As technology advances hackers employ increasingly complex schemes to penetrate organizations’ cyber defenses and wreak havoc on the system. To prepare for this evolving threat you have to get into the mind of the hacker—you have to think like they do. And the best way to do this is by performing an internal penetration (pen) test.
But what’s the process that goes into an internal network penetration test? Let’s discuss.
What is Internal Network Penetration Testing?
Internal network pen testing simulates an attack on your organization based on the premise that the hacker already has access to your internal network. From there, the test aims to document and analyze exactly what the attacker can do once inside.
All pen testing takes one of two forms:
- Black hat – The pen tester is not provided information and starts from scratch, just like an outside hacker with little or no access to company data.
- White hat – The organization discloses some information to the pen tester. So the attacker starts with an advantage.
All internal pen testing is white hat by definition, since it begins within the organization. As such, it provides a predictive preview of the later stages of attacks launched by:
- Bad actors who gain access via compromised security
- Current personnel, clients, or other associates
- Former associates with lingering access
Since the hacker has already gained access to the system the purpose of the internal pen test is to determine how he or she might cause harm once there. The pen test determines what assets are at risk and how they might be targeted. This allows you to bolster your inner defenses before an actual hacker can take advantage.
Knowing what an attacker may do enables you to formulate a plan to thwart them.
Penetration Testing: Offense Informs Defense
For pen testing to be effective, you have to willingly let your guard down. The more realistically you can simulate an attack and expose valuable assets, the more effectively you can safeguard against one. An internal penetration test can teach you:
- What vulnerabilities exist for hackers to exploit
- Which of your security measures are working and which aren’t
- How quickly can bad actors access your valuable information
For an internal pen test to be effective all security measures must be relaxed. Although it might seem counterintuitive the more damage your simulated hacker is able to do, the more room you’ll have to improve. In one recent study on internal penetration tests hackers were able to gain complete control of infrastructure in 100 percent of simulations—in just four steps, on average.
So, even though the results of a pen test can be alarming, they are illuminating.
External vs. Internal Penetration Testing
The biggest differences between an external and internal pentest come down to premise and purpose. While they are similar, internal and external pen tests happen at different stages and use different breaching methods. Each one has its own implications as to the strengths and weaknesses of your cyberdefense:
- External pen testing – Whether black or white hat, the simulation begins with a hacker on the outside of the organization seeking access to internal networks and systems. The main purpose is to see how easy it is to break in. The most important elements it gauges include:
- Early stage activities of the attacker
- Vulnerabilities on the perimeter of your cyber defenses
- Endpoint access through compromised devices
- Access through applications
- Efficacy of targeted attacks on personnel
- Internal pen testing – Always white hat, the attacker begins from a privileged position within your organization’s networks. The primary purpose is to see what a hacker can do once inside the system. The critical elements it analyzes include:
- Late-stage activities of the attacker
- Vulnerabilities in interior security
- Interconnectedness of systems and networks
- What the hacker can gain control of, and how
- How quickly and easily the hacker can gain control
In the simplest terms possible, external pen testing is more about preventing attacks from happening. On the other hand, internal pen testing is more about damage control once an attack has happened. Each has its benefits, but they work best in concert with each other.
Let’s review how an internal pen test process plays out.
How Internal Penetration Testing Works
A pen test is practically identical to an actual attack. A hacker penetrates the systems and attempts to either take control of as many assets as possible or reach a specific target. The higher the fidelity—the more closely it mirrors the methods of a genuine malicious hack—the deeper the insights it can provide. Therefore, the hacking needs to be as realistic as possible to be effective.
Ethical hacking is still hacking, so it’s important to establish rules and expectations before you begin.
The National Institute of Standards and Technology (NIST) specifies recommended procedures for all pen testing in special publication SP 800-115: Technical Guide to Information Security Testing and Assessment. Per NIST, pen testing should consist of four stages:
The second and third stages feed into each other as a continuous feedback loop. Discovery enables attacking, which leads to further discovery, which then facilitates and diversifies further attacks. That said, these steps are flexible, functioning more as guidelines than rules. This pertains to all pen testing (not just internal).
So what do they look like in practice?
Stage 1: Planning
This first stage is where all legal and regulatory expectations are set. In the initial phase, the organization and contracted hacker negotiate rules and parameters, including:
- Purpose(s) of the test
- Duration and overall scope of attack
- Practices or information that are off-limits (if any)
- Specifications required for reporting
- What protections are in place for the aftermath of the attack
For internal pen tests, this is where the exact specifications of baseline information and starting positions are established. The organization may provide the hacker with a general sense of what kinds of vulnerabilities they’re most interested in analyzing. Also, the hacker may indicate a particular plan of attack.
Or both parties may prefer to disclose less up-front information to maximize potential discovery.
Stage 2: Discovery
This stage focuses on analyzing your defenses. The attacker will use provided information to exploit discovered weaknesses. Actionable information includes:
- IP addresses
- Locations of ports and end-points
- Names of systems and entities
- Application and network data
Once information is compiled, the attacker will analyze it to understand active and potential vulnerabilities. To that end, they will also leverage resources like the National Vulnerability Database (NVD) and utilize proprietary tools to aid their efforts.
With external tests, this stage is more robust, seeing as the hacker is attempting to compile as much information as possible. With internal testing, the hacker begins with a base of information. However, the hacker may still perform additional discovery to fill in any gaps or uncover additional vulnerabilities that go above and beyond that which was originally provided.
Once the hacker understands the lay of the land, it’s time to start the attack itself.
Stage 3: Attack
This stage is the main focus and point of a pen test. The hacker launches the actual attack on your systems, then attempts to get in and seize control. All the while they’re documenting the entire process from step to step.
With an external pen test this stage is all about getting into your systems. To do so, the hacker will systematically move through the list of vulnerabilities generated in the discovery phase. This is a process of trial and error, and the hacker will log the efficacy of each exploit attempted:
- Upon failure, a new exploit will be tried
- Upon success, the hacker may immediately move forward (inward) to other layers
- Or, the hacker may attempt other exploits even after a successful attempt
With an internal pen test this stage is about getting complete control of all systems, or hitting another predetermined goal, as quickly as possible. The hacker will move through the list of internal security vulnerabilities in a similar trial-and-error manner. Depending on the specifications negotiated, analysis may be focused on factors like:
- The efficiency of a given path to complete control
- Number of possible paths to control
- The relative difficulty of infiltration
In any kind of pen testing, an additional step hacker may take is to install backdoor measures to facilitate future attacks.
The major payoff for the attack phase, and the pen test as a whole, is the reporting it generates.
Stage 4: Reporting
The reporting phase is the final wrap-up of the pen test. Depending on the terms agreed to by hacker and organization, it involves some combination of:
- Compiling findings
- Summarizing and highlighting key information
- Offering suggestions and tools for defending against uncovered vulnerabilities
The reports don’t simply show the final result, they also illustrate how the hacker behaved throughout the entire process
In the end, the report is the ultimate payoff of the test. This is where its benefits become readily apparent.
Benefits of Internal Penetration Testing
Pen testing is one of the most effective ways to protect your organization against threats posed by cybercrime. This is why the practice is growing in popularity and why some compliance standards such as PCI-DSS or HIPAA require some form of it.
However, when people hear the word penetration test, most automatically think of external penetration testing.
There’s a common assumption that external pen testing is more valuable and important than internal. That may be because external pen testing is more commonly practiced. However, internal pen testing offers unique benefits that external tests are incapable of providing.
Since internal pen testing begins from within it’s both more efficient and effective at providing insights about internal networks and system security.
Internal penetration testing can provide significant value to your organization in several ways, including:
- Understanding the scale and scope of your internal vulnerabilities
- Assessing efficacy and ROI of your current cyber-defenses
- Locating and addressing gaps in coverage
- Enabling preparation for and prevention of attacks
External pen testing produces a breadth of insight, whereas internal pen tests create a depth of insight. Ultimately, your best bet is to combine the unique insights of both internal and external pen testing to gain a better picture of the threats cybercriminals pose to your organization. For that, RSI Security is here to help.
Professional Cybersecurity You Can Trust
Internal penetration testing is one of the best ways to safeguard your organization from the threats of cybercrime. Understanding how far a hacker can get once already inside your network will help you shore up your internal security and make it harder for bad actors to gain access in the first place.
We can help with that, too.
Here at RSI Security, we offer a robust suite of security solutions for organizations of all sizes, including comprehensive penetration testing services encompassing both external and internal testing. We have over 10 years of experience offering pen testing and other vital security services to countless organizations. Unlike many of our competitors, our pen testing:
- Minimizes disruption to your services
- Identifies not just vulnerabilities but root causes
- Yields actionable insights and reports
And that’s not all. Beyond pen testing RSI Security is your first and best option for all your cybersecurity needs. Whether you need help maintaining compliance or bolstering your overall cyber-defenses, we’re here to help. For all your cybersecurity needs contact RSI today!