There are several different methods for penetration testing. At the very least, there should be three phases: pre-test, test, and post-test. However, the seven-step method breaks the process down into easier-to-manage pieces. In this article, we will discuss the seven-step method and how it can help you discover more about your company's IT set-up.
Seven Phases of Penetration Testing
When it comes to penetration tests, there are several approaches. The seven-step method [2] breaks the process up into smaller pieces that are easier to manage. Those steps are:
- Pre-Engagement Interactions
- Intelligence Gathering
- Threat Modeling
- Vulnerability Analysis
- Exploitation
- Post-Exploitation
- Reporting
Pre-Engagement Interactions
Pre-engagement interaction, also known as scoping, is one of the most often overlooked steps in the pentesting process. During this phase, the pentest company will discuss several things with their client, including the logistics of the test, its legal implications, and the expectations, objectives, and goals of the testing.
The penetration testing company will work with yours to help you fully understand the risks associated with pentesting, to take your organizational culture into account, and to settle on the best strategy for your company. You have several options: a black-box, gray-box, or white-box [3] penetration test. This is also where planning occurs and your goals are aligned with the expected outcomes of the testing process.
Intelligence Gathering
This step, also known as reconnaissance, is a critical part of the penetration testing process. This is where the pentester gathers all of the intelligence they can on your company as well as on any potential targets.
The amount of information the pentester has about your organization will depend upon the type of test you agree on. They may also need to identify vital information on their own to discover any vulnerabilities and/or entry points in your system.
Some of the common ways they will gather this intelligence are:
- Social engineering
- Search engine queries
- Internet footprint
- Domain name searches
- Internal footprint
- Tailgating
- Tax records
- Dumpster diving
The pentester will have an exhaustive checklist to complete in order to discover your vulnerabilities and entry points.
Threat Modeling and Vulnerability Analysis
Threat modeling and vulnerability analysis are often combined in the penetration testing process. This is where the pentester identifies potential targets and maps attack vectors. The information gathered during the intelligence gathering stage is the basis for these steps.
Some of the most common areas that will be identified and mapped include:
- Employee data
- Business assets
- Technical data
- Customer data
- Internal & external threats
Often, the pentester will run a vulnerability scanner to complete the discovery and inventory of security risks posed by these vulnerabilities. They will then determine whether an attacker would be able to exploit each vulnerability. The pentester will share the list of vulnerabilities with you during the reporting phase at the end of the process.
Exploitation
Now that the map of potential entry points and vulnerabilities has been established, the pentester will begin testing. The goal is for them to see how far they can get into your system, avoid being detected, and identify any high-value targets.
If you determined a scope during the pre-engagement interactions phase, the pentester will go only as far as those boundaries allow. For example, you might wish to have them leave cloud services untested or avoid simulating a zero-day attack.
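Scope boundaries like the ones agreed during pre-engagement are easiest to honour when they are written down as data and checked before every action. The following Python is an added example, not code from the article or any of its sources; the Scope structure, the RFC 5737/RFC 2606 documentation ranges and names used as sample data, and the excluded tactics are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    networks: list            # in-scope IP ranges, CIDR notation
    domains: list             # in-scope domains; subdomains are included by suffix match
    excluded_networks: list = field(default_factory=list)
    excluded_domains: list = field(default_factory=list)
    excluded_techniques: set = field(default_factory=set)

def _host_in_domains(host, domains):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d)
               for d in (x.lower().rstrip(".") for x in domains))

def _ip_in_networks(ip, networks):
    # `in` is False for a mismatched address family, so an IPv6 address never matches an IPv4 range
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)

def target_allowed(scope, target):
    """Return (allowed, reason). Exclusions take precedence; anything unlisted is denied."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None  # not an IP literal, so treat it as a hostname
    if ip is not None:
        if _ip_in_networks(ip, scope.excluded_networks):
            return False, f"{target}: inside an excluded network"
        if _ip_in_networks(ip, scope.networks):
            return True, f"{target}: inside an in-scope network"
        return False, f"{target}: not in any in-scope network"
    if _host_in_domains(target, scope.excluded_domains):
        return False, f"{target}: under an excluded domain"
    if _host_in_domains(target, scope.domains):
        return True, f"{target}: under an in-scope domain"
    return False, f"{target}: not under any in-scope domain"

def technique_allowed(scope, technique):
    """Check an exploitation tactic against the exclusions agreed in scoping."""
    return technique.strip().lower() not in {t.lower() for t in scope.excluded_techniques}

# Constructed sample scope (assumption): RFC 5737 / RFC 2606 documentation ranges and names.
SAMPLE_SCOPE = Scope(
    networks=["192.0.2.0/24"],
    domains=["example.test"],
    excluded_networks=["192.0.2.128/25"],     # e.g. a production segment kept out of scope
    excluded_domains=["cloud.example.test"],   # the article's "do not test cloud services" case
    excluded_techniques={"zero-day", "denial-of-service"},
)
```

Running every candidate target and tactic through these checks before touching it gives both sides an auditable record that the agreed boundaries were respected.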
Some of the most common tactics used in this stage are:
- Memory-based attacks
- Network attacks
- Social engineering
- Zero-day angle
- Web application attacks
- Physical attacks
- Wi-Fi attacks
Additionally, they will review and document how they were able to exploit the vulnerabilities, along with the tactics typically used to gain access to high-value targets. Finally, during this stage, the pentester will clarify the results of exploiting those high-value targets.
Post-Exploitation
Once the exploitation stage of the penetration test is completed, the methods used to gain access to your IT environment are documented. The pentesters should be able to ascertain the value of the compromised systems and the value of the data that was captured.
In some cases, the pentester will not be able to quantify the impact of the exploitation of data or provide you with recommendations on how to fix the vulnerabilities. Request a sanitized penetration test report outlining recommendations for repairing the security breaches and vulnerabilities found.
Once the recommendations are made, the pentester should clean things up by doing the following:
- Removing executables, temporary files, and scripts from compromised systems
- Eliminating any rootkits installed on the system during the test
- Reconfiguring settings back to original parameters
- Removing user accounts created to get into the system
Reporting
This is the final stage of penetration testing and is often thought of as the most critical because it's where the penetration testing company will provide you with their written recommendations. You will be able to sit down with your pentester and discuss their findings.
These findings will help you understand where and how to improve your security. The report should define how entry points were discovered, as well as how to remediate those issues.
Conclusion
Penetration testing is one of the best ways to discover security issues within your system and figure out how to fix them. It is said that a penetration test should have at least three phases, but it can be broken down further into the seven stages outlined here.
Footnotes:
[1] https://www.imperva.com/learn/application-security/penetration-testing/
[2] https://upadhyayraj.medium.com/life-cycle-of-penetration-testing-4e7d36a6f74
[3] https://www.greycampus.com/blog/information-security/penetration-testing-step-by-step-guide-stages-methods-and-application