Network penetration tests involve an ethical hacker, or pen tester, examining a network and identifying vulnerabilities and gaps in security that would allow a real bad actor to breach it.
Unlike a vulnerability scan, a penetration test is exploitative in nature: it mimics the actions of someone really looking to do damage, so a company can better address its weak areas and improve its security posture.
Pen testers will use a variety of techniques commonly used by malicious hackers to breach systems, such as malware, phishing and advanced persistent threats, and record any vulnerabilities these uncover.
Network penetration testing can be performed via two main approaches: internal and external. In an external pen test, the tester will try to breach the network perimeter to identify any security weaknesses within internet-facing assets.
An internally focused test, on the other hand, examines the internal company network and could look at the potential risk of common threats like insider attacks, among others. These tests mimic a scenario where the hacker has already gained access to your internal network.
The Benefits of a Network Penetration Test
Penetration tests have numerous benefits for an organisation. Most importantly, they allow you to identify whether anything is going wrong with your security and what needs to happen to fix it.
Pen testers will be able to tell you how critical a particular vulnerability is so you can prioritise your remediation and focus your security measures where you most need them.
Unlike other security audits, penetration tests involve the actual exploitation of vulnerabilities, giving you a clear picture of what a hacker would really do and the damage that would be caused. This gives you a stronger appreciation for the importance of preventative security measures and the capabilities of threat actors.
Penetration tests can also aid in compliance with industry standards and regulations. For example, network pen tests will often shed light on vulnerabilities that would prevent you from aligning to recognised standards like Cyber Essentials and ISO 27001.
What’s the Process?
Network penetration tests are generally carried out in 5 main stages:
At this stage, your pen test provider will establish what exactly you will be testing and which methodologies will be used. The overall aims and goals of the testing will be laid out, and it will also likely be decided whether white, grey or black box testing will be performed.
- Black Box: In this form of pen testing, the pen tester has no internal knowledge of, or access to, the system. A black box pen test is designed to detect vulnerabilities that are exploitable from outside the network. The pen tester uses scanning tools and methodologies to try to breach the perimeter. This method is the least time-consuming but less exhaustive, as it does not focus on internal services.
- Grey Box: Grey box pen testers typically have some knowledge of the internal system, which may include coding. Normally these tests are performed with credentialed access, so the pen tester will be able to access what a standard user would. Grey box testing allows for a more focused pen test, with more time spent on areas with the greatest known risk, so reporting is often more valuable.
- White Box: The most comprehensive form of pen testing, white box approaches usually allow the pen tester access to source code, design documentation, architecture etc. Since there is a lot of data available to the pen tester, these tests are the most time-consuming. White box testing looks at internal and external vulnerabilities and is likely to identify many more than black or grey box tests.
RECONNAISSANCE & DISCOVERY
During this stage, pen testers gather intelligence and begin using tools like port scanners to identify ways of getting into the network. Pen testers will then look for potential vulnerabilities to exploit on the basis of the information collected.
This is where the bulk of the testing will happen. Based on the vulnerabilities uncovered during the Discovery phase, the testers will attempt to exploit them using various methods to see if any may successfully grant them access to the network. Techniques may include social engineering, brute force attacks, web application attacks and SQL injections. The pen testers want to see the extent of the damage they could potentially cause, to know just what impact a real attack would have on your business.
Throughout this stage, the testers will keep a record of the results of these exploits so they can show you which vulnerabilities pose the greatest risk to your business.
REPORTING & ANALYSIS
The final stage of the process involves analysing the results of the pen test to see which vulnerabilities are most critical and which were successfully exploited to allow access to your network.
A good report will provide both a technical and a business summary that includes details about the risks uncovered and the impact if an attack was successful.
You should then be given remedial recommendations so you know exactly what must be done to address the vulnerabilities identified during the pen test. This might involve improving policies and training, applying certain security patches or upgrading old devices that are no longer supported.