Lessons Learned From Penetration Tests

October 26, 2023

Discover 5 valuable lessons learned from penetration tests and improve your security strategy based on real-world insights. Pen testing involves identifying vulnerabilities in the target system so that they can be fixed. It’s often a lengthy process that requires extensive reconnaissance and exploitation of various weaknesses.

Typically, penetration testers are able to obtain domain or enterprise administrative access in about 20% of engagements. That’s a pretty good win rate considering how many older, well-known vulnerabilities are still present in production environments today.

1. Know Your Target

Penetration tests are simulated hacker attacks on systems and networks to determine vulnerabilities that real hackers could exploit. Pen testers work closely with organizations whose security posture they are commissioned to improve to help them identify and eliminate these points of attack.

When planning a penetration test, it’s important to consider the impact it may have on staff and operations. It’s also important to understand how the test will be conducted so that it can be done effectively without disruption. Some penetration tests are performed without the involvement of staff to test response scenarios, while others require employees to collaborate with the pen testers for a more controlled and coordinated approach.

The scope of a penetration test is another factor that can have significant impacts on an organization’s operations. The more hosts that are included in a penetration test, the more time and effort it will take to complete the assessment. To reduce the risk of negative business impacts, it’s recommended to define a clear scope with your penetration tester.

Regardless of the scope of an engagement, it’s very common for penetration testers to scoop up credentials during their assessments. Whether through vulnerability exploitation, social engineering, or red team activity, it’s estimated that about 73% of penetration testing engagements result in at least one set of credentials being collected.

While stealing credentials isn’t the end goal of many penetration tests, it does give an attacker an advantage in terms of ongoing access, impersonation, and the ability to steal private data stored, received, or transmitted by compromised systems. Credentials are especially valuable if an exploit is able to establish root or admin access, which is why pen testers are primarily concerned with integrity-centric vulnerabilities during penetration tests.

2. Know Your Tools

In penetration testing, you’re paying consultants days, weeks, or even months of their time to test your systems. You want to get the most value for your money and make sure they’re working on what matters.

One of the ways to do that is knowing the tools penetration testers use to find vulnerabilities and exploit them. While vulnerability assessments are a great way to quickly scan for flaws, penetration tests take that one step further and simulate how malicious hackers could actually exploit them in real-world attacks.

To do this, penetration testers run a variety of tools to collect and analyze data on a target system, including database or table names, DB versions, software and plugin versions, hardware details, and more. This allows the tester to create a more targeted attack plan and gain access to far more information than they would otherwise have been able to reach.

Another example is using social engineering tests to target helpdesks, employees, and processes. This helps to identify a number of human errors that can lead to security vulnerabilities, such as the common practice of storing passwords in web browsers. Browser-stored passwords can be accessed by penetration testers and attackers alike, so users should consider switching to a password manager protected by hardware 2FA.

Once a foothold is gained, a penetration test will typically leverage that access to expand it throughout the network in search of valuable data or broader domain-wide access. This is the process of escalating an attack, and it is why it’s important to test your entire environment, not just what is visible to the outside world.

Ensure your penetration tests are effective by properly preparing your systems. For example, make sure all systems are up to date with patches and decommission old, unnecessary services. Additionally, consider implementing an automated vulnerability scanner like Acunetix WVS to help prioritize and remediate risks.

3. Know Your Environment

A penetration test is a full-scale simulated attack against your systems and networks. It’s a far more intrusive exercise than a vulnerability scan. Pen testers will use social engineering techniques to try to gain access to sensitive data. They may try to break passwords using a password cracker, send phishing emails, or even attempt a network breach by exploiting open connections and moving laterally within the network.

The good news is that penetration tests show how effective (or ineffective) your security controls are. The bad news is that they also demonstrate how much damage an attacker could cause to your business if left unchecked.

Penetration tests are often conducted by teams of security professionals that are trained to mimic the behaviors of malicious hackers. As such, a penetration test is the best way to see what an attacker would actually do if they had complete access to your system. This insight is extremely valuable for assessing the effectiveness of your security controls.

Once a pen tester gains an initial foothold on your internal network, it’s common to find multiple vulnerabilities that can be leveraged to extend that access further across the enterprise. In fact, a single penetration test can take a tester 80 contracted hours or more in the average engagement.

To help prevent these surprises, it’s important that you prepare for your penetration test in advance. This doesn’t necessarily mean improving your cybersecurity posture before the test itself, but rather understanding the types of threats that are most common and preparing accordingly. This can include patch management, implementing hardware 2FA such as a YubiKey or RSA token, and reducing the number of passwords that can be easily cracked (e.g., by using passphrases and enforcing strong password complexity requirements).

4. Have a Plan

The best preparation you can do for a penetration test is to have a clear understanding of what you want to accomplish. This may seem obvious, but the number of ways that a penetration tester can attack your infrastructure is huge, and it can be difficult to narrow down what you want to be tested.

It is also important to know what systems you want to be tested, since a penetration test can cover everything from network services and web based applications to client-side and wireless security. You will likely have to specify these systems to your penetration tester so that they can make sure to target the relevant vulnerabilities.

During the attack phase of the penetration test, the ethical hacker attempts to take advantage of any vulnerable systems they find. This can involve stealing data, escalating privileges or even installing backdoors and rootkits to gain in-depth access to the system. The ethical hacker then simulates how a real bad actor would maintain persistence in the system and covers their tracks to ensure that no one will be able to trace their actions back to them.

Once the penetration test is complete, your cybersecurity team will need to be ready for what comes next. The results can be quite shocking and can show your IT infrastructure in a very different light than you might have expected. It is usually best to communicate with key IT staff so that they are aware that a penetration test will be conducted and are not tempted to try to interfere with the testing process.

It is not always necessary to notify all staff, but you should decide in advance how many people you will need to inform. If you tell everyone, their behaviour during the test will differ from how they would respond to a real attack, and this can impact the quality of the results.

5. Debrief

Debriefing is the process of evaluating an experience and taking a look at all of the lessons that can be learned from it. It’s a great way to identify the root causes of any failures and determine how to correct them for the future. This is an important step in the STEALTH methodology, as it allows you to learn from the mistakes of others and avoid repeating them in your own operations.

To conduct a good debriefing session, you’ll need to prepare in advance. This includes sending out a questionnaire to participants before the meeting, so that they can reflect on their performance during the event. It’s also important to designate one person who can lead the conversation so that it doesn’t become chaotic. This will most likely be you, but if it isn’t, you should delegate someone to follow the agenda and keep track of the meeting’s goals and objectives.

The next step is to review all of the feedback from your team members and decide which topics you want to focus on during the debriefing session. Ask open-ended questions that provoke a more developed answer than a simple yes or no. This is the best way to ensure that the information your team members provide will be useful and actionable for the future.

You should also include a section for participants to give their feedback anonymously, although this will not be as effective as asking for specifics. The more detailed the responses are, the more helpful your debriefing session will be. The final step is to put together a summary of the main lessons and consider how these can be incorporated into your future practices.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.
