Table of Contents
- Who Will Benefit From This Guide
- What is Penetration Testing?
- Infrastructure Penetration Testing
- Objective-Based Penetration Testing
- Why Is Infrastructure Penetration Testing Important?
- Infrastructure Penetration Testing Scope
- Penetration Testing Methodology
- Penetration Testing Tools
- Automated vs Manual Testing
- How Often Should Testing Be Done?
- How Much Does Pentesting Cost?
- What Can You Expect From A Pentest Report?
- Internal vs External Pentesting
- What Are The Stages Of The Pentesting Process?
- How Long Does It Take?
- Who Will Complete My Pentest?
- How To Pick A Cybersecurity Company
The purpose of this post is to provide a comprehensive guide specific to Infrastructure Penetration Testing, its relation to Objective-Based Penetration Testing, and to provide answers to some commonly asked questions that surround penetration testing and its value.
This guide includes:
The basics of penetration testing
The benefits of conducting a penetration test
Penetration testing scope and methodologies
Factors that influence the cost
What you can expect from a pentest report
The pentesting process
How to pick a cybersecurity company to work with
Companies incurred a staggering $6 trillion in damages due to cybercrime in 2021. It should be no surprise companies are increasing their cybersecurity budgets and taking a more proactive approach to reduce their cyber-risk exposure. The average cost of a data breach was $6.75 M CAD per incident in 2021 according to the IBM report. That is up from 2018 when the average was roughly $4M CAD. The consequences of cyber-attacks include operational downtime, loss of brand reputation, loss of business relationships, and large fines and class action lawsuits.
The average cost of a data breach was up to 6.75 M CAD in 2021.
In the modern digital age, it is increasingly important for organizations to develop reliable security programs designed to achieve defensive targets and mitigate cyber-risk. Understanding penetration testing and how it can help mitigate cyber-risk is important for IT professionals at all levels of an organization, but especially at the top levels of management. This guide will benefit an organization’s leaders such as CEOs, CTOs, and CISOs, as well as other senior team leaders including security engineers, network engineers and administrators. This guide can also help to inform other IT professionals such as MSPs, IaaS, PaaS, and SaaS providers.
Who Will Benefit From This Guide
C-level executives that deal with IT security (CISOs/CSOs/VP of security)
Other high-level management (CEO/Business Owner/ Business Executive)
Managed Service Providers (MSP)
Cybersecurity Architects, Network Architects and Network Administrators
What is Penetration Testing?
Penetration testing is the process of simulating a cyberattack on an organization to assure that the security controls in place are effective, uncover and mitigate any vulnerabilities residing within an environment, and provide a detailed attack narrative to properly assess an environment's cyber-resilience. The unique circumstances of each organization requires a different penetration testing model. The particular process and activities (known as the scope of the test) differ significantly depending on an organization’s business model, network topography, and risk objectives.
Here are the fundamental ways that penetration testing engagements can be broadly categorized:
White-box / grey-box / black-box - determined by the amount of information provided to the pentesting entity beforehand. In white-box tests, full information is provided before the tests begin, in black-box no information is provided. In grey-box tests, only some information is provided.
Internal / External - determined by the position of the simulated attack, from outside (external) to inside the network (internal).
Objective-based / Infrastructure - determined by the scope of the testing tactics applied during the test
This article will highlight Infrastructure penetration testing, but first, let’s clarify the difference between Objective-based and Infrastructure pentest approaches.
Infrastructure Penetration Testing
The primary goal of Infrastructure testing is to identify ways an attacker can move around the LAN and what sensitive data could be stolen or otherwise negatively impacted. Therefore, an Infrastructure penetration test is more tactically focused on lateral movement, privilege escalation, and persistent command and control (C2C) than gaining initial access to the network via physical security breaches, social engineering attacks, phishing / spear-phishing, or credential stuffing attacks to compromise external accounts. This makes Infrastructure penetration testing the best suited methodology for testing internal network security controls. In other words, Infrastructure pentests "cut to the chase" by sharpening focus on simulating malicious activity that takes place after an initial access breach, or by an insider.
By shifting the focus in this way, a target organization can optimize time and budget resources. Infrastructure testing efficiency can be further optimized by conducting them as a white-box credentialed-tests, in which a topography of internal infrastructure and credentials for remote access services such as VPN, RDP, or SSH are provided beforehand. Blackbox testing, however, is more likely to uncover network assets that are unknown to an organization because the pentesting entity will start by building their own topography map. During an Infrastructure pentest, the testing entity may install their own penetration appliances directly into the target network. These appliances can be controlled remotely allowing the pentesters to work remotely.
The Infrastructure pentesting methodology also seeks to identify misconfigurations and exceptions to IT security best practices recommended by industry standards such as NIST and SANS CIS Controls (formerly known as Critical Security Controls). This includes checking for legacy protocols (normally on by default) and proper access controls and strong encryption are used to protect internal network resources and data.
Infrastructure testing is also normally done on production network environments, since the size and complexity of an internal network is difficult and time consuming to replicate as a testing environment, and it is important to ensure that the environment being tested is identical to the production environment. When testing production environments, limitations should be set such as when the pentesting entity should stop the testing process and immediately report their findings. Testing a production environment can also serve to test an organization's threat detection and disaster recovery capabilities, and develop valuable defensive security team experience. It’s also the case that pre-production environments may be altered before deployment, and the best value of an Infrastructure test is to ensure that the test applies to the environment that is actually in use.
The result of an Infrastructure penetration test is an audit report which presents the identified vulnerabilities along with technical descriptions and instructions to remediate the weakness. Similar to Object-based reporting, Infrastructure test reports include the results from each stage of the test such as information gathering, host discovery, vulnerability assessment, exploitation, and post-exploitation.
Objective-Based Penetration Testing
Objective-based penetration testing focuses on achieving a particular goal, and the most common goal is to gain access to unauthorized systems, or steal sensitive data. Objective-based penetration testing typically starts by testing the security controls that protect external attack surfaces.
During an Objective-based engagement, tactics such as social engineering, phishing / spear-phishing, and physical penetration are usually considered in-scope activities to tell the story of where a compromised credential or installed executable could take an attacker. In addition to phishing, an Objective-based pentest includes a full Infrastructure pentest, an active directory assessment to identify weaknesses in passwords and configurations, and a ransomware assessment that will identify potential impacts of a ransomware attack with the current configuration and security controls.
Objective-based testing is good when you want to have a red team with a full pentest, which is not a unique offering to Packetlabs and adds the most value to our clients.
Why Is Infrastructure Penetration Testing Important?
Cybercriminals are becoming smarter and more malicious, deploying attacks that impose increasingly higher costs on victim organizations. A single security gap can lead to critical data being ransomed or even worse, permanently destroyed, and business operations being interrupted. Penetration testing is one part of a broader risk management program that seeks to ensure that an enterprise can sustain business operations indefinitely.
Penetration testing can increase security posture and attest the effectiveness of existing security controls and recovery plans across an organization. Pentesting can create more security awareness in an organization’s staff, spawn a better understanding of how cybersecurity interacts with an organization’s risk profile, and give defenders perspective on how attackers perceive opportunities presented by the network environment.
Although vulnerability scans may identify some types of known vulnerabilities, they are limited in scope and do not simulate an actual attack. Therefore, vulnerability scans alone cannot assure the effectiveness of existing security controls against a group of skilled and resourced human attackers who may be able to combine several low severity weaknesses together to gain access to sensitive systems and data to cause damage. Penetration testing is considered an important extension of an enterprise vulnerability management program.
Some organizations are required to conduct pentests or have a continuous pentesting regimen to meet industry or regulatory compliance standards such as PCI-DSS for processing payment card data, HIPPA for organization's that handle personal health information. Alternatively, some companies seek compliance recognition as evidence of their strong security posture to their customers and partners such as SOC-2 for companies that handle financial information. Organizations also need to be audited and certified as compliant to be eligible for government contracts, and standards compliance displays a leading approach to security to existing and new potential customers.
Infrastructure Penetration Testing Scope
Penetration testing scope is determined by the tactical goals and limitations of a pentesting engagement. In general, the scope of a test clearly outlines which infrastructure and approaches are considered in-bounds, and which are excluded.
The scope of an Infrastructure pentest can include both internal and external attack positions. Infrastructure testing does not include vectors such as social engineering tactics, phishing / spear-phishing, or exploiting physical security weaknesses. This is because Infrastructure testing assumes that the attacker is an insider, or has already penetrated external defences.
It may be beneficial to conduct Infrastructure pentests as white-box or grey-box, and credentialed vulnerability scans to identify gaps in hardening and patching that otherwise wouldn’t be uncovered if not credentialed. White-box and grey-box testing also enable organizations to direct attention towards their own risk priorities, and gain assurance where it matters most to them. Setting a narrow scope has the added effect of making a pentest less intrusive, because high-value target systems are identified beforehand and so false leads or non critical assets are not probed or exploited.
Penetration Testing Methodology
Pentesting methodologies are meant to simulate real cyber-attacks from a variety of different threat actors ranging from low complexity attacks such as those of script-kiddies, all the way up to the highly-complex cyber-attack capabilities of nation-state and advanced persistent threat-actors (APT).
The most common types of threat actors ordered from least to most sophisticated are:
Hacktivists / Terrorist Groups
Nation State / APT
Simulating a less complex script kiddie attack could include preloading a USB device with a malicious script and attempting to plug it into any system that penetration testers can physically access, such as guest terminals, point-of-sale (POS) devices, or customer service-desk systems. Simulating an insider threat could include placing a weaponized USB extension cable in a restricted area to record keyboard strokes for stealing passwords. Simulating APT could include reverse engineering open source or proprietary software to look for exploitable bugs, searching for exploits on the darkweb, or developing custom exploits.
Pentesters constantly update their knowledge and awareness of techniques, tactics and procedures (TTP) used by real-world attackers, and these TTP have been compiled into frameworked models of attacker methodology such as the Cyber Kill Chain, MITRE ATT&CK, and MITRE Common Weakness Enumeration (CWE) and penetration testers use these models to develop strategies that mimic real-world attackers.
MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) is a framework of attacker behaviors including detailed descriptions of how attacker TTP are used at various stages of a cyber-attack. MITRE ATT&CK helps pentesters visualize the attack process as multiple individual attacks that are chained together to achieve the attacker's goal. The individual stages of a successful attack are to (1) gain initial access, (2) escalate privileges to increase level of access, (3) identify and target high value assets, (4) exploit the high value assets, and sometimes (5) pivot laterally to penetrate other systems on the network.
Penetration Testing Tools
Penetration testing involves a large number of specialized proprietary and open-source applications, as well as standard software development tools and business applications. The pentesting tool ecosystem is frequently updated by the global community of security researchers, and even includes full OSs that are especially purposed for penetration testing such as Kali Linux, Parrot OS, and BackBox.
Pentesting tools perform a wide range of different functions including information gathering and network scanning tools that help map the target's attack surface, automated vulnerability scanning tools that can scan endpoints or applications for vulnerabilities, sniffers and connection proxies that can intercept and tamper with network traffic, and exploit frameworks that can deploy exploits against authentication services, protocols and software applications to gain initial access, elevate privileges, pivot to higher-value systems, and exfiltrate or destroy sensitive data.
A complete pentest toolkit also includes stealers that can scan a device for password hashes and exfiltrate them, password cracking tools that can extract passwords from stolen password hashes, automated tools for deploying brute-force attacks such as password stuffing and many other specialized tools and custom scripts. Penetration testing also involves using standard built-in OS tools such as Bash and Powershell for a Living Off The Land (LOTL) approach.
Automated vs Manual Testing
Penetration testing involves both automated and manual testing. However, gaining a high degree of security assurance depends mostly on manual techniques. While automated testing tools can efficiently scan a network environment, devices, and applications to map attack surfaces, and identify some known vulnerabilities, manual techniques are required for the actual exploitation process. Manual exploitation techniques require careful analysis of the target environment and can leverage pre-built exploit frameworks and custom exploit kits.
In fact, automated testing accounts for only 5% of a typical PacketLabs penetration test. The other 95% consists of manually deployed real-life attack simulations that target identified vulnerabilities and misconfigurations.
How Often Should Testing Be Done?
Scheduling penetration testing is important to effectively manage an enterprise security program. Exposure time refers to the period of time in between vulnerability scans or penetration tests, when new vulnerabilities may have been publicly disclosed, or changes to the network environment or configuration may have introduced new vulnerabilities.
Large enterprises may have penetration testing programs that are continuous, but for organization's that do not have a continuous penetration testing program, testing should be done at least once per year and also done after significant changes to infrastructure or business operations. Changes to infrastructure are particularly relevant to Infrastructure penetration testing, so it's especially important to conduct tests after changes are made.
Pentesting may also be required by regulations that an organization either must comply with by law, or or industry standards to improve overall security posture. For companies handling payment card data, PCI-DSS requires that companies conduct penetration tests every 3 months or after significant changes to infrastructure. Similarly, SOC-2 type 2 is a continuous attestation of IT security compliance by an organization and requires a penetration testing program that is in-line with a businesses unique operational and risk objectives.
Requesting access to penetration testing information such as frequency, reports, and remediation activity is also advisable when a merger or acquisition (M&A) is being considered. This due diligence can provide valuable insight into the risk management practices and security posture of potential partners.
How Much Does Pentesting Cost?
The cost of a pentest can vary greatly depending on the scope and complexity of the engagement, but the typical range of a quality professional test is between $5K - $150K.
The most significant factors that impact the cost of a pentest include:
The complexity of the target environment
The desired scope of the test
The type of testing conducted (white-box / grey-box / black-box, internal / external)
The amount of manual testing performed
The duration of the engagement
All these factors are part of the formal discussion between the target organization and penetration testing entity before testing begins.
By limiting focus to a small group of assets, or providing detailed information beforehand (such as in a white-box test), the cost of a test can be reduced. Also, organizations, who are debating the value of penetration testing could initially contract a narrowly scoped test to assess the return value that penetration testing provides.
The Return on Security Investment (ROSI) metric is the appropriate method of calculating the ROI of penetration testing. ROSI is an alternative ROI equation, designed to accommodate the uniqueness of security-related investments. It compares the total avoided costs of potential security breaches to the cost incurred by penetration testing. A generalized version of the ROSI equation is:
ROSI = (Security expense avoided – prevention cost) / prevention cost
For example, if your company can expect to avoid even a minor security breach that would cost $100,000 over the next year, and the price of a penetration testing engagement were estimated to be $10,000, then the ROSI calculation would be 9 times the cost:
ROSI = ($100,000 - $10,000) / $10,000 = 9
What Can You Expect From A Pentest Report?
A penetration test report is the deliverable information provided by the pentest consultant after testing has been completed. The report can be used to improve cyber-defences by mitigating any identified vulnerabilities, and to create more security awareness within an organization by understanding the context in which the vulnerabilities occurred.
Pentest reports are structured such that identified vulnerabilities are prioritized according to severity and include evidence of successful exploits such as exfiltrated data, cracked passwords, or screenshots of systems that were accessed without authorization.
A report generally starts with an executive summary that clarifies the test’s purpose and outlines specific goals, restrictions, and other rules of engagement (ROE). A report also includes descriptions of the methodology used to identify each particular vulnerability, descriptions of each vulnerability, steps for remediation, and insights into the overall security posture of the tested environment.
After receiving a pentest report, an organization is typically offered the opportunity to ask questions to clarify the results. Upon reading the report, an organization may want to immediately request further testing, or begin the remediation process. It is advised to redo penetration tests after remediation is complete to verify that security gaps have been successfully closed.
Internal vs External Pentesting
The scope of a penetration test can be limited to internal or external, or include both attack perspectives. The primary goals of an external pentest is to identify sensitive information that can be accessed from outside of the network, and whether initial access can be gained, sensitive data exfiltrated, or the breach can be extended to other high value systems.
Internal penetration tests seek to identify what can be accomplished by an attacker that has already gained initial access, thus evaluating internal network security controls. When considering that a company's employees already have access to internal resources, it makes sense to verify that the principle of least privilege is effectively limiting access to only the services required to fulfill each job role, whether existing security controls can detect attempts to access unauthorized resources, and if other vulnerabilities may allow an attacker with an inside position to elevate their access privileges.
What Are The Stages Of The Pentesting Process?
The process of pentesting starts with a discussion between the target organization and the entity performing the penetration test. The initial goal is to communicate the organization's reasons for getting a penetration test, whether the test will be conducted on production or development infrastructure, the scope, and any other rules of engagement (ROE).
Other aspects of the testing process are clarified during the initial consultation such as whether the test will be internal, external, or both, and if the tests will be white-box, grey-box, or blackbox. After engagement parameters have been agreed upon, all penetration tests generally follow the same process that consists of the following stages:
Discovery and Vulnerability Scanning
Application and Network Layer Penetration Testing
Report Generation and Delivery
Remediation of Identified Vulnerabilities
Retesting of Target Infrastructure
For a more detailed description of the penetration testing process, see our detailed post All You Need To Know About Pen Testing.
How Long Does It Take?
Penetration testing engagements can vary in length from a few days to several months, and large organizations may even have continuous penetration testing programs. The specific goals, scope, types of testing requested, and extent of the target infrastructure can all impact the duration of the testing process.
By providing information before testing begins (i.e white-box or grey-box testing), an organization can save time by reducing the burden of information gathering efforts. For example, an organization can provide a full topography of their internal network environment including services and resources hosted on each node.
Gaining initial access can take an indefinite amount of time, and thus detract from efforts to test internal security controls. Infrastructure testing in particular seeks to optimize the testing process to allocate more efforts towards internal security controls by forgoing initial access tactics.
Who Will Complete My Pentest?
The pentester role (also known as ethical hacker) is a distinct IT security role that requires specialized training and certification. Ethical hackers may be categorized as generalists who are broadly trained in penetration testing tactics, or specialists with deeper skills in some particular aspect of the pentesting process. Specialists may also be distinguished by the specific exploitation frameworks, protocols, operating systems, or exploitation types they are experts in.
The OSCP is a globally recognized and industry leading ethical hacking certification offered by Offensive Security. Offensive Security offers several certifications but the OSCP is the most broad and well-known. Packetlabs is a passionate team of highly trained ethical hackers with the industry’s most advanced certifications.
All PacketLabs pentesters are required to have a minimum of OSCP. While OSCP is the PacketLabs minimum requirement, many team members go above and beyond to gain additional certified expertise including:
Evasion Techniques and Breaching Defenses (OSEP)
Offensive Security Wireless Attacks (OSWP)
Windows User Mode Exploit Development (OSED)
Offensive Security Web Expert (OSWE)
Certified Information Systems Security Professional (CISSP)
Certified Information Systems Auditor (CISA)
GIAC Web Application Penetration Tester (GWAPT)
GIAC Mobile Device Security Analyst (GMOB)
GIAC Systems and Network Auditor (GSNA)
GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
GIAC Certified Incident Handler (GCIH)
This allows our team of OSCP penetration testing professionals to demonstrate industry leading comprehensive hands-on mastery of penetration testing.
How To Pick A Cybersecurity Company
There are many reasons to outsource pentesting, but the primary reason is that putting fresh eyes on a target environment is likely to shed light on potential security weaknesses that an internal security team may overlook. This is because internal teams can develop assumptions and blind spots that the fresh eyes of a motivated and specialized pentesting team will not have.
Many internal enterprise security programs use automated scanning tools that can identify many known vulnerabilities and misconfigurations. However, these automated testing tools are not capable of identifying all vulnerabilities and over-reliance on them may provide a false sense of security. Therefore it is important to evaluate a cybersecurity firm based on their ability to conduct advanced manual testing techniques.
Ransomware has greatly increased the potential value of a cybersecurity breach to cyber-criminals. This results in highly-skilled and pervasive threat actors dedicating their efforts towards developing custom exploits and learning every trick in the cyber-attack playbook. The specialized knowledge, skills, and tools possessed by a professional penetration testing team allow them to simulate a wide range of realistic attacker TTP and provide stronger security assurances.
When selecting a penetration testing consultant many things should be considered such as reputation, trust, size of the entity, their degree of experience and professionalism (including certification requirements and statuses), and specialized skills that apply specifically to the target organization's environment.
Learn more about Packetlabs Infrastructure Penetration Testing services.
Have Questions? Need a Quote?
10 January - Blog
Your Guide to Objective-Based Penetration Testing
14 December - Blog
2022 in Review and Our Predictions for 2023: Cyber-Threat Landscape
05 December - Blog
Choosing a Penetration Testing Company: Methodology & Certifications