Understanding The 9 Penetration Testing Phases
Penetration testing phases can be logically divided into different sections that represent the activities involved in planning, scanning, testing, reporting, and reviewing your company’s security.
Penetration testing is a vital part of your organization’s vulnerability management process and provides critical information to your executive teams to contextualize security risks, and key technical information to your IT teams to address and resolve vulnerabilities.
While the penetration testing phases follow a logical order, the individual activities are not always carried out sequentially.
A penetration test rarely follows a fixed, rigid structure where day one is dedicated to reconnaissance, day two to scanning, then the vulnerability assessment, and so on.
For example, the phases include information gathering, vulnerability scanning, and manual identification of vulnerabilities, but information gathering may take place while scans are being run, and identifying a vulnerability may prompt an additional scan or further information gathering.
Although all the phases should be completed as part of the pen testing process, the specific partner and pen tester you work with may blend multiple phases. Individual pen testers may also have their own specific order for completing a pen test and providing a detailed overview of your cyber threats and security posture.
1. Initial Planning
As part of any initial planning for a penetration test, decisions should be made regarding what is to be tested, the types of tests to be conducted, and whether the test is being carried out to help maintain compliance standards.
As part of your planning for a test, there are likely multiple penetration testing companies that you can work with. Each company may present similar services, credentials, or experience, so it can be difficult to select the right company when, on the surface, the only apparent differentiator may be price.
Some considerations during your initial planning phase, and when choosing your penetration testing partner, are:
Report Templates and Example Reports
A penetration testing report is one of the only takeaways you may have at the end of the assessment, so it is important to ensure it is clear and easy to understand, provides a sufficient level of detail for your technical team, and a high-level overview with a context-driven summary regarding risk, which can be useful for management or executive teams.
Reports can be provided in multiple formats, such as Word, PDF, Excel, an online dashboard, or a combination of each format.
The most useful format will vary depending on who the report is intended for, so an example or template report should be requested to ensure you are satisfied with the type of content you will receive from your penetration test.
Communication Channels
Your planned penetration tests may take several days, a week, or longer to complete depending upon their scope and complexity. During this period you may have questions regarding the progress of the assessment, or would like regular updates from the penetration testers regarding findings and the state of your security.
While you can expect a report at the end of the assessment which details each finding, it is never ideal to have no method of communication with the people testing your security.
Ideally, you can work with a company that has several methods of communication established so that you and the people conducting the assessment can ask questions and provide updates. This could be through a messaging application, emails, and regular calls.
Individual Experience
While it is important for the company you are working with to have the relevant credentials and qualifications, it is also important for the individual penetration testers you are working with to have prior experience with solutions and tests similar to your requirements.
Different companies can employ a range of security testers with many different backgrounds and experiences. Some security testers may have specializations, years of experience, or may be relatively new to the industry.
When arranging your security test, consider the experience of the individuals as well as the company for your project.
Precautionary Measures
For any penetration test that includes an active exploitation stage, there should be a discussion regarding the risks of carrying out such actions against a live, in-use system.
This conversation should outline the possibility of an exploit leading to system crashes, or allowing a penetration tester to gain access to a system that contains potentially sensitive data. Each of these outcomes should be discussed, including methods to mitigate these risks.
Post Assessment and Retesting
When working with a penetration testing partner you should determine what follow-up work may be done after the initial assessment is completed.
After being provided with a report, you may have follow-up questions regarding the results, want to schedule calls or meetings to discuss the results, or may be concerned about some of the findings and want to ensure they have been addressed.
Planning what to do after the report is an important part of your vulnerability management lifecycle, and should play a key part in deciding on your penetration testing partner.
2. Scoping and Scheduling
To determine the extent and coverage of the penetration testing process, a scoping phase is undertaken.
The “Scope” of a penetration test dictates what a penetration tester is permitted to perform security testing against.
Many security testing activities would, without authorization, breach the computer misuse laws of many countries. It is therefore crucial for a penetration testing company to accurately define what they are allowed to perform tests against.
This process can include information provided by the client, regarding their requirements, but can also include input and advice from the penetration testing company on what they believe should be included to ensure a client receives their desired outcome or meets their required compliance standard.
The scoping phase may include scheduled calls or meetings to discuss the assessment but may be arranged solely through email if the planned penetration testing scope is relatively simple.
Once each target system has been outlined and the scope of the penetration test confirmed, the time required to conduct the assessment will be determined and the vulnerability assessment scheduled.
These stages of scoping and arranging an assessment will also include contracts to approve and documentation to sign.
3. Reconnaissance and OSINT
After all of the planning and scheduling for your penetration test, one of the first activities will be conducting reconnaissance to discover useful information about your organization, including in-scope assets, accounts, and staff.
Information may be gathered from direct interaction with your target system. This process may reveal the types of authentication systems in use or the accessible services. Version information is often disclosed during this process, which allows the penetration tester to research potential vulnerabilities in the technologies in use.
Open Source Intelligence (OSINT) can form a key part of the reconnaissance activities. A penetration tester may attempt to discover a range of information that may be useful to their assessment, such as:
- Names of your staff members, through sources such as LinkedIn.
- Email addresses, through tools such as Hunter.
- Whether staff accounts have appeared in previous data breaches, through Have I Been Pwned.
- Internet-exposed services, through Shodan.
Many other tools exist, and other types of information can also be gathered and be useful to a penetration tester, including metadata stored in files you host and records of suppliers and third parties you work with.
4. Scanning and Discovery Phase
Scanning forms an important supporting role for any penetration test. As automated tools can make thousands of requests in a relatively short timeframe, they are well suited to a number of repetitive tasks.
These can include the discovery of accessible assets and operating systems, scans to identify open ports and services, the detection of known products and their version information, and the comparison of that version information against known vulnerability databases such as the National Vulnerability Database (NVD).
Scanning tools are often designed to identify hosts, services, and webpages that respond to a request, attempt multiple requests to determine the type and version of the responsive asset, and compare this version information to a set of known security vulnerabilities.
Depending on the scanning tool in use, active testing for vulnerabilities may also be conducted, where a series of requests are made and the responses monitored to identify variations in content, type of response, or response times. This information is then collated to form a vulnerability scan report which details a likely set of vulnerabilities for each target system.
This frees up a lot of the penetration tester’s time to identify potential vulnerabilities that vulnerability scanners are not able to find. However, a portion of a tester’s time will still go to verifying the results of scanning tools, as they can produce both false positives and false negatives.
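The version comparison step described above, as an added example that is not part of the original article: a small script that parses constructed scan output of the form `host:port product/version`, matches each banner against a constructed advisory table (standing in for a lookup against a database such as the NVD), and labels every match as a candidate for manual verification. The product names, advisory identifiers (`EXAMPLE-0001` and so on) and scan lines are all made up for this illustration; none are real CVEs or real systems.

```python
"""
Added example (not the article's own code): match service banners discovered by a
scan against a small advisory table, the way a scanner compares version information
with a known-vulnerability database. All banners and advisories below are constructed
for illustration; the advisory IDs are placeholders, not real CVEs.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder identifier, constructed for this example
    product: str
    introduced: str       # first affected version (inclusive)
    fixed: str            # first fixed version (exclusive); "" means no fix known


# Constructed advisory table standing in for a lookup against a database such as the NVD.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "exampled", "2.0.0", "2.4.2"),
    Advisory("EXAMPLE-0002", "exampled", "1.0.0", "1.9.5"),
    Advisory("EXAMPLE-0003", "demosql", "5.1.0", ""),
]


def parse_version(text):
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_banner(line):
    """Parse one constructed scan line of the form 'host:port product/version'."""
    m = re.match(r"^(\S+):(\d+)\s+(\S+)/(\d+(?:\.\d+)*)$", line.strip())
    if not m:
        return None
    host, port, product, version = m.groups()
    return {"host": host, "port": int(port), "product": product, "version": version}


def is_affected(version, advisory):
    """True when the version lies in [introduced, fixed), or >= introduced if no fix is known."""
    v = parse_version(version)
    if v < parse_version(advisory.introduced):
        return False
    if advisory.fixed and v >= parse_version(advisory.fixed):
        return False
    return True


def match_banners(lines):
    """Return candidate findings; each is a lead to verify manually, not a confirmed vulnerability."""
    findings = []
    for line in lines:
        banner = parse_banner(line)
        if banner is None:
            continue  # unparseable line: skip rather than guess
        for adv in ADVISORIES:
            if adv.product == banner["product"] and is_affected(banner["version"], adv):
                findings.append({**banner, "advisory": adv.advisory_id,
                                 "status": "candidate - verify manually"})
    return findings


# Constructed scan output, not captured from a real system.
SAMPLE_SCAN = [
    "10.0.0.5:443 exampled/2.4.10",   # a string compare would wrongly treat "2.4.10" as older than "2.4.2"
    "10.0.0.5:22 sshd-example/8.9",   # no advisory entry: nothing to report
    "10.0.0.7:3306 demosql/5.7.1",    # affected, no fix known
    "10.0.0.9:8080 exampled/1.9.4",   # one patch release short of the fix
]

if __name__ == "__main__":
    for f in match_banners(SAMPLE_SCAN):
        print(f"{f['host']}:{f['port']} {f['product']}/{f['version']} -> {f['advisory']} ({f['status']})")
```

Two things in this example are worth carrying over to real tooling. Versions are compared as tuples of integers, because comparing them as strings would place `2.4.10` before `2.4.2` and report a host that is already patched. And even a correct version match is only a lead: Linux distributions commonly backport security fixes without changing the advertised version number, which is one of the main sources of scanner false positives that the tester has to verify by hand.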
5. Vulnerability Assessment
At this point in the assessment, the penetration tester will often have a range of information about your assets, accounts, accessible services, potential password information, and vulnerabilities.
With this data gathered, your company’s possible risks, exploitable vulnerabilities, and security weaknesses will be categorized, viable attack chains mapped out, and an effective attack strategy planned that could lead to the compromise of your critical systems and access to sensitive data.
The discussed scoping information and critical targets for your business will be considered at this point to determine if there are any direct risks towards your key assets which host sensitive data or business-critical systems.
Where critical systems are in scope for the assessment and critical vulnerabilities are identified on those systems, a discussion between the penetration testers and the client should also take place before any active exploitation is carried out.
As exploitation actions within a penetration test are not completely risk-free and can result in a system crash, it is important to identify the risk areas for a business without disrupting the day-to-day operations of the organization where possible.
6. Verification and Exploitation Phase
With the most viable vulnerabilities and exploit routes mapped out, your security tester will then attempt to exploit vulnerabilities found using a set of dedicated penetration testing tools and exploitation frameworks.
This process may show that a vulnerability reported by a scanner was a false positive, as the attempted exploit fails to access the system, or it may identify additional mitigating factors that are in place and prevent exploitation.
Where security flaws and exploitation methods are confirmed through penetration testing, an additional verification process can be undertaken to search for horizontal or vertical privilege escalation, or for additional, previously undiscovered vulnerabilities.
Horizontal escalation of privileges is where the access a penetration tester establishes leads to further access to devices or accounts, but at the same level of privilege that has already been established. An example of this may be accessing a laptop with a domain user account, which leads to the discovery of additional domain user accounts, or allows access to a second laptop with the same account.
Vertical escalation of privileges is where the initial access to a laptop is achieved with a domain user account, but this leads to accessing a local admin account or a domain admin account. In this situation, additional administrator permissions are obtained which were not previously available.
The exploitation and escalation process is often repeated until no additional access is available, and the chain can then be reported to describe the impact and severity that a single initial vulnerability can lead to.
7. Reporting and Documentation
The reporting of a penetration test should incorporate the data that has been collected through each of the previous phases to provide a cohesive and comprehensive report that outlines your organization’s risks in a prioritized order that can be understood by both the executive and management teams, as well as the technical teams.
A penetration test report may be provided in multiple parts for different purposes, such as an ordered list of vulnerabilities for technical teams, as well as a risk overview including statistics and insights into the overall threats to the organization as a whole.
Some of the most important details for a penetration test report to include with each vulnerability are:
- A standard scoring system for each vulnerability, often the Common Vulnerability Scoring System (CVSS).
- A description for each vulnerability to explain what the issue is and exactly what is affected.
- A description of risk and a business impact assessment that details the specific impact this issue has on the business and applies a level of context.
- An explanation of how the vulnerability can be resolved or mitigated.
Many penetration testing reports include more information than this to provide additional insights and context related to the vulnerability and the organization.
An example walkthrough of how the vulnerability is exploited is often useful to include within the report so your security teams can work through the provided information and aim to replicate the exploit and verify remediation actions have had the intended effect. This can include detailing the tools used, commands run, output observed, and screenshots demonstrating this process.
8. Summary and Feedback
After receiving your penetration testing report there will often be several different teams or people that the information needs to be distributed to.
Once the relevant members of your team have had the opportunity to review the report, there can be questions that arise, clarification on specific issues requested, and retesting of vulnerabilities to arrange.
Ideally, your penetration testing provider will have scheduled follow-up meetings or calls as part of their standard process, to ensure you have the opportunity to review the report and request any additional information.
This information may be provided through additional screenshots or evidence that was collected as part of the assessment, verbal clarification regarding the context of specific vulnerabilities, or edits of the provided penetration testing report where necessary.
Your team will then need to arrange time to resolve each of the identified vulnerabilities as part of your vulnerability management lifecycle.
As part of this process, your team may be able to verify that a vulnerability has been resolved, or may ask the penetration tester to verify the fix that has been implemented.
9. Remediation and Retesting
Your penetration testing partner may include retesting vulnerabilities within their standard terms and conditions or may charge an additional rate for time spent confirming fixes are in place.
The retesting process can include replicating phases four to six but specifically targeted at the resolved vulnerabilities rather than the organization as a whole.
Whether vulnerabilities are confirmed to have been resolved or are found to persist within your assets, the penetration testing report should be updated to record exactly what has been tested, and why each vulnerability is confirmed as no longer present or as still present.
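The report structure described in the reporting phase (a per-finding CVSS score, description of what is affected, business impact and remediation, presented as a prioritized technical list and an executive overview) and the retest record described just above, as one added example that is not part of the original article. The `Finding` register, the sample findings, the hostnames under `example.test` and the retest date are all constructed for this illustration; the only external fact used is the CVSS v3.x qualitative rating scale (0.1 to 3.9 Low, 4.0 to 6.9 Medium, 7.0 to 8.9 High, 9.0 to 10.0 Critical).

```python
"""
Added example (not the article's own code): a minimal findings register that produces
the two report views described in the reporting phase (a prioritized technical list and
an executive risk overview) and records retest outcomes. All findings are constructed
for illustration; the CVSS scores are sample values, not real assessments.
"""
from collections import Counter
from dataclasses import dataclass, field


def cvss_severity(score):
    """Map a CVSS v3.x base score to its qualitative rating (None/Low/Medium/High/Critical)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    ref: str                  # report reference, constructed
    title: str
    affected: str             # exactly what is affected
    cvss: float               # CVSS base score
    business_impact: str      # context-specific impact statement
    remediation: str
    status: str = "Open"
    retest_notes: list = field(default_factory=list)

    @property
    def severity(self):
        return cvss_severity(self.cvss)


def technical_list(findings):
    """Prioritized list for technical teams: highest CVSS first, then by reference."""
    ordered = sorted(findings, key=lambda f: (-f.cvss, f.ref))
    return [(f.ref, f.severity, f.cvss, f.title, f.affected, f.remediation, f.status)
            for f in ordered]


def executive_summary(findings):
    """Counts by severity and by status: the statistics a risk overview carries."""
    return {
        "by_severity": dict(Counter(f.severity for f in findings)),
        "open": sum(f.status != "Resolved" for f in findings),
        "resolved": sum(f.status == "Resolved" for f in findings),
    }


def record_retest(finding, tested_on, still_present, evidence):
    """Update a finding after retesting with what was tested and why it is (or is not) resolved."""
    finding.status = "Still present" if still_present else "Resolved"
    finding.retest_notes.append(f"{tested_on}: tested {finding.affected}; {evidence}")
    return finding.status


# Constructed sample findings (not from a real assessment).
SAMPLE_FINDINGS = [
    Finding("F-01", "Outdated web server version", "https://app.example.test (port 443)", 7.5,
            "Internet-facing host serving the customer portal",
            "Upgrade to the vendor's current supported release."),
    Finding("F-02", "Missing rate limiting on login form", "https://app.example.test/login", 5.3,
            "Allows password guessing against staff accounts",
            "Add per-account and per-source rate limits."),
    Finding("F-03", "Directory listing enabled", "https://static.example.test/files/", 3.1,
            "Discloses internal document names",
            "Disable directory indexing on the static host."),
    Finding("F-04", "Default credentials on admin interface", "https://admin.example.test", 9.8,
            "Full administrative control of the customer portal",
            "Change the default credentials and restrict access to the interface."),
]

if __name__ == "__main__":
    # Constructed retest entry: the fix for F-04 was confirmed on a made-up date.
    record_retest(SAMPLE_FINDINGS[3], "2024-01-15", False,
                  "login with the default credentials is now rejected")
    for row in technical_list(SAMPLE_FINDINGS):
        print(row)
    print(executive_summary(SAMPLE_FINDINGS))
```

The technical list sorts by CVSS score so remediation work starts with the highest-rated issue, while the executive view only needs the counts by severity and how many findings remain open. Each retest entry stores what was tested and the observed evidence alongside the new status, which is the record the updated report needs to justify why an issue is closed or still open.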
Penetration Testing Timeframe
The timeframe for a penetration test and each of the pen testing phases can vary significantly depending upon what is included within the “Scope” and the type of system to be tested. While some smaller tests may be achievable within a few days, others may take weeks.
For example, a custom web application with a thousand pages can take much longer to assess than a standardized web content management system with only ten pages, although the “Scope” for each may only be listed as a single web application.
The number of vulnerabilities that are identified may also contribute to the assessment timeframe, as larger reports will inevitably take longer to write and review.
Additionally, the remediation of vulnerabilities can often be a prolonged process. Where systems are considered critical, there can be delays in disrupting access to apply the recommended mitigations, and some vulnerabilities may require further configuration work or a development team from a third party, who will have their own schedule and priorities to work around.
Where retesting is to be scheduled as part of the assessment, it can take several weeks from the initial delivery of a report to the assessed systems being prepared for a follow-up review.
Conclusion
Each of the described penetration testing phases outlines an important part of the security testing process. Although some phases may be combined or conducted in a different order, each phase needs to be completed as part of your scheduled penetration test.
Although penetration testing can be a relatively expensive type of security test in relation to other methods, it is important for your organization’s security posture, and for protection against cyber attacks, to carry out regular penetration testing in addition to other, more frequent types of security testing.
The combination of multiple security testing methods conducted regularly, in addition to automated scanning, following security best practices, and staff training exercises, can provide your company with a secure foundation to mitigate potential risks to your business.
Where you have any further questions regarding different cybersecurity solutions, our consultants are available to address any concerns you may have.