a simulated cyber incursion that yields positive security dividends rather than being a waste of time and resources.

Eliminating confusion with the terminology

Some corporate security teams may find it hard to distinguish a penetration test from related approaches such as red teaming, vulnerability testing, bug bounty programs, as well as emerging breach and attack simulation (BAS) services. They do overlap in quite a few ways, but each has its unique hallmarks.

Essentially, a pentest is a manual process that boils down to mimicking an attacker’s actions. Its purpose is to find the shortest and most effective way into a target network through the perimeter and different tiers of the internal infrastructure. The outcome is a snapshot of the system’s protections at a specific point in time.

In contrast to this, red teaming focuses on exploiting a segment of a network or an information / operational technology (IT/OT) system over an extended period. It is performed more covertly, which is exactly how things go during real-world compromises. This method is an extremely important prerequisite for maintaining OT cybersecurity, an emerging area geared toward safeguarding industrial control systems (ICS) at the core of critical infrastructure entities.

Vulnerability testing, in turn, aims to pinpoint flaws in software and helps understand how to address them. Bug bounty programs are usually limited to mobile or web applications and may or may not match a real intruder’s behavior model. In addition, the objective of a bug bounty hunter is to find a vulnerability and submit a report as quickly as possible to get a reward rather than investigating the problem in depth.

BAS is the newest technique on the list. It follows a “scan, exploit, and repeat” logic and pushes a deeper automation agenda, relying on tools that execute the testing with little to no human involvement. These projects are continuous by nature and generate results dynamically as changes occur across the network.

By and large, there are two things that set pentesting aside from adjacent security activities. Firstly, it is done by humans and hinges on manual offensive tactics, for the most part. Secondly, it always presupposes a comprehensive assessment of the discovered security imperfections and prioritization of the fixes based on how critical the vulnerable infrastructure components are.

Choosing a penetration testing team worth its salt

Let’s zoom into what factors to consider when approaching companies in this area, how to find professionals amid eye-catching marketing claims, and what pitfalls this process may entail. As a rule, the following criteria are the name of the game:

  • Background and expertise. The portfolio of completed projects speaks volumes about ethical hackers’ qualifications. Pay attention to customer feedback and whether the team has a track record of running pentests for similar-sized companies that represent the same industry as yours.
  • Established procedures. Learn how your data will be transmitted, stored, and for how long it will be retained. Also, find out how detailed the pentest report is and whether it covers a sufficient scope of vulnerability information along with severity scores and remediation steps for you to draw the right conclusions. A sample report can give you a better idea of how comprehensive the feedback and takeaways are going to be.
  • Toolkit. Make sure the team leverages a broad spectrum of cross-platform penetration testing software that spans network protocol analyzers, password-cracking solutions, vulnerability scanners, and for forensic analysis. A few examples are Wireshark, Burp Suite, John the Ripper, and Metasploit.
  • Awards and certifications. Some of the industry certifications recognized across the board include Certified Ethical Hacker (CEH), Certified Mobile and Web Application Penetration Tester (CMWAPT), GIAC Certified Penetration Tester (GPEN), and Offensive Security Certified Professional (OSCP).

The caveat is that some of these factors are difficult to formalize. Reputation isn’t an exact science, nor is expertise based on past projects. Certifications alone don’t mean a lot without the context of a skill set honed in real-life security audits. Furthermore, it’s challenging to gauge someone’s proficiency in using popular pentesting tools. When combined, though, the above criteria can point you in the right direction with the choice.

The “in-house vs third-party” dilemma

Can an organization conduct penetration tests on its own or rely solely on the services of a third-party organization? The key problem with pentests performed by a company’s security crew is that their view of the supervised infrastructure might be blurred. This is a side effect of being engaged in the same routine tasks for a long time. The cybersecurity talent gap is another stumbling block as some organizations simply lack qualified specialists capable of doing penetration tests efficiently.

To get around these obstacles, it is recommended to involve external pentesters periodically. In addition to ensuring an unbiased assessment and leaving no room for conflict of interest, third-party professionals are often better equipped for penetration testing because that’s their main focus. Employees can play a role in this process by collaborating with the contractors, which will extend their security horizons and polish their skills going forward.

Penetration testing: how long and how often?

The duration of a pentest usually ranges from three weeks to a month, depending on the objectives and size of the target network. Even if the attack surface is relatively small, it may be necessary to spend extra time on a thorough analysis of potential entry points.

Oddly enough, the process of preparing a contract between a customer and a security services provider can be more time-consuming than the pentest itself. In practice, various approvals can last from two to four months. The larger the client company, the more bureaucratic hurdles need to be tackled. When working with startups, the project approval stage tends to be much shorter.

Ideally, penetration tests should be conducted whenever the target application undergoes updates or a significant change is introduced to the IT environment. When it comes to a broad assessment of a company’s security posture, continuous pentesting is redundant – it typically suffices to perform such analysis two or three times a year.

Pentest report, a goldmine of data for timely decisions

The takeaways from a penetration test should include not only the list of vulnerabilities and misconfigurations found in the system but also recommendations on the ways to fix them. Contrary to some companies’ expectations, these tend to be fairly general tips since a detailed roadmap for resolving all the problems requires a deeper dive into the customer’s business model and internal procedures, which is rarely the case.

The executive summary outlines the scope of testing, discovered risks, and potential business impact. Because this part is primarily geared toward management and stakeholders, it has to be easy for non-technical folks to comprehend. This is a foundation for making informed strategic decisions quickly enough to close security gaps before attackers get a chance to exploit them.

The description of each vulnerability unearthed during the exercise must be coupled with an evaluation of its likelihood and potential impact according to a severity scoring system such as CVSS. Most importantly, a quality report has to provide a clear-cut answer to the question “What to do?”, not just “What’s not right?”. This translates to remediation advice where multiple hands-on options are suggested to handle a specific security flaw. Unlike the executive summary, this part is intended for IT people within the organization, so it gets into a good deal of technical detail.

The bottom line

Ethical hackers follow the path of a potential intruder – from the perimeter entry point to specific assets within the digital infrastructure. Not only does this strategy unveil security gaps, but it also shines a light on the ways to resolve them.

Unfortunately, few organizations take this route to assess their security postures proactively. Most do it for the sake of a checklist, often to comply with regulatory requirements. Some don’t bother until a real-world breach happens. This mindset needs to change.

Of course, there are alternative methods to keep abreast of a network’s security condition. Security Information and Events Management (SIEM), Security Orchestration, Automation, and Response (SOAR), and vulnerability scanners are a few examples. The industry is also increasingly embracing AI and machine learning models to enhance the accuracy of threat detection and analysis.

Still, penetration testing maintains a status quo in the cybersecurity ecosystem. That’s because no automatic tool can think like an attacker, and human touch makes any protection vector more meaningful to corporate decision makers.