A penetration test identifies vulnerabilities by simulating an attack by hackers. Tools, types of pentests, scope, visibility, here’s everything you need to know.
It’s hard to talk about cybersecurity without addressing penetration testing. It’s one of the most widely used vulnerability detection techniques by companies.
What is a penetration test ?
Penetration testing is a technique that aims to simulate an attack to test the security of a digital asset – applications, websites, IoT, complete information systems, etc. In other words, with a pentest, an organization calls on pentesters or ethical hackers (white hats) to put themselves in the shoes of malicious hackers (black hats) in order to test the security of its assets. Like bug bounty, this is an active approach to digital security.
Pentest and security audit, two different methods
Pentesting should not be confused with security auditing, even though it is commonly accepted that a pentest is itself a form of audit. The security audit is a diagnosis, where the pentest is a simulation.
An audit identifies the strengths and weaknesses of an IT system. It is a systematic study of the Information System security level through tests, exchanges with internal teams and analysis of technical documentations. It can highlight flaws and malfunctions, but it does not seek to exploit them to prove their dangerousness.
However, with a penetration test, pentesters act like malicious hackers to identify exploitable vulnerabilities, those that constitute very real threats. The objective is to sort the vulnerabilities by criticality, in order to prioritize corrective actions.
Defining a scope, a first step in the pentest
One of the first steps of a pentest is to precisely define its scope, its perimeter. It sets a framework for pentesting, by delimiting which areas of the target can or cannot be tested. The company can thus exclude all or part of certain assets that could be considered too sensitive, or of which it already knows the fragility of the perimeters. The scope can also exclude vulnerabilities from the pentest, for example by prohibiting DDoS or brute force attacks.
It’s also at this stage of the pentest process that a legal framework must be established. A contract must be signed between the company that wants the pentest and the ones who will carry it out. Said contract generally includes Non-Disclosure Agreements (NDA) to ensure data’s confidentiality.
Black, Grey and White Box: 3 visibility conditions for a penetration test
Once the scope has been clearly established, it is necessary to set a visibility for the pentest kick-off. It can be launched with more or less opacity. Pentesters may have more or less information about their target, as well as different access rights. There are typically three approaches:
- Black Box pentesting
- White Box pentesting
- Grey Box pentesting
Black Box pentest
The pentester is in a real situation. He/she does not have any specific information on the organization and the targeted ecosystems. This test simulates the attack of a hacker outside of the company, who would have no element on which to base his offensive. The reconnaissance and information gathering phase can be laborious.
White Box pentest
The exact opposite of the Black Box approach. The pentester works hand in hand with the company’s IT department, and he has access to a lot of informations about his target – source code, authentication credentials, etc. This approach is similar in many ways to a traditional security audit, but it allows testing the deepest levels of security of an ecosystem.
Grey Box pentest
A technique halfway between the two previous ones. The pentester does not start from scratch and begins its intrusion with a few elements available. For example, he can have access to a username and password to simulate an attack coming from the inside – an employee, a service provider from its supply chain, etc.
The Red Team, a strategy not to be confused with pentest
The Red Team concept is sometimes presented as an approach to pentesting. Although similar in many ways, these are two quite distinct things.
A Red Team is a team responsible for breaking through the defenses of a company or a digital asset, with no perimeter limit and over a much longer period of time than a pentest – often several months. Just like with a pentest, a Red Team simulates an offensive of malicious hackers trying to exploit vulnerabilities. Yet, even though they use common tools, red teamers have a much larger TTP arsenal than pentesters (Tactics, Techniques & Procedures). Unlike a pentest, a Red Team strategy can:
- attack physical infrastructures, such as the web server used by the company;
- use physical intrusion, e.g. by breaking into a company offices or stealing its equipments;
- use social engineering methods, e.g. by manipulating employees, service providers or suppliers.
In this, the Red Team strategy has similarities with pentesting but also with bug bounty – especially with regard to the duration of the search.
What tools are used to perform a penetration test ?
Pentesters use softwares and environments specific to their profession. Pentest tools are numerous and varied, reflecting their needs. The purpose of these few lines is not to list all the tools that can be used during a penetration test, but simply to give an overview:
- Kali Linux: a GNU/Linux distribution based on Debian which natively offers various security testing tools;
- Burp Suite: a well-known professional vulnerability scanner for hackers. There are competitors like Nessus, or free ones like OpenVas, Zed Attack Proxy (ZAP) and Nikto;
- Maltego: a software that collects information about a person or an organization, very useful for social engineering;
- aircrack-ng: a tool for cracking WiFi networks;
- Nmap (Network Mapper): an open-source port scanner;
- sqlmap: an open-source SQL injection tool.
Who conducts a penetration test ?
Penetration tests are conducted by cybersecurity experts. They are mostly self-taught or come from an engineering or IT background. They can work for a security consulting firm, or on their own as pentesters or bug hunters.
It is too often accepted that calling a penetration testing company is the best solution, if not the only one. Yet, this is just the most traditional form of pentesting.
The 3 Types of penetration testing
- Internal pentest: the company decides not to call on any third party and conducts an internal pentest. This model is quite rare as it requires significant in-house expertise and human resources, which is often not the case for small and medium-sized organizations.
- Traditional pentest: the company goes for an IT security consulting firm. Both parties sign a contract, then the provider conducts a pentest over a chosen period – often a week or two. At the end of the test, the company receives a report which lists the conclusions of the pentest, the identified vulnerabilities and a remediation plan – sometimes charged extra.
- Penetration Testing as a Service (PtaaS), or crowdsourced pentest: the company calls on ethical hackers with a variety of skills, such as the Yogosha Strike Force. This approach is faster and more flexible than a traditional pentest.
Penetration Testing as a Service, a more modern approach to pentesting
Pentest as a Service is a new form of pentesting that has many advantages over its traditional counterpart:
- A much faster launch of the program: less than a week for a crowdsourced pentest against 3 to 6 weeks for a classic one;
- Permanent communication with security researchers throughout the program, where a classic pentest allows exchanges with the project manager but not necessarily with the pentesters;
- A diversity of skills. If digital threats are legion, so are the talents of ethical hackers. Each profile has its own specificities, and collaborative pentests therefore make it possible to multiply skills where traditional pentests rely on smaller and less eclectic teams;
- More agile control of the program and the budget allocated to the pentest.
This is just a quick overview of the benefits of Penetration Testing as a Service. If you want to read more about it: