What are the elements of high-quality penetration testing?
Evaluating security just as vital as implementing security. With various types of security testing such as vulnerability scanning, risk assessments, and penetration testing available to organizations, it can be difficult to pinpoint what type of assessment suits your team's needs... and what differentiates high-quality security exercises vs. low-quality security exercises.
With penetration testing being the most in-depth and coverage-based approach for organizations looking to bolster their security posture, adhere to security regulations, and fortify themselves against future threats, today we'll be honing in on what quantifies high-quality pentesting.
Let's get started:
Penetration testing and vulnerability scanning are often misinterpreted as being the same service, leading to organizations mistakenly purchasing one when, in actuality, they would benefit from the other.
A vulnerability scan is an automated, high-level test that looks for and reports potential vulnerabilities. A penetration test is a detailed hands-on examination that works to detect and exploit weaknesses in your organization's system.
Due to its scope, pentesting recommended over a VA scan for common instances including, but not limited to:
Regulatory compliance
Cyber insurance
Security posture
Informing future cybersecurity roadmaps
As listed in the MITRE cybersecurity framework, there are numerous variations of pentesting, all of which can be tailored to an organization's timeline, expected outcomes, and cyber insurance requirements.
Here at Packetlabs, we execute penetration tests via the following:
DevSecOps: DevSecOps is integrated early in an organization's development cycle and acts as an extension of its development team to flag vulnerabilities within pre-existing detected management systems
Red Teaming: Red Teaming is a full-scope simulated attack designed to get a holistic review of the level of risk and vulnerabilities across people, processes, and tech in an organization
Purple Teaming: Purple Teaming is our collaborative testing exercise where the Packetlabs red team works with a company's internal security operations team (or blue team) to bridge the gap between offensive techniques and response efforts
Cyber Maturity Assessments: A Cyber Maturity Assessment supports the tactical direction of an organization's cybersecurity strategy. As the first step in strengthening its security posture, this assessment generates the roadmap to strengthen its overarching security program
OT Assessments: OT Cybersecurity Assessments simulate the likelihood of an attacker reaching the control centre from an external and internal perspective with production-safe testing
Ransomware Penetration Testing: A Ransomware Penetration Test evaluates the preparedness and risk of a ransomware attack and identifies gaps in people, processes, and technology, to determine the likelihood and readiness for a ransomware attack
Cloud Penetration Testing: Multiple perspectives help with strengthening security posture. These include Cloud Penetration Testing, which simulates an attacker in the environment, and a Cloud Penetration Review, which provides insights into cloud-specific vulnerabilities originating from an insecure configuration. Each of these services can be conducted separately or, for maximum effectiveness, combined as an enhanced cloud security bundle
Objective-based Penetration Testing: Following a preliminary penetration test, objective-based testing conducts a more advanced simulated cybersecurity attack. The test is conducted by persistent ethical hackers who deploy multiphase attacks to gain access to your organization's data so that a company can discover gaps and vulnerabilities unique to their organization (alongside testing their ability to detect and respond to threat actors)
Application Security Testing: More targeted in scope than a regular pentest, Application Security Testing uncovers vulnerabilities residing in web and mobile apps by actively exploring applications from an attacker’s perspective
Infrastructure Penetration Testing: Infrastructure Penetration Testing uncovers vulnerabilities in IT and network systems to provide a tailored approach for each environment
These are all in addition to the Packetlabs Portal, which enables teams to quickly view Packetlabs' findings, prioritize efforts, request retests after remediation, and monitor progress.
Each type of penetration test or assessment can be tailored to a company's specific cybersecurity wants, needs, goals, and pre-existing vulnerabilities.
There are numerous factors that denote high-quality penetration testing.
There are several factors that determine the cost of a pentest such as the size of the target, scope, methodology, experience, endpoints, test duration, and the breadth of expert remediation recommendations offered in the final report for fixing found security weaknesses.
Other common factors are as follows:
Scope: The more comprehensive the pentest, the higher the cost. This includes everything from identifying and testing vulnerabilities to performing a social engineering assessment
Type of testing: As just one example, a black box test is more expensive than a white box test because it is more time-consuming
Methodology: Penetration testing should be conducted using globally accepted and industry-standard frameworks
Automated vs manual: Manual penetration testing is more costly but more effective in identifying vulnerabilities. At Packetlabs, automated testing accounts for only 5% of the testing. The other 95% consists of manually simulated real-life attacks
Complexity of target environment: The more complex the environment, the more time and effort it will take to identify and assess potential vulnerabilities
Tester qualifications: Experienced and certified ethical hackers will provide you with a more thorough pentest which can save you time and money in the long run
Time frame: As expected, the longer the testing timeframe is, the higher the cost will be
While not all high-quality pentests come with a higher fee, it is advised to be wary of penetration tests that are offered at a cost under the average market value.
The reputation of the penetration testing company (alongside the skills, qualifications, and collective years of experience of the team conducting the penetration test) are one of the top determining factors what is defined as high-quality penetration testing.
Senior penetration testers with robust industry certifications, such as CREST, OffSec‘s Offensive Security Certified Professional (OSCP), OSCE, OSWE, and SANs, result in higher fees; however, they also result in more in-depth findings, enhanced cross-team communication, and longer-term cyber hygiene benefits.
Seeking a cybersecurity firm with a strong history of positive reviews is also indicative of quality. For example, alongside celebrating our twelfth year in business in 2023, our team's experience and 95% manual penetration testing yielded a partnership with the SickKids Foundation, which was another one of last year's highlights: the SickKids Foundation is a fundraising organization based in Toronto that supports the Hospital with sick children. With over 1.5 million active donors, the foundation collects and manages sensitive information, which could result in reputational damage and loss of donors if breached.
A high-quality pentest involves thinking and acting like an attacker. There might be different ways to break into a system and might also require someone to think outside the box especially if the target has some security mechanisms in place.
Without an in-depth understanding of the target, its context, and how it works, the pentest might not be rigorous. A high-quality pentest should cover all these aspects and can often span a longer duration of time than some organizations may assume.
For example, projects with larger scope or higher complexity generally require more time and resources to assess. This could include:
The presence of custom codes and legacy systems
Unique integrations within a company's networks
More than one type of penetration testing being performed in a bundle
Ongoing consultation with an organization's IT team
In-depth remediation efforts
High-quality pentests result in reports that are as descriptive as they are informative.
When looking for a pentesting vendor, their dedication to detail is paramount; different applications and industries, for example, have varying PII to be determined for each report, with different inclusions depending on the context.
When done right, pentesting doesn't just address existing weaknesses: it addresses potential future ones as well.
High-quality pentesting firms offer remediation testing or the periodic rotation of pentesting team in order to better help clients in implementing recommended security posture improvements.
These services can be essential for organizations looking to enhance their security posture, but can also contribute to higher upfront costs. One way we offer this at Packetlabs is via our MSP Partner Program: through a Partnership, Managed IT Services Providers can leverage our specialized cybersecurity skills and knowledge to provide even more comprehensive solutions to clients.
While we recommend investing in a high-quality pentesting firm long-term, there are certain instances where vendor rotation may be beneficial.
Here are situations when we advise you look into rotation:
There have been no new findings in 1 - 2 years. Outdated cybersecurity is the top risk for SMBs and enterprises alike–and is costing businesses upwards of one million dollars per cyberattack. That, combined with a cyberattack occurring once every 39 seconds, means that having a pentesting vendor stay on top of new vulnerabilities is crucial... and that, if they aren't finding any, they simply aren't looking deeply enough
Your reports look like VA scans. Although VA scans are serviceable for identifying base-level threats, this surface-level approach to reporting only skims the tip of the iceberg and leaves your organization vulnerable to numerous advanced and emerging threats
The penetration testing quality is poor. If your penetration testing vendor delivers only the standard level of VA reporting, is only relaying basic threats, is not relaying new findings, and engages in poor communication, it's time to move on to a vendor that cares about your organization's cybersecurity as much as you do
On the opposing end, it is recommended to stay with your current vendor if they are meeting the following criteria:
They deliver high-quality findings. As we illustrate in our plethora of sample reports, the difference between a baseline VA scan report and a report brimming with high-quality findings is stark. If your team is continually coming to the table with new findings, provides in-depth reporting, and is communicative about their approach, we recommend not trying to fix what's not broken
They offer the ability to rotate testers. With some pentesting vendors, they are not able to offer the opportunity to rotate testers due to either outsourcing or reliance on automated scans. With teams like Packetlabs, our 95% manual testing methodology means that we can (and often do!) swap our ethical hackers between projects periodically in order to ensure that your organization's vulnerabilities are always getting fresh eyes on them
They have a team that aligns with your security goals. Finding a vendor for any service that aligns with your company's goals, security standards, and vision for improvement is rare. If you find that your team is aligning with your vendor's, we advise that you continue to foster that relationship long-term
No organization is too small–or too large–for threat actors to target, which makes having the right cybersecurity team at your back a necessity.
With cyber threats continuing to develop at a breakneck pace, high-quality pentesting has never been more crucial.
In recent years:
There are an estimated 800,000 cyberattacks per year in 2023–with that number predicted to continue to rise annually
97% of security breaches are exploiting WordPress plugins
An estimated 300,000 new malware are created daily
92% of malware is being delivered via email
In 2023, it’s taking organizations an average of 49 days to identify a cyberattack
Over 4.1 million websites on the Internet have malware
66% of interviewed CIOs plan to continue to increase their investment in cybersecurity
As a CREST and SOC 2 Type II accredited penetration testing firm, Packetlabs’ 95% manual pentesting goes beyond industry standards. Our best-in-class methodology digs deeper to deliver more. We offer several solutions that push the envelope on security–and guarantee full regulatory and cyber insurance compliance.
Pentesting is one of the commonly misrepresented terms, with even more misconceptions shrouding what differentiates a high-quality pentest from a low-quality one. obscurity in the understanding of a high-quality and a low-quality pentest.
To recap, indicators of high-quality penetration testing include, but are not limited to:
Being manual vs. automated
Having seasoned, qualified ethical hackers at the helm
Being priced on-par (or above) average market value
The willingness to encourage vendor rotation when warranted
Offering in-depth remediation steps
Touting a coverage-based, transparent process
By considering the needs of their systems, pre-existing vulnerabilities, and mandated compliance, organizations can select the most suitable type of pentesting for them. Investing in a thorough manual penetration test can be the difference between being saved from what Packetlabs clients have aptly nicknamed "company-killing asteroids" and suffering reputational or financial losses.
Looking to explore the benefits of high-quality penetration testing? Our team is always one click away.
October 24 - Blog
Packetlabs is thrilled to have been a part of SecTor 2024. Learn more about our top takeaway's from this year's Black Hat event.
September 27 - Blog
InfoStealer malware plays a key role in many cyber attacks, enabling extortion and lateral movement via stolen credentials. Learn the fundamentals about InfoStealers in this article.
September 26 - Blog
Blackwood APT uses AiTM attacks that are set to target software updates. Is your organization prepared? Learn more in today's blog.
© 2024 Packetlabs. All rights reserved.