Table of Contents
- Who Will Benefit From This Guide
- What is Objective-based Penetration Testing?
- Objective-based Penetration Testing
- Objective-based Penetration Testing Methodology
- Physical Penetration Testing
- Logical Penetration Testing
- Social Engineering Penetration Testing
- Ransomware Technical Assessment
- Why is Objective-based Penetration Testing Important?
- How is Objective-based Pentesting Different From Infrastructure Pentesting, Application Security Testing, and Red Teaming?
- How Long Does It Take?
- Manual vs Automatic Testing Processes
- What Should Be Tested?
- How Much Does It Cost?
- What Can You Expect From An Objective-based Pentest Report?
Companies incurred a staggering $6 trillion in damages due to cybercrime in 2021. It should be no surprise companies are increasing their cybersecurity budgets and taking a more proactive approach to reduce their cyber-risk exposure. The average cost of a data breach was $6.75 M CAD per incident in 2021 according to the IBM report. That's up from 2018, when the average was roughly $4M CAD. The consequences of cyber-attacks include operational downtime, loss of brand reputation, loss of business relationships, and large fines and class action lawsuits.
The average cost of a data breach was up to 6.75 M CAD in 2021.
In the modern digital age, it is increasingly important for organizations to develop reliable security programs designed to achieve defensive targets and mitigate cyber risk. Understanding penetration testing and how it can help mitigate cyber risk is important for IT professionals at all levels of an organization, but especially at the top levels of management. This guide will benefit an organization’s leaders, such as CEOs, CTOs, and CISOs, as well as other senior team leaders, including security engineers, network engineers and administrators. This guide can also help to inform other IT professionals such as MSPs, IaaS, PaaS, and SaaS providers.
This guide includes:
The basics of Objective-Based Penetration Testing (OBPT)
OBPT methodology with the 4 pillars: Physical, logical, social engineering and ransomware technical assessment
How OBPT is different from infrastructure pentesting, application security testing and red teaming
Manual vs. automatic testing process
Factors that influence cost
What you can expect from a report
The purpose of this guide is to explain Objective-based Penetration Testing, its relation to other types of penetration testing, and to answer some commonly asked questions about penetration testing and its value. The takeaway should be a solid understanding of the range of activities, methodologies, and benefits of Objective-based Pentesting, what you should expect from an Objective-based pentest, and other related information to increase your awareness of the pentesting process.
Who Will Benefit From This Guide
C-level executives that deal with IT security (CISOs/CSOs/VP of security)
Other high-level management (CEO/Business Owner/ Business Executive)
Managed Service Providers (MSP)
Cybersecurity Architects, Network Architects and Network Administrators
What is Objective-based Penetration Testing?
Penetration testing is the process of simulating a cyber-attack on an organization to assure that the security controls in place are effective, to uncover and mitigate any vulnerabilities residing within an environment, and to provide a detailed attack narrative that properly assesses an environment's cyber-resilience. The unique circumstances of each organization require a different penetration testing model. The particular process and activities (known as the scope of the test) differ significantly depending on an organization’s business model, network topology, and risk objectives.
Here are the fundamental ways that penetration testing engagements can be broadly categorized:
Whitebox / greybox / blackbox - determined by the amount of information provided to the pentesting entity beforehand. In whitebox tests, full information is provided before testing begins; in blackbox tests, no information is provided; in greybox tests, only some information is provided.
Internal / External - determined by the position of the simulated attack, from outside the network (external) or inside the network (internal).
Objective-based - determined by the scope of the testing tactics applied during the test and the overall goal or objective to be achieved.
Objective-based Penetration Testing
Objective-based Penetration Testing is a flexible testing approach that is configurable to any organization's unique infrastructure and risk requirements. As the name suggests, Objective-based Penetration Testing focuses on achieving a specific goal; the most common being to gain unauthorized access to systems and sensitive data. A good way to understand Objective-based Penetration Testing is that it thoroughly evaluates the security posture of people, processes, and technology; it extends beyond testing for known software vulnerabilities and misconfigurations to include any possible way an attacker could compromise sensitive systems and data.
An Objective-based engagement's goals, scope, and methodologies are highly dependent on the target organization's risk requirements and can include elements from both Infrastructure Pentesting and Application Security Testing (AST). Because there are many ways an attacker can gain access to a target network, Objective-based Penetration Testing may include a virtually unlimited number of tactical approaches selected specifically with the target's needs and goals in mind.
Objective-based Pentesting typically starts by testing the security controls that protect external attack surfaces. External attack surfaces may include company websites and public-facing web applications, APIs and cloud-based applications, remote access services such as remote desktop (RDP) and VPN entry points, wireless access points, physical premises, and the human factor - testing the resilience of an organization's personnel to social engineering techniques.
Objective-based Pentesting goals may also include testing internal security posture to satisfy "what if" security questions such as:
What if an attacker gained access to a particular system?
What could an attacker do with stolen credentials?
What if an insider launched a cyber-attack against the organization?
What if a zero-day vulnerability was used to compromise a particular system?
What if an attacker successfully executed a session hijacking attack on a website user?
What if an attacker plugged a malicious device into an exposed ethernet port?
Answering these questions tells the story of where a compromised credential, system, planted rogue device, or socially engineered staff member could take an attacker, and can reveal previously unknown techniques that could beat an organization's security controls.
Many Objective-based pentests also include a full Infrastructure Pentest, including an Active Directory (AD) assessment to identify weaknesses in passwords and configurations, and a ransomware assessment to gauge the potential impacts of a ransomware attack and an organization's "ransomware readiness": its ability to detect and respond to a ransomware attack.
Organizations may also want to test their ability to detect and respond to cyber-attacks in what is known as a "red team" exercise. Objective-based testing combines a red team with a thorough pentest, providing deeper insight into a defensive IT security team's performance and incident response capability. This combined thorough pentest + red team test is a unique offering of Packetlabs and adds the most value to our clients.
Objective-based Penetration Testing Methodology
The methodology of each Objective-based Penetration Test varies according to the particular goals and is defined during an initial consultation between the target organization and pentesting entity before any testing actually begins. Every organization has a unique combination of technology, physical infrastructure, corporate structure, data, and processes, thus each organization's own internal risk assessments will uncover a distinct set of operationally critical components that are of high priority to assess and harden.
Risk-driven priorities also determine whether white-box, grey-box, or black-box testing methodologies (or a combination of those approaches) are appropriate and which external and internal testing techniques are used. Rules of engagement (ROE), which set clear communication and escalation paths for reporting critical findings during the engagement, are designed and agreed upon before any testing begins.
Pentesting methodologies are designed to simulate real cyber-attacks on an organization's infrastructure to emulate a variety of different threat-actors ranging from low complexity attackers all the way up to the highly-complex capabilities of nation-state and advanced persistent threat-actors (APT). Simulating a less complex attack could include preloading a USB device with a malicious script and attempting to plug it into any system that penetration testers can physically access, such as guest terminals, point-of-sale (POS) devices, or customer service-desk systems. Simulating APT could include reverse engineering open source or proprietary software to look for exploitable bugs, searching for exploits on the darkweb, or developing custom exploits.
It's important for organizations to simulate insider threat scenarios to determine the risk posed by management, staff, third-party contractors, or guests on the premises. Simulating an insider threat could include placing a weaponized USB extension cable in a restricted area to record keystrokes for stealing passwords, attaching a rogue device to an available ethernet port that can be controlled from a remote location, or executing malicious files on an employee's workstation.
Pentesters constantly update their knowledge and awareness of the tactics, techniques and procedures (TTPs) used by real-world attackers. These TTPs have been compiled into frameworks that model attacker methodology, such as the Cyber Kill Chain, MITRE ATT&CK, and the MITRE Common Weakness Enumeration (CWE), and penetration testers use these models to develop strategies that mimic real-world attackers.
With all this in mind, let's look at the most common tactical approaches of an Objective-based testing methodology.
Physical Penetration Testing
Physical penetration testing evaluates how well an organization's assets are protected against an attacker seeking to gain physical access to sensitive or restricted areas. Many organizations employ a complex set of physical security controls such as locks, fences, surveillance systems, security guards, safes, proximity card readers, and may employ biometric identification systems. If an attacker is able to circumvent these controls, they may directly access critical systems, plant rogue devices that provide remote access to the internal network, or steal devices outright. Having physical controls tested by a physical penetration expert is the only way to truly determine that physical controls deliver real threat prevention as opposed to offering only a measure of deterrence.
Some of the techniques used during a physical penetration test include:
Testing the resilience of physical locks to picking or other breach techniques
Attempting to tailgate or socially engineer employees as they enter restricted areas
Attempting to clone access cards of employees to gain access to restricted areas
Testing the ability of surveillance systems to detect and alert security staff about intruders in a timely manner
Impersonating personnel or third-party contractors to gain access
Logical Penetration Testing
Logical penetration testing evaluates how an attacker could compromise the security of information systems from a remote location or internally. The main goal is to test the security of critical IT environments to assure their resilience against cyber-attacks and assess whether an attack can be detected and remediated quickly and effectively.
From the external perspective, any service that is exposed on the public Internet can be attacked from a remote location, reducing the attacker's risk of being caught. A single weakness in an external attack surface could potentially allow an attacker to steal sensitive data, disable systems causing a service outage, or deploy ransomware that blocks access to critical data, demanding payment for its return.
It is important for an organization to thoroughly map their external attack surface to identify all services that accept connections, scan them for known vulnerabilities, and verify they are configured properly to reduce the opportunity for attackers to exploit them and gain initial access to a network. However, without simulating a real-world cyberattack it is difficult to truly know whether a system is well protected, and this lack of visibility represents a high degree of risk. Therefore, by simulating real-world attacks, penetration testing offers the highest degree of assurance that external attack surfaces are hardened and resilient to attacks.
Internally, logical penetration testing seeks to identify ways that anyone with control of a computer system on the network - either an external attacker who has already gained initial access, or an internal member of the organization - could access unauthorized systems or data, or otherwise compromise the security of the information systems. Configuring network topology and access controls to properly segment data and allow access only to authorized individuals is operationally complex, and without testing the implemented configurations it is difficult to truly assess the level of protection they offer. Organizations can gain security visibility by actively simulating advanced cyber-attacks directly from internal network endpoints.
Logical penetration testing tactics often include:
Testing web servers to ensure that systems are patched against known vulnerabilities and free of misconfigurations, and that web applications are resilient to the OWASP Top 10 vulnerabilities and beyond
Testing network infrastructure to identify known software vulnerabilities, misconfigurations, and legacy protocol vulnerabilities
Testing to identify any suspicious activity that may indicate a compromise is already active within the network
Testing that cloud-based resources are resilient to the OWASP Top 10 Cloud-Native Application Security vulnerabilities and beyond
Testing email servers to ensure they are properly configured to prevent company email addresses from being spoofed, and that authentication processes cannot be easily beaten or bypassed
Testing remote access services such as RDP and VPN solutions to ensure they are resilient against known vulnerabilities, misconfigurations, and authentication bypass attacks
Testing wireless access points and network configuration to ensure that guest and departmental networks are properly segmented from sensitive internal network resources, and internal wireless networks are protected with strong access controls
Testing IoT and other peripherals operating on the network to ensure they are configured properly, have default passwords changed, and are resilient to attacks
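The email-spoofing check in the list above is, in practice, a review of the domain's published SPF and DMARC records. The following added Python example (not part of the Packetlabs guide) evaluates constructed sample records and flags the weak settings a tester would report: a permissive SPF `all` qualifier, too many DNS-lookup mechanisms, a DMARC policy of `p=none`, partial `pct` enforcement, and missing aggregate reporting. The record strings, the example.com/example.net names and the 203.0.113.0/24 address range are constructed sample values; a real assessment would fetch the TXT records via DNS for the domain and for its `_dmarc` subdomain.

```python
"""Evaluate SPF and DMARC TXT records for anti-spoofing strength.

Added example, not Packetlabs' code. The records below are constructed
sample inputs; in a real assessment they would come from DNS TXT lookups
for `<domain>` (SPF) and `_dmarc.<domain>` (DMARC).
"""
from typing import Dict, List, Optional

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation,
# and exceeding the limit makes the whole record evaluate to permerror.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
SPF_LOOKUP_LIMIT = 10


def evaluate_spf(record: Optional[str]) -> List[str]:
    """Return findings for one SPF TXT record (an empty list means strong)."""
    terms = (record or "").strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record: any host may send mail as this domain"]
    findings: List[str] = []
    all_qualifier = None
    lookups = 0
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # "+" is the default
        body = term.lstrip("+-~?")
        name = body.split(":", 1)[0].split("=", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
    if all_qualifier is None:
        findings.append("SPF has no 'all' term: unlisted senders are neutral, not rejected")
    elif all_qualifier == "+":
        findings.append("SPF ends in +all: every host on the Internet passes")
    elif all_qualifier == "?":
        findings.append("SPF ends in ?all: unlisted senders are neutral, not rejected")
    elif all_qualifier == "~":
        findings.append("SPF ends in ~all (softfail): receivers may still deliver spoofed mail")
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"SPF needs {lookups} DNS lookups (limit {SPF_LOOKUP_LIMIT}): permerror")
    return findings


def evaluate_dmarc(record: Optional[str]) -> List[str]:
    """Return findings for one DMARC TXT record (an empty list means strong)."""
    if not record or not record.strip():
        return ["no DMARC record: SPF/DKIM results are never enforced on the From: domain"]
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC record does not start with v=DMARC1: ignored by receivers"]
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy '{policy}' is missing or invalid")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # receivers treat a malformed pct as the default of 100
    if pct < 100 and policy in ("quarantine", "reject"):
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports, so abuse goes unseen")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("DMARC sp=none: subdomains can still be spoofed")
    return findings


def assess_domain(spf: Optional[str], dmarc: Optional[str]) -> Dict[str, List[str]]:
    """Combine both checks into one report keyed by record type."""
    return {"spf": evaluate_spf(spf), "dmarc": evaluate_dmarc(dmarc)}


# Constructed sample records (example.com / example.net are documentation names).
WEAK_SPF = "v=spf1 include:_spf.example.net include:mail.example.org ?all"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, assess_domain(spf, dmarc))
```

Running the block prints two findings for the weak pair (neutral `?all`, and `p=none` plus a missing `rua` address) and none for the strong pair. The lookup counter matters in practice because a record that silently exceeds ten lookups fails open for every receiver, which is easy to miss when a record grows by adding `include:` terms for new SaaS senders.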
Social Engineering Penetration Testing
Social engineering penetration testing simulates the way real-world cyber-attackers attempt to trick individuals into performing an action that seems innocuous but can actually lead to network compromise. Employing social engineering tactics during a penetration testing engagement can help managers understand the maturity of user awareness amongst their personnel to determine what kind of training or additional security controls may be needed while also evaluating the resilience of the network's security.
IBM reported that phishing was the initial access vector in 40% of successful network breaches, and further identified Microsoft, Apple, and Google as the top three brands criminals attempted to spoof. As part of a phishing exercise, a testing entity will prepare and deliver email templates resembling well-known web applications. In a more sophisticated spear-phishing simulation, context-relevant emails appearing to come from managers, co-workers, or third-party vendors will be spoofed and delivered. If the end-user interacts by opening an attached file or clicking on a link, a malicious payload is delivered to compromise the victim's computer.
Although phishing-based attacks are the most common way that attackers gain initial access to their victims' networks, social engineering attacks can also take other forms. For example, cybercrime gangs create websites that portray a great new software application with benefits such as increasing office productivity, improving a computer's performance, or protecting against malware. In reality, these are simply a means to trick the victim into installing trojanized software. The attackers may pay for advertisements on legitimate websites or bait victims with social media chatter about the benefits of their malicious software. Once installed, the malware can quickly steal files and passwords, exfiltrate screenshots and keystrokes, and install second-stage malware such as ransomware.
Social engineering tactics used during an engagement may include any type of activity that can exploit human behaviour:
Phishing / Spear-phishing / Smishing - using fraudulent emails, SMS messages, or any other message system to lure a victim into completing an action defined by the attacker to compromise the victim's computer or gain sensitive information
Whaling - using a phishing attack to target senior management or C-level executives
Baiting - luring the victim into doing something that they think will make their job easier such as installing a trojanized software application or plugin
Vishing - attempting to trick a victim into providing sensitive information or unauthorized access over the phone
Pretexting - compelling a target to comply with a persuasive lie such as pretending to be a powerful person in the organization, or someone who needs help
Physical - using social engineering techniques such as tailgating or pretexting to gain access to restricted areas
The human factor - an organization's personnel, including staff, managers, and even C-level executives - is the attack vector of choice for many real-world attackers, and although social engineering techniques do not require a high degree of technical sophistication, they are the gateway for attacks that do. As with other attack surfaces, gaining assurance of an organization's resilience to social engineering requires that people and processes be tested.
Ransomware Technical Assessment
Ransomware attacks are increasing in numbers and costs, and ransomware threat-actors are known to target organizations of all sizes and industries making it vital that organizations invest in cybersecurity development that specifically addresses the unique threats posed by ransomware. Ransomware can be mitigated both in terms of reducing the chances of being successfully exploited and increasing the ability to quickly and completely recover from an attack if it is successful.
These efforts can be supported in different ways by a Ransomware Technical Assessment that is included in an Objective-based Penetration Test and a full Ransomware Penetration Testing engagement which includes both a Technical Ransomware Assessment and a Non-Technical Ransomware Assessment.
A Ransomware Technical Assessment is part of an Objective-based Penetration Test and can be described as a type of logical penetration testing that specifically tests an organization's resilience to ransomware attacks by simulating the actual tactics employed by ransomware threat actors.
The goals of a Ransomware Technical Assessment include:
Identifying the impact of potential ransomware attacks on an organization's unique set of infrastructure and data
Detecting security gaps in policies and processes that may allow a ransomware attack to gain initial access to a target network
Ensuring backups are secure, reliable, and can be quickly deployed if needed
Extended ransomware assurances are available through a full Ransomware Penetration Test, which differs from the Ransomware Technical Assessment included in an Objective-based Penetration Test in that it embodies a fully specialized maturity assessment of both an organization's technical and non-technical components. The technical component is equivalent to the technical assessment included in an Objective-based Penetration Test, while the non-technical component evaluates policies, standards, and procedures to identify potential security gaps from an administrative perspective. A full Ransomware Penetration Test also includes a comparison of an organization's security program against the Cybersecurity Framework Profile for Ransomware Risk Management (NISTIR 8374), a technical assessment of security controls, and a full penetration test.
PacketLabs' Ransomware Prevention and Response Checklist is a good starting point for understanding the critical elements of a cybersecurity program to reduce overall risk and develop a degree of preparedness to recover from a ransomware attack quickly and completely.
Why is Objective-based Penetration Testing Important?
Cybercriminals are becoming smarter and more malicious, deploying attacks that impose increasingly higher costs on victim organizations. A single security gap can lead to critical data being ransomed or even worse, permanently destroyed, and business operations being interrupted. Penetration testing is one part of a broader risk management program that seeks to ensure that an enterprise can sustain business operations indefinitely.
Objective-based Pentesting can create more security awareness in an organization’s staff, spawn a better understanding of how cybersecurity interacts with an organization’s risk profile, and give defenders perspective on how attackers perceive opportunities presented by the network environment.
Objective-based penetration tests simulate cyber-attacks from a wide range of threat actors from script-kiddies (novice attackers) to advanced persistent threats, and nation-state funded hacking groups. By simulating real-world attacks using the known tactics and techniques of cyber-criminals, organizations can identify security gaps and weaknesses, which allows IT security teams to harden attack surfaces and mitigate as many vulnerabilities as possible. The ultimate goal is to put an organization's security controls to the test by proactively simulating cyber-attacks to gain evidence-based assurances its people, processes, and technology provide strong cyber resilience, and the organization can maintain operations indefinitely.
How is Objective-based Pentesting Different From Infrastructure Pentesting, Application Security Testing, and Red Teaming?
Of all the fundamental types of penetration testing (Objective-based Penetration Testing, Infrastructure Penetration Testing, and Application Security Testing), Objective-based has the broadest scope. An Objective-based engagement may include any or all of the processes ascribed to Infrastructure and Application testing methodologies, and extend beyond them to include virtually any offensive strategy, tactic, or technique - commonly used in real-world attacks or novel - that could help identify security gaps within an organization.
The most common Objective-based Penetration Testing tactics include physical infrastructure testing, external and internal logical testing, wireless network testing, and social engineering testing.
Objective-based penetration testing is also different from Red Teaming. During a red team exercise, the penetration testing team launches a cyber-attack campaign on an organization's infrastructure with the goal of avoiding detection while compromising systems and data within the network. Under normal circumstances, red teaming takes much more time because of the added goal of avoiding detection. During Objective-based penetration tests, organizations cooperate with the pentesting entity by allowing phishing emails to pass through content proxies, providing user email lists, or setting up a computer on their internal network. Red teaming, however, takes place while all defensive IT security activities are fully active, including content filtering proxies, anti-malware solutions, and network and host intrusion detection and prevention products. In some cases red teaming may not find vulnerabilities, but only verify that an organization's IT security team is effectively identifying attacks and stopping them.
How Long Does It Take?
Penetration testing engagements can vary in length from a few days to several months, and large organizations may even have continuous penetration testing programs. The specific goals, scope, types of testing requested, and extent of the target infrastructure can all impact the duration of the testing process.
By providing information before testing begins (i.e., whitebox or greybox testing), an organization can save time by reducing the burden of information gathering. For example, an organization can provide a full topology of its internal network environment, including the services and resources hosted on each node.
Gaining initial access can take an indefinite amount of time and thus detract from efforts to test internal security controls. Objective-based Penetration Testing engagements are highly customizable to fit any organization's risk requirements and contextual priorities for security assurances.
Manual vs Automatic Testing Processes
Penetration testing involves both automated and manual testing. However, gaining a high degree of security assurance depends mostly on manual techniques. While automated testing tools can efficiently scan a network environment, devices, and applications to map attack surfaces, and identify some known vulnerabilities, manual techniques are required for the actual exploitation process. Manual exploitation techniques require careful analysis of the target environment and can leverage pre-built exploit frameworks and custom exploit kits.
In fact, automated testing accounts for only 5% of a typical PacketLabs penetration test. The other 95% consists of manually deployed real-life attack simulations that target identified vulnerabilities and misconfigurations.
What Should Be Tested?
Although the cyber-threat landscape is constantly evolving, the following CTI statistics from IBM X-Force Intelligence Index 2022 reflect what type of goals should be included in an Objective-based penetration test to cover the most prevalent attacks in the modern cyber-threat environment:
Ransomware - 21% of all cyber-attacks in 2022 were ransomware attacks
Phishing / spear-phishing - 41% of initial access compromises were achieved through phishing attacks
Software vulnerabilities - At 34%, software vulnerability exploitation was the second most common way that attackers gained initial access to a target network
Stolen credentials - Stolen credentials were the method used in 9% of successful network breaches
Weak or reused passwords - Passwords that could be either brute-forced or discovered in data from a previous data breach that had been publicly shared made up 7% of initial access vectors
Insider attacks - Malicious insiders constituted 5% of attacks in 2022
However, since a motivated attacker will conduct targeted reconnaissance to identify any security gaps in an organization's infrastructure, a penetration test should simulate as many different real-world attack scenarios as possible in order to thoroughly test an organization's existing security controls.
The most common tactics included in an Objective-based penetration test are:
Physical - Can an attacker gain physical access to sensitive areas within an organization's premises?
Logical - Can an attacker exploit a public facing system that belongs to an organization in order to gain initial access to an internal network or sensitive data? If an attacker is inside a network can an IT security team effectively detect and prevent the attacker from achieving their goals?
Social Engineering - Can an attacker trick an insider into performing some action on their behalf such as clicking on a malicious link, opening a document that contains malware, installing a trojanized application, sharing sensitive information, or providing unauthorized access?
Ransomware - Is an organization prepared to detect a ransomware attack at an early stage to prevent it or recover quickly and completely from a ransomware attack that encrypts their files?
How Much Does It Cost?
The cost of a pentest can vary greatly depending on the scope and complexity of the engagement, but the typical range for a quality professional engagement is between $30K and $60K.
The most significant factors that impact the cost of an Objective-based penetration test include the depth of the methodologies used, the duration of testing engagement, and the amount of manual testing performed. All these factors are part of the formal discussion between the target organization and penetration testing entity before testing begins.
By limiting focus to a small set of objectives or a single objective, or by providing detailed information beforehand, the cost of a test can be reduced. Organizations that are debating the value of penetration testing could initially contract a narrowly scoped test to assess the return value that penetration testing provides.
The Return on Security Investment (ROSI) metric is the appropriate method of calculating the ROI of penetration testing. ROSI is an alternative ROI equation, designed to accommodate the uniqueness of security-related investments. It compares the total avoided costs of potential security breaches to the cost incurred by penetration testing. A generalized version of the ROSI equation is:
ROSI = (Security expense avoided – prevention cost) / prevention cost
For example, if your company can expect to avoid even a minor security breach that would cost $100,000 over the next year, and the price of a penetration testing engagement were estimated to be $10,000, then the ROSI calculation would be 9 times the cost:
ROSI = ($100,000 - $10,000) / $10,000 = 9
What Can You Expect From An Objective-based Pentest Report?
A penetration test report is the deliverable information provided by the pentest consultant after testing has been completed. The report can be used to improve cyber-defences by mitigating any identified vulnerabilities, and to create more security awareness within an organization by understanding the context in which the vulnerabilities occurred.
Pentest reports are structured such that identified vulnerabilities are prioritized according to severity and include evidence of successful exploits such as exfiltrated data, cracked passwords, or screenshots of systems that were accessed without authorization.
A report generally starts with an executive summary that clarifies the test’s purpose and outlines specific goals, restrictions, and other rules of engagement (ROE). A report also includes descriptions of the methodology used to identify each particular vulnerability, descriptions of each vulnerability, steps for remediation, and insights into the overall security posture of the tested environment.
After receiving a pentest report, an organization is typically offered the opportunity to ask questions to clarify the results. Upon reading the report, an organization may want to immediately request further testing, or begin the remediation process. It is advised to redo penetration tests after remediation is complete to verify that security gaps have been successfully closed.
When selecting a penetration testing consultant many things should be considered such as reputation, trust, size of the entity, their degree of experience and professionalism (including certification requirements and statuses), and specialized skills that apply specifically to the target organization's environment.
Learn more about Packetlabs' Objective-based Penetration Testing services.