The 4 Phases of Penetration Testing
You’ve done your research on the different types of penetration testing, now you’re ready to conduct an engagement and let the pentesters do their best to breach your systems.
But what exactly happens after you give ethical hackers the chance to bypass your strongest defences? Where do they start? How long does the test take? What information will they offer once they’re done?
To get your answers, let’s review the four phases of the penetration testing process, step-by-step:
As you begin the penetration testing process, a practice lead will start by defining the scope of your security assessment. There’s a lot that goes into defining this, such as the criticality of the applications being tested, whether it’s on-site or off-site testing, and how many servers or devices will be involved, just to name a few.
During this planning stage, the timing and duration of the penetration test are also determined. It’s crucial for both the assessment team and the company to outline a clear timeline for the testing window, so that the evaluation doesn’t drag out and so that timely remediation can be used to strengthen defenses.
It’s during this initial conversation that your business must decide whether or not to alert employees to the penetration test; our team recommends keeping the engagement private so that your employees behave as they normally would. This fosters more accurate results, revealing a true reflection of your security posture. Occasionally, a handful of individuals may be “in the know” about the test, but this is not common.
Before testing begins, the pre-attack phase is critical: to run a successful exercise, the pentesting team must work through an extensive plan. Oftentimes, bad actors begin by gathering whatever data they can on your company (or on the individual employees they choose to target).
The cyberattackers look for Open Source Intelligence (OSINT), meaning any publicly available information that they can gather to use against you. They usually start with free information, or data that isn’t blocked by paywalls. Unfortunately, in our growing digital age of social media usage, it can be shocking how much data can be accessed by doing a simple Facebook or LinkedIn search.
This data grants the bad actors the tools they need to guess passwords, fool you or your employees with clever social engineering attempts, and more.
After the security assessment team discovers and qualifies a list of vulnerabilities to exploit, the penetration attempts (or “attacks”) begin.
Depending on the type of engagement, your pre-attack plan may have a variety of starting points, and many different tests may be employed. Social engineering and web application exploits, however, are the two most common vectors that a real threat actor employs, which is why most pentesters pursue these two vectors first.
From a social engineering perspective, a pentester will research your company and employees. They’ll look for people within your corporation who may easily be manipulated into sharing access to private data. Once a human target has been determined, the assessor will attempt to gain higher privileges through phishing emails and pretext phone calls, etc.
Some assessors will go the extra mile and test your physical security, attempting to gain entry into your office or to discover important information about your business through installing hardware implants or cloning access control cards.
As far as web application attacks go, there are a few ways bad actors can strike. Commonly, cyber criminals will spoof website domains, creating a very similar URL to a trusted site using a fake lookalike domain (think zoom.com when the real site is zoom.us). Once you click a link in a sneaky phishing email to hop on a Zoom video conference, you’re prompted to download an update for your conferencing software. This update is really a weaponized package, which installs malware onto your computer. It also contains the real software update, so many users are none the wiser that they were even breached.
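The lookalike-domain trick above (zoom.com standing in for zoom.us) is easy to catch on the defender's side if inbound links are checked against the domains the organisation actually uses. The following is an added example, not code from the original article: it classifies a link's registrable domain as trusted, lookalike or unrelated, flagging a brand name under a different TLD, a trusted domain embedded as a subdomain prefix, and one-character typos or digit-for-letter homoglyphs. The trusted-domain list, the homoglyph table and the sample links are constructed for illustration.

```python
"""Flag lookalike domains in links, e.g. zoom.com impersonating zoom.us.

Added example: TRUSTED_DOMAINS, HOMOGLYPHS and the sample URLs are constructed
for illustration; they are not from the original article.
"""
from urllib.parse import urlparse

# Constructed allow-list of domains the organisation genuinely uses.
TRUSTED_DOMAINS = {"zoom.us", "example-corp.com"}

# Substitutions commonly used in typosquats (assumed, small table for the demo).
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def hostname_of(url: str) -> str:
    """Lower-cased hostname of a URL; a bare domain without a scheme is accepted too."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname (a simple approximation of the registrable domain)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(label: str) -> str:
    """Undo common homoglyph substitutions before comparing brand names."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for the domain behind url."""
    host = hostname_of(url)
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    name, _, tld = domain.rpartition(".")
    for trusted in TRUSTED_DOMAINS:
        t_name, _, t_tld = trusted.rpartition(".")
        # Same brand name under a different TLD: zoom.com vs zoom.us.
        if name == t_name and tld != t_tld:
            return "lookalike"
        # Trusted domain used as a subdomain prefix: zoom.us.attacker.example.
        if host.startswith(trusted + "."):
            return "lookalike"
        # Homoglyph or one-character typo in the brand name: zo0m.us, zooom.us.
        if edit_distance(normalise(name), t_name) <= 1:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a phishing email.
    for link in ["https://zoom.us/j/123", "https://zoom.com/update",
                 "http://zoom.us.evil-cdn.example/dl", "https://zo0m.us/", "https://github.com/"]:
        print(f"{classify_link(link):10} {link}")
```

In a mail gateway or proxy, a "lookalike" verdict is a good trigger for quarantining the message or rewriting the link, while "unrelated" domains fall through to the usual reputation checks; the two-label approximation of the registrable domain is deliberately simple and would need a public-suffix list for hosts such as example.co.uk.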
Often, pentesters will leave some sort of signature on the system or network that has been compromised to denote evidence of the breach, for review in the post-attack analysis.
At the end of the penetration testing procedure, we provide our customers with an extensive set of reports and recommendations to effectively eliminate the detected weaknesses:
- Brief description based on the achieved results and findings.
- List of detected system vulnerabilities and their classification according to how easy they are to exploit and how harmful for the system and business they may be.
- List of changes in the system that were implemented during testing.
- Test protocol (including instruments and tools used, parts that were checked and issues found).
- Actionable recommendations to eliminate the revealed security issues.
You’ll receive a full report detailing what the ethical hackers discovered, including a list of vulnerabilities, an analysis of the findings, a conclusion drawn from the findings, remediation measures and recommendations, log files from tools as evidence of findings, and an executive summary for sharing across corporate levels.
This report will often explain the probability of each exploit occurring, as well as the potential monetary or brand impact of every security compromise.
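The report's classification of findings by ease of exploitation and business harm, and the probability and impact figures that go with each one, can be captured in a small risk register that orders the findings for the remediation list and produces the counts for the executive summary. The following is an added example, not the article's own methodology: the three-point scales, the severity thresholds and the sample findings (with their likelihood and loss figures and log references) are all constructed for illustration.

```python
"""Classify pentest findings for the final report by ease of exploitation and impact.

Added example: the scales, thresholds and SAMPLE_FINDINGS are constructed for
illustration and are not the article's own methodology.
"""
from dataclasses import dataclass

# Assumed three-point scales (not from the article).
EXPLOITABILITY = {"trivial": 3, "moderate": 2, "hard": 1}   # how easy to exploit
IMPACT = {"critical": 3, "significant": 2, "minor": 1}      # harm to system and business


@dataclass(frozen=True)
class Finding:
    title: str
    exploitability: str   # key of EXPLOITABILITY
    impact: str           # key of IMPACT
    likelihood: float     # estimated probability of real-world exploitation within a year
    loss_estimate: float  # estimated monetary impact if exploited (constructed figure)
    evidence: str         # reference to the tool log backing the finding
    remediation: str


def risk_score(f: Finding) -> int:
    """Exploitability times impact on a 1..9 matrix."""
    return EXPLOITABILITY[f.exploitability] * IMPACT[f.impact]


def severity(f: Finding) -> str:
    """Map the matrix score to a report rating (thresholds are an assumption)."""
    score = risk_score(f)
    if score >= 6:
        return "Critical"
    if score >= 4:
        return "High"
    if score >= 2:
        return "Medium"
    return "Low"


def expected_loss(f: Finding) -> float:
    """Probability-weighted monetary impact, used to justify remediation priority."""
    return round(f.likelihood * f.loss_estimate, 2)


def prioritised(findings):
    """Order findings for the report: highest score first, then largest expected loss."""
    return sorted(findings, key=lambda f: (-risk_score(f), -expected_loss(f), f.title))


def summary(findings):
    """Counts per severity for the executive summary."""
    counts = {"Critical": 0, "High": 0, "Medium": 0, "Low": 0}
    for f in findings:
        counts[severity(f)] += 1
    return counts


# Constructed sample findings (not results from any real engagement).
SAMPLE_FINDINGS = [
    Finding("SQL injection in customer search", "trivial", "critical", 0.6, 250_000,
            "scanner-run-03.log", "Use parameterised queries; validate input server-side"),
    Finding("Staff submitted credentials to phishing page", "moderate", "critical", 0.5, 120_000,
            "phish-campaign-1.csv", "Enforce MFA; run targeted awareness training"),
    Finding("Verbose server banner", "trivial", "minor", 0.3, 2_000,
            "service-scan.txt", "Suppress version headers"),
    Finding("Weak TLS cipher suites", "hard", "significant", 0.1, 40_000,
            "tls-scan.txt", "Disable legacy cipher suites"),
]

if __name__ == "__main__":
    for f in prioritised(SAMPLE_FINDINGS):
        print(f"{severity(f):8} score={risk_score(f)} expected_loss={expected_loss(f):>9} {f.title}")
    print(summary(SAMPLE_FINDINGS))
```

Sorting by the matrix score first and expected loss second keeps an easy, high-impact issue at the top even when its estimated loss is smaller than a harder one's, which matches how a report's remediation list is normally read: fix what an attacker would reach first.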