Often in discussions with customers and potential customers, questions arise about our penetration testing services, as well as penetration testing in general. In this post, we want to walk through Mandiant's take on the five W's of penetration testing, in hopes of helping those of you who many have some of these same questions. For clarity, we are going to walk through these W's in a non-traditional order.
First and foremost, it's important to be upfront with yourself with why you are having a penetration test performed (or at least considering one). If your organization's primary motivation is compliance and needing to "check the box," then be on the lookout for your people attempting to subtly (or not so subtly) hinder the test in order to earn an "easy pass" by minimizing the number of findings (and therefore the amount of potential remediation work required). Individuals could attempt to hinder a penetration test by placing undue restrictions on the scope of systems assessed, the types of tools that can be used, or the timing of the test.
Even if compliance is a motivating factor, we hope you're able to take advantage of the opportunity penetration testing provides to determine where vulnerabilities lie and make your systems more secure. That is the real value that penetration testing can provide.
Finally, if you are getting a penetration test to comply with requirements imposed on your organization, that will often drive some of the answers to later questions about the type and scope of the test. Keep in mind that standards only dictate minimum requirements, however, so you should also consider additional penetration testing activities beyond the "bare minimum."
There are really two "who" questions to consider, but for now we will just deal with the first: Who are the attackers that concern you? Are they:
- Random individuals on the Internet?
- Specific threat actors, such as state-sponsored attackers, organized criminals, or hacktivist groups?
- An individual or malware that is behind the firewall and on your internal corporate network?
- Your own employees ("insider threats")?
- Your customers (or attackers who may compromise customers' systems/accounts)?
- Your vendors, service providers, and other business partners (or attackers who may have compromised their systems)?
The answer to this will help drive the type of testing to be performed and the types of test user accounts (if any) to provision. The next section will describe some possible penetration test types, but it's helpful to also discuss the types of attackers you would like the penetration test to simulate.
What type of penetration test do you want performed? For organizations new to penetration testing, we recommend starting with an external network penetration test, which will assess your Internet-accessible systems in the same way that an attacker anywhere in the world could access them. Beyond that, there are several options:
- Internal network penetration test - A penetration test of your internal corporate network. Typically we start these types of assessments with only a network connection on the corporate networks, but a common variant is what we call an "Insider Threat Assessment," where we start with one of your standard workstations and a standard user account.
- Web application security assessment - A review of custom web application code for security vulnerabilities such as access control issues, SQL injection, cross-site scripting (XSS) and others. These are best done in a test or development environment to minimize impact to the production environment.
- Social engineering - Using deceptive email, phone calls, and/or physical entry to gain access to systems.
- Wireless penetration test - A detailed security assessment of wireless network(s) at one or more of your locations. This typically includes a survey of the location looking for unauthorized ("rogue") wireless access points that have been connected to the corporate network and are often insecurely configured.
If budgets were not an issue, you would want to do all of the above, but in reality you will need to prioritize your efforts on what makes sense for your organization. Keep in mind that the best approach may change over time as your organization matures.
In what physical location should the test take place? Many types of penetration testing can be done remotely, but some require the testers to visit your facility. Physical social engineering engagements and wireless assessments clearly need to be performed at one (or more) of your locations.
Some internal penetration tests can be done remotely via a VPN connection, but we recommend conducting them at your location whenever possible. If your internal network has segmentation in place (as we recommend), then you should work with your penetration testing organization to determine the best physical location for the test to be performed. Generally, you'll want to do the internal penetration test from a network segment that has broad access to other portions of the internal network in order to get the best coverage from the test.
Another "Where" to consider for remote testing is where the testers are physically located. When testers are in a different country than you, legal issues can arise with data provisioning and accessibility. Differences in language, culture, and time zones could also make coordination and interpretation of results more difficult.
We recommend that most organizations get some sort of security assessment on an annual basis, but that security assessment does not necessarily need to be a penetration test (see Penetration Testing Has Come Of Age - How to Take Your Security Program to the Next Level). Larger organizations may have multiple assessments per year, each focused in a different area.
Within the year, the timing of the penetration test is usually pretty flexible. You will want to make sure that the right people from your organization are available to initiate and manage the test - and to receive results and begin implementing changes. Based on your organization's change control procedures, you may need to work around system freezes or other activities. Testing in December can be difficult due to holidays and vacation, along with year-end closeout activities, especially for organizations in retail, e-commerce, and payment processing.
If you have significant upgrades planned for the systems that will be tested, it is typically best to schedule the test for a month or two after the upgrades are due to be finished. This will allow some time for the inevitable delays in deploying the upgrades as well give the upgraded systems (and their administrators) a bit of time to "settle in" and get fully configured before being tested.
Who (part 2)
The other "who" question to consider is who will perform the penetration test? We recommend considering the following when selecting a penetration testing provider:
- What are the qualifications of the organization and the individuals who will be performing the test? What differentiates them from other providers?
- To what degree does their testing rely on automated vulnerability scanners vs. hands on manual testing?
- How well do they understand the threat actors that are relevant to your environment? How well are they able to emulate real world attacks?
- What deliverables will you receive from the test? Are they primarily the output of an automated tool? Ask for samples.
- Are they unbiased? Do they use penetration tests as a means to sell or resell other products and services?
No doubt, there are other questions that you will want to consider when scoping a penetration test, but we hope that these will help you get started. If you'd like to read more about Mandiant's penetration testing (and other) services, you can do so here. Of course, also feel free to contact us if you'd like to talk about your situation and how Mandiant can best assess your organization's security.