No matter what business you’re in, one of the most important (and worrisome) aspects from a technology standpoint is keeping your data secure. Not to mention that of your customers. But the unfortunate reality is that hackers are working day and night to break into systems and gain access to valuable financial, health, or intellectual property-related data. The question is, how do you figure out where (and how) they might get into your systems, so you can set up barricades ahead of any cyber attack?
About 50 percent of small businesses will be the victim of some kind of cyber attack at some point, and of those, upwards of 60 percent will actually go out of business within six months. Never mind the fact that medium and large businesses are on hackers’ radars as a potential treasure trove of valuable private data. One needn’t look any further than recent high-profile hacks such as the ones on Equifax, Yahoo, and the National Security Agency (NSA).
The good news is, many businesses large and small are now turning to external penetration testing as a means to prevent these kinds of system and data breaches. With external network penetration testing, you’re basically working with an experienced cybersecurity partner, who will act as a potential hacker, to have them “break in” to your systems to determine where your biggest vulnerabilities are.
But what is external penetration testing in detail, and how exactly does it work? Here, we’ll break down external vs. internal penetration testing, the basic aspects to an external penetration test, and how you can use external penetration tests to ensure that your system is secured against outside users and hackers.
External vs. Internal Penetration Testing
Before diving into how external infrastructure penetration testing works, it’s important to understand how it compares to internal penetration testing. External penetration (pen) testing is the more common approach of the two and is designed to address the ability of a remote attacker to gain access to your internal network. The goal of an external pen test is to access specific servers and the “crown jewels” of your data by trying to exploit servers, clients, and even people. This could be exploiting a vulnerable web application, or even tricking one of your employees into divulging their password via a phishing email.
Internal pen testing, on the other hand, simulates what an attacker might do once they’re already inside your system. The target of an internal pen test is typically the same as an external one, but the key difference is that the “attacker” already has some sort of authorized system access or is starting from a point of access within the system. While external pen tests seek to pinpoint ways into your system, internal pen tests aim to assess how much damage can be caused once inside the system. While internal pen testing can (and should) be a part of your cybersecurity solutions, external pen testing seeks to keep attackers out in the first place.
With that being said, below are the specific steps, phases, and aspects you can expect from an external pen test.
1. Contract Agreement
Before commencing with an external pen test, you’ll want to explore the right vendors and/or partners that you’ll allow access into your system. In the agreement phase, you’ll work with your partner to cement high-level details of what will occur, what methods will be used, and the level of exploitation that will be permitted. The “attacker,” for instance, should agree not to bring down critical infrastructure (even during non-peak hours). While this would be a true simulation of an attack, it would simply interfere with normal business activities.
The agreement phase should also cover what types of data can be viewed and/or changed during the simulated attack. There should also be a non-disclosure agreement (NDA) signed so that any confidential or sensitive data that is viewed during the pen test is legally protected. Most (if not all) experienced pen testing partners have standard agreements, contracts, and NDAs that will ensure that your data stays confidential and that none of your systems are actually affected during the simulated attack. Nevertheless, it’s still important to not overlook the agreement phase, and make sure all the I’s are dotted and T’s are crossed.
2. Planning & Reconnaissance
In this second phase, the simulated attacker’s goal is to gather as much information about the target as possible. This normally includes (but is not limited to) IP addresses, web domain details, email servers, and network architecture. This is actually where most experienced real-world hackers spend most of their time, effectively “measuring twice and cutting once” to ensure the actual attack is as swift and precise as possible.
During this phase, you and your partner will define the specific scope and goals of the test. Which systems will be tested? What methods will be used to try and break in? The more time you invest with your pen testing partner in this phase, the more actionable the results and outcomes you’ll receive at the end of the test. During the planning phase, your partner may also identify critical information available within the public domain that you may (or may not) have known to exist. Things like tax records, social media activity, and even physical “dumpster diving” are all fair game, and will help shore up both your physical and digital security footprints.
3. Target Scanning
This is the phase where your system will begin to see some activity. The attacker will begin interacting with your targeted systems to identify vulnerabilities that can be exploited to enter the system. They’ll also send probes into the target, and record system responses to various inputs. This will help the attacker see how your defenses might respond to various inputs once the actual attack commences. This normally includes the use of various network scanning tools, identification of open/shared drives, services currently running on your network, and open File Transfer Protocol (FTP) services.
In the event that the target is a web application, the attacker’s scanning may be either static or dynamic. In static analysis, the application code is usually reviewed by an expert application vulnerability analyst that your partner employs. The goal is to identify vulnerable functions and logic within any web applications that operate on your system. In dynamic analysis, the pen tester will pass various inputs into the web application and record responses. The attacker will be scanning for vulnerabilities such as cross-site scripting and remote code execution, and try to determine how these might be exploited.
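The scanning phase described above leaves a footprint in your own logs, and a useful check from the defender’s side is whether your monitoring would notice it. The following is an added example, not code from the article or from RSI Security: a small Python detector that reads firewall connection records and flags a source address that touches many distinct destination ports on one host inside a short time window. The log format (`<ISO timestamp> <src> -> <dst>:<port> <action>`), the window and threshold values, and the sample lines are all constructed for the example; adapt the regular expression to whatever your firewall actually emits.

```python
"""Flag port-scan style probing in firewall connection logs (added example).

Assumed record format (not a real vendor format):
    <ISO-8601 timestamp> <src_ip> -> <dst_ip>:<dst_port> <ALLOW|DENY>
Records are expected in time order, as a log file normally is.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<action>\w+)$"
)

# Constructed sample: one fast probe of 12 ports from 203.0.113.5, some
# normal HTTPS traffic, one slow host touching 3 ports over several minutes,
# and one malformed line to show that parsing failures are skipped.
SAMPLE_LOG = [
    "2024-01-01T10:00:00 198.51.100.7 -> 192.0.2.10:443 ALLOW",
    "2024-01-01T10:00:00 203.0.113.5 -> 192.0.2.10:21 DENY",
    "2024-01-01T10:00:01 203.0.113.5 -> 192.0.2.10:22 ALLOW",
    "2024-01-01T10:00:02 203.0.113.5 -> 192.0.2.10:23 DENY",
    "2024-01-01T10:00:03 203.0.113.5 -> 192.0.2.10:25 DENY",
    "2024-01-01T10:00:04 203.0.113.5 -> 192.0.2.10:80 ALLOW",
    "2024-01-01T10:00:05 203.0.113.5 -> 192.0.2.10:110 DENY",
    "2024-01-01T10:00:06 203.0.113.5 -> 192.0.2.10:143 DENY",
    "2024-01-01T10:00:07 203.0.113.5 -> 192.0.2.10:443 ALLOW",
    "2024-01-01T10:00:08 203.0.113.5 -> 192.0.2.10:445 DENY",
    "2024-01-01T10:00:09 203.0.113.5 -> 192.0.2.10:3389 DENY",
    "2024-01-01T10:00:10 203.0.113.5 -> 192.0.2.10:8080 DENY",
    "2024-01-01T10:00:11 203.0.113.5 -> 192.0.2.10:8443 DENY",
    "2024-01-01T10:00:12 198.51.100.7 -> 192.0.2.10:443 ALLOW",
    "2024-01-01T10:02:00 192.0.2.44 -> 192.0.2.10:22 ALLOW",
    "2024-01-01T10:04:00 192.0.2.44 -> 192.0.2.10:80 ALLOW",
    "2024-01-01T10:06:00 192.0.2.44 -> 192.0.2.10:443 ALLOW",
    "this line is not in the expected format",
]


def parse_line(line):
    """Parse one record into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "action": m["action"],
    }


def detect_scans(lines, window_seconds=60, port_threshold=10):
    """Return alerts as (src, dst, distinct_ports, first_ts, last_ts) tuples.

    For every (src, dst) pair a sliding window of recent events is kept; one
    alert is raised the first time the number of distinct destination ports
    inside the window reaches port_threshold. Both ALLOW and DENY records
    count, since a denied probe still reveals the scanning behaviour.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(list)  # (src, dst) -> [(ts, port), ...] within window
    alerted = set()
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue  # malformed record: skip rather than abort the whole run
        key = (ev["src"], ev["dst"])
        cutoff = ev["ts"] - window
        bucket = [e for e in recent[key] if e[0] >= cutoff]
        bucket.append((ev["ts"], ev["port"]))
        recent[key] = bucket
        distinct_ports = {port for _, port in bucket}
        if len(distinct_ports) >= port_threshold and key not in alerted:
            alerted.add(key)
            alerts.append((ev["src"], ev["dst"], len(distinct_ports),
                           bucket[0][0], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for src, dst, n, first, last in detect_scans(SAMPLE_LOG):
        print(f"possible scan: {src} -> {dst}, {n} ports between {first} and {last}")
```

Run as a script it reports the fast prober and stays silent about the repeated HTTPS client and the slow host, which never has more than one port inside any 60-second window. The threshold and window are the knobs worth tuning against a week of your real logs before relying on the rule: too low and ordinary multi-port services (monitoring, backup agents) will trip it, too high and a slow, deliberate scan of the kind an experienced tester runs will slip under it.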
4. Gaining Access
Once the vulnerabilities have been scanned for and identified, the next step is to exploit those vulnerabilities in order to gain access into the target. Depending on how you’ve mapped out the pen test with your partner, the target could be a system, firewall, secured zone, or cloud/on-premise server. Also be aware that just because a potential vulnerability exists doesn’t mean that it’s easily exploitable by a hacker. During the access phase of the pen test, it’s important to prioritize vulnerabilities and focus on exploiting those that are weakest or most critical to your target.
Most of the common vulnerabilities that are spotted during this phase are related to network configuration. Many of the default protocols organizations use to communicate over their network actually allow malicious actors to capture information as it travels through the network. This leaves your organization vulnerable to a data breach. Another typical vulnerability stems from device and service configurations. For example, leaving the default configuration on a copy machine might seem insignificant, but it gives attackers the ability to access documents scanned by the printer (and other network information) that are stored on the device itself.
5. Maintaining Access
Similar to breaking in through the window of a house, getting in is just half the battle. Criminals need to go undetected long enough to carry out whatever malicious activity they intend, whether it be the theft of your customers’ banking information or the installation of viruses and malware. The goal of hackers (and your pen test attackers) will be to ensure persistent access to your systems, even if they’re rebooted, reset, or modified. Attackers will always anticipate a response once their presence is detected, and already have a backup plan to mitigate or avoid your efforts to give them the boot.
It’s this maintaining persistent access phase where planning and reconnaissance (phase two) typically pays dividends for attackers. They’ve simulated what it’s like to “live” in your systems, gained a plethora of knowledge over time, and know how to navigate around the system either undetected or unaffected by your safeguards. This phase is critical for attackers because they will be constantly monitoring your system environment from the inside to determine when is the right time to strike. Your pen testing partner will help you determine how long hackers can maintain access to your systems, and help you develop strategies and tactics that will detect and remediate them prior to exploitation.
6. Exploitation
If the pen test attacker has been able to successfully gain (and maintain) access to the target, they’ve successfully mapped out all of the entry points and vulnerabilities into the “vault” that contains whatever valuable data they’re after. In this stage, the goal of your pen test partner will be to see exactly how close they can get to your high-value data/targets while avoiding any and all detection. This is when the agreement phase kicks in, as the pen tester will only go so far as to what has initially been determined in the scope of the project. This will ensure that none of your sensitive data is exposed during the pen test, while still effectively identifying vulnerabilities.
Some of the typical external pen testing exploits include:
- Web Application Attacks
- Network Attacks
- Memory-Based Attacks
- Wi-Fi Attacks
- Zero-Day Angle
- Physical Attacks
- Social Engineering
Your pen testing partner will also review and document which vulnerabilities they’ve exploited (and how), as well as detail the techniques and tactics they used to gain access to your most high-value targets. The point of the exploitation phase is to gain a clear, in-depth understanding of how the most sophisticated of hackers might seek to operate within your systems.
7. Forensic Reporting
After the attacker has successfully exploited your security vulnerabilities, your pen testing partner will conduct a forensic analysis and review reports to help you take the appropriate action steps. You’ll collect evidence and review what took place with executive management to come up with a game plan on how these risks should be addressed. Moreover, the penetration tester will sanitize and “clean up” the environment, restoring everything to how it was prior to the test.
Reporting is regarded by many as the most important aspect of a pen test, as it will provide you with the most actionable insights. You’ll obtain written recommendations from your pen test partner, and review the findings with the ethical hackers themselves. Effective pen test reports should show you exactly how entry points were discovered and security vulnerabilities exploited, as well as concrete steps to prevention and remediation. Many pen testing partners will also assign you one of the following risk categories upon conclusion: Low, Moderate, Elevated, High, or Extreme.
The basic concept of external penetration testing is a fairly simple one. You hire an outside, expert company to act as if they’re a hacker and have them try to break into your systems. External pen testing is often seen as more useful than internal pen testing, as most of the cyber threats you’ll encounter come from the outside, and not within. By understanding the basic steps and concepts of an external penetration testing assessment, from the agreement and planning to exploitation and reporting, you’ll be able to correctly identify (and fix) the weakest links in your cyber defense chain. The most important thing to remember when conducting a pen test assessment with your partner is to be crystal clear in prioritizing which targets are most critical to you and/or your customers, so that you’ll both be laser-focused on getting the best results and reports at the end of the day. For more information on our cybersecurity solutions and our penetration testing tools, contact RSI Security today.