By following the Penetration Testing Execution Standard (PTES), companies of all sizes are capable of executing an effective pen test that exposes weaknesses in their cybersecurity. By conducting penetration (pen) testing, you can determine how an attacker would go after your systems by watching an assault unfold in a controlled environment. And the only way to ensure that this kind of test delivers meaningful results is to make sure it meets an agreed standard.
What is the Penetration Testing Execution Standard?
It’s a standardized set of procedures meant to guide all pen testing. Pen testing has been around for quite some time, but there weren’t many rules and regulations guiding the work of early pen testers. Businesses didn’t know what to expect, so results varied widely.
Ethical hacking was still hacking, so foul play could run amok. There was little to no quality control.
That came to an end when, in early 2009, a group of experts in the field of cybersecurity got together to form the Penetration Testing Execution Standard (PTES). This standard is made up of rules and guidelines that help businesses know what to expect and how to evaluate pen testing, should they conduct pen tests themselves or hire external services.
This guide will walk through the guidelines, breaking down their main components. But first, let’s discuss some basic elements of what a pen test is.
What is a Penetration Test?
A pen test is a form of ethical hacking. It’s a way to understand the weaknesses in your cybersecurity by purposely exploiting them to showcase how a malicious hacker could damage your company. The higher the complexity of an attack you simulate, the more information you can gain. And the more information you gain, the more you can bolster your security.
As the saying goes: the best defense is a good offense.
In order to maximize its benefits, any offense needs to operate under specific guidelines. A controlled attack is still an attack, and testers need to be sure they meet certain safety parameters and don’t overstep boundaries when pen testing. For that reason both the clients and the testers in a pen testing scenario benefit from the clear guidelines set out by the PTES.
To that end, there are multiple kinds of pen tests governed by the PTES.
Different Kinds of Pen Tests
Penetration testing as an overall umbrella refers to any kind of analysis that involves the intentional simulation of an attack on your systems. But there are numerous ways to go about ethical hacking.
The two main categories that all pen tests fall into are:
- “White box” pen testing – The tester is supplied with information (network diagrams, credentials, source code) that is used to inform the attack. Often, the resulting attack focuses internally (see below).
- “Black box” pen testing – The tester begins from scratch, without any information provided by the client, much as an outside attacker would. Often, it focuses on the external (see below).
In some cases, attacks are neither squarely white nor black box. In “grey box” attacks, the tester may be given a certain amount of information but is also expected to conduct rigorous reconnaissance. (Note that “white hat” and “black hat” are different terms: they describe whether the hacker is ethical or malicious, not how much information a test starts with.) The specific balance of information provided upfront is up for negotiation.
In addition to information provided at startup, pen tests also vary in terms of overall focus. There are two main areas where a pen tester may focus, to varying purposes:
- External pen testing – The attacker begins from “outside” your company and focuses most of the testing resources on ways to enter into your systems.
- Internal pen testing – The attacker starts from inside your company and focuses on how much damage can be done, and how quickly, from that privileged position.
As with the distinction between white and black box techniques, these focuses of pen testing are not always completely separate. An individual test may incorporate both internal and external methods, and the balance between them is a key part of the negotiation process.
Now let’s really dive into what the standards governing all these kinds of tests look like.
Penetration Testing Execution Standard 101
The mission of the Penetration Testing Execution Standard is to create a uniform set of baseline expectations for the process that all pen testers should follow.
The standard doesn’t cover every single possible scenario or consideration that might occur in a given pen test case. Instead, it prioritizes a basic set of norms that govern the minimum requirements for all pen tests.
These norms are broken down into seven distinct areas, which correspond to the order of steps taken in any pen testing engagement:
- Pre-engagement Interactions
- Intelligence Gathering
- Threat Modeling
- Vulnerability Analysis
- Exploitation
- Post Exploitation
- Reporting
Let’s take a closer look at each section of the PTES:
#1 Pre-engagement Interactions
The first section of the PTES governs standard procedures for pre-engagement interactions. In most cases these interactions span from the first contact between the client and the pen testing body to the final negotiation before the pen test begins.
The PTES specifies particular guidelines for the following parameters in these meetings:
- Goals of the pen test – The tester and client must establish the specific goals of the pen test. The PTES recommends the following priorities:
- Primary goals should be related to security, not compliance
- Secondary goals should entail compliance and legal accountability
- Scope of the analysis – After establishing goals, the pen tester and client must agree on the scope and scale of the pen test. Elements to consider include:
- Identifying areas to be analyzed
- Quality and quantity of test procedures
- Duration, as well as start and finish times
- Rules of engagement – The pen tester and client must also establish key expectations and limitations regarding what behaviors are permissible. Considerations include:
- Whether any particular resources are “off limits”
- What boundaries exist for social engineering scams
Once these initial meetings are complete, the pen tester is ready to begin the first key stage of the testing itself: reconnaissance.
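As an added example (not part of the original article, and not an RSI Security tool), here is a small Python scope guard that encodes the parameters negotiated above: in-scope networks and domains, an exclusion list of off-limits resources, the agreed start and finish times, and whether social engineering is permitted. The field names, addresses, hostnames and dates are constructed for illustration. Every target is checked before a scan or exploit is launched, so a tester cannot drift outside the agreement by accident.

```python
"""Rules-of-engagement guard: every target is checked against the agreed scope,
exclusion list and test window before any scan or exploit is launched."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class RulesOfEngagement:
    """The parameters negotiated in pre-engagement (field names are this example's own)."""
    in_scope_networks: tuple     # CIDRs the client agreed may be tested
    in_scope_domains: tuple      # DNS zones the client agreed may be tested
    excluded: tuple              # "off limits": hostnames, single IPs or CIDRs
    window_start: datetime       # agreed start time (UTC)
    window_end: datetime         # agreed finish time (UTC)
    social_engineering: bool = False   # whether phishing/pretexting was authorized


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _name_in_zone(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or a subdomain of it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def _is_excluded(roe: RulesOfEngagement, target: str) -> bool:
    target_is_ip = _is_ip(target)
    for entry in roe.excluded:
        entry_is_net = "/" in entry or _is_ip(entry)
        if target_is_ip and entry_is_net:
            if ipaddress.ip_address(target) in ipaddress.ip_network(entry, strict=False):
                return True
        elif not target_is_ip and not entry_is_net and _name_in_zone(target, entry):
            return True
    return False


def check_target(roe: RulesOfEngagement, target: str, action: str = "scan",
                 when: Optional[datetime] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for performing `action` against `target` at time `when`."""
    now = when or datetime.now(timezone.utc)
    if not (roe.window_start <= now <= roe.window_end):
        return False, "outside the agreed test window"
    if _is_excluded(roe, target):
        return False, f"{target} is on the client's exclusion list"
    if action == "social_engineering" and not roe.social_engineering:
        return False, "social engineering was not authorized"
    if _is_ip(target):
        addr = ipaddress.ip_address(target)
        if any(addr in ipaddress.ip_network(n, strict=False) for n in roe.in_scope_networks):
            return True, f"{target} is inside an in-scope network"
        return False, f"{target} is not in any agreed network"
    if any(_name_in_zone(target, zone) for zone in roe.in_scope_domains):
        return True, f"{target} is under an in-scope domain"
    return False, f"{target} is not under any agreed domain"


# Constructed sample agreement (documentation-range addresses, not a real client).
EXAMPLE_ROE = RulesOfEngagement(
    in_scope_networks=("203.0.113.0/24", "10.20.0.0/16"),
    in_scope_domains=("example.com",),
    excluded=("203.0.113.7", "10.20.5.0/24", "payroll.example.com"),
    window_start=datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc),
    window_end=datetime(2024, 3, 8, 18, 0, tzinfo=timezone.utc),
    social_engineering=False,
)
EXAMPLE_TIME = datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc)   # inside the window
OUTSIDE_TIME = datetime(2024, 3, 9, 9, 0, tzinfo=timezone.utc)    # after the window closed

if __name__ == "__main__":
    for tgt, act in [("203.0.113.25", "scan"), ("203.0.113.7", "scan"),
                     ("10.20.5.9", "scan"), ("vpn.example.com", "scan"),
                     ("payroll.example.com", "scan"), ("notexample.com", "scan"),
                     ("mail.example.com", "social_engineering")]:
        print(tgt, act, check_target(EXAMPLE_ROE, tgt, act, EXAMPLE_TIME))
```

The exclusion check runs before the scope check on purpose: an address can sit inside an agreed /16 and still be a carved-out database subnet, and the guard must refuse it rather than report it as in scope. Wiring a check like this into the tester's tooling turns the negotiated document into something that is enforced on every target, not just remembered.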
#2 Intelligence Gathering
Next, the PTES lays out specifications for the intelligence gathering stage of a pen test.
At this stage, the pen tester will gather all publicly available information and perform basic searches following the rules of engagement. This process, also called open source intelligence (OSINT), compiles all information that may be useful in later stages of the testing process.
The intelligence gathering stage is defined at three levels of depth:
- Level 1 – Compliance driven. This level is basic and can be almost entirely automated; it collects the minimum information required to satisfy a compliance requirement.
- Level 2 – Best practice. This level goes beyond the surface, adding manual analysis to build the picture of the organization’s business, people and infrastructure that a real attacker would want.
- Level 3 – State sponsored. This level mirrors the effort of a well-resourced adversary: a deep dive into the organizational complexities and business relationships that may not be apparent until searched for.
Once the information is gathered, it’s time to begin planning out the potential targets for attack.
#3 Threat Modeling
The next step of a pen test process is threat modeling. This entails mapping out what particular assets are most likely to be targeted by an attacker, as well as what resources (human and otherwise) may be used to target these assets. In this stage, the pen tester will use the data found in the previous stage to begin planning the attack.
The PTES specifies a distinct four-step process for threat modeling of high-level attacks:
- Gathering documentation
- Categorizing assets (primary and secondary)
- Categorizing threats (primary and secondary)
- Mapping threat communities corresponding to assets
The hacker will identify what assets are most valuable and which are most vulnerable. This step sets the stage for the next one by identifying individual actors and motives that may be exploited, as well as any software or hardware that may be exploitable.
The next step then moves into analyzing how to capitalize on these threats.
#4 Vulnerability Analysis
The next stage, vulnerability analysis, involves further gathering of information, this time related to specific flaws or weaknesses in the client’s systems.
This stage is the payoff of the intelligence gathered in previous steps: it uses that intelligence to identify and prioritize specific known or suspected vulnerabilities.
The analysis comprises two main modes:
- Passive – Analysis that does not interact directly with the target systems, so it generates little or no traffic the client could notice. Examples include:
- Metadata analysis of published documents
- Traffic monitoring
- Active – Analysis that probes the target systems directly and is therefore visible to the client’s monitoring. Some components are:
- Port-based network scans
- Application flaw scanning
- Directory listing and brute forcing of web paths
Through these and other means, the attacker compiles a targeted list of vulnerabilities that will be prioritized during the attack. This concludes the planning stages.
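As an added example (not part of the original article), here is a Python script showing the passive mode in practice: it pulls the /Info metadata out of PDF files an organization has published, which typically leaks the usernames that created them and the exact software versions that produced them. Both feed the later stages: a username list for password attacks or social engineering, and software versions to check against known flaws. The three PDFs are constructed inline so the script runs offline; in a real engagement the documents would have been collected during intelligence gathering.

```python
"""Passive vulnerability analysis: metadata extraction from published PDFs.

The /Info dictionary of a PDF usually records who created the file and which
software produced it. Aggregated over an organization's public documents, that
gives a username list and a list of software versions to check for known flaws.
"""
import re
from collections import Counter

INTERESTING = ("Author", "Creator", "Producer", "Title")

# /Key followed by a literal string "(...)" (with backslash escapes) or a hex string "<...>".
_ENTRY = re.compile(
    rb"/(" + b"|".join(k.encode() for k in INTERESTING) + rb")\s*"
    rb"(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)", re.DOTALL)
_INFO_REF = re.compile(rb"/Info\s+(\d+)\s+0\s+R")
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
            b"(": b"(", b")": b")", b"\\": b"\\"}


def decode_pdf_string(token: bytes) -> str:
    """Decode a PDF literal '(...)' or hex '<...>' string object to text."""
    if token.startswith(b"<"):
        digits = re.sub(rb"\s", b"", token[1:-1])
        if len(digits) % 2:               # an odd final digit is padded with 0 (PDF spec)
            digits += b"0"
        raw = bytes.fromhex(digits.decode("ascii"))
    else:
        body, out, i = token[1:-1], bytearray(), 0
        while i < len(body):
            ch = body[i:i + 1]
            if ch == b"\\" and i + 1 < len(body):
                nxt = body[i + 1:i + 2]
                if nxt in _ESCAPES:
                    out += _ESCAPES[nxt]
                    i += 2
                    continue
                octal = re.match(rb"[0-7]{1,3}", body[i + 1:i + 4])
                if octal:                  # \ddd octal escape, e.g. \256 for the (R) sign
                    out.append(int(octal.group(0), 8))
                    i += 1 + len(octal.group(0))
                    continue
                i += 1                     # unknown escape: drop the backslash
                continue
            out += ch
            i += 1
        raw = bytes(out)
    if raw.startswith(b"\xfe\xff"):        # UTF-16BE with byte-order mark, per the spec
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")           # PDFDocEncoding is close enough to Latin-1 here


def extract_pdf_metadata(data: bytes) -> dict:
    """Return {field: value} for the interesting keys of the document's /Info dictionary."""
    ref = _INFO_REF.search(data)
    region = data                          # no trailer reference: scan the whole file
    if ref:
        obj = re.search(rb"(?<![0-9])" + ref.group(1) + rb"\s+0\s+obj(.*?)endobj",
                        data, re.DOTALL)
        if obj:
            region = obj.group(1)
    return {key.decode(): decode_pdf_string(tok) for key, tok in _ENTRY.findall(region)}


def summarize(docs: dict) -> dict:
    """Aggregate authors and producing software across a set of {filename: bytes}."""
    authors, software, per_doc = Counter(), Counter(), {}
    for name, data in docs.items():
        meta = per_doc[name] = extract_pdf_metadata(data)
        if meta.get("Author"):
            authors[meta["Author"]] += 1
        for key in ("Creator", "Producer"):
            if meta.get(key):
                software[meta[key]] += 1
    return {"per_document": per_doc, "authors": authors, "software": software}


def _mini_pdf(info_entries: bytes) -> bytes:
    """Build a minimal constructed PDF whose trailer points at an /Info dictionary."""
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
            b"2 0 obj << " + info_entries + b" >> endobj\n"
            b"trailer << /Root 1 0 R /Info 2 0 R >>\n%%EOF\n")


# Constructed sample documents, not real files from any organization.
SAMPLE_DOCS = {
    "brochure.pdf": _mini_pdf(b"/Author (jsmith) /Creator (Microsoft\\256 Word 2016) "
                              b"/Producer (Acrobat PDFMaker 11)"),
    "policy.pdf": _mini_pdf(b"/Author <FEFF006A0073006D006900740068> "
                            b"/Producer (LibreOffice 6.4)"),
    "report.pdf": _mini_pdf(b"/Author (a.jones \\(IT Ops\\)) /Creator (Microsoft\\256 Word 2016) "
                            b"/Producer (Acrobat PDFMaker 11)"),
}

if __name__ == "__main__":
    result = summarize(SAMPLE_DOCS)
    print("usernames seen:", dict(result["authors"]))
    print("software seen:", dict(result["software"]))
```

The script locates the trailer’s /Info reference and parses that one object rather than the cross-reference table, which is enough for metadata triage but is not a general PDF parser. Whether this counts as passive depends on how the documents were obtained: downloading files the client already publishes generates only ordinary web traffic, whereas aggressively crawling for them would show up in the client’s logs.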
Now the tester is finally ready to begin the attack itself.
#5 Exploitation
All the preparation above finds its payoff in the exploitation stage. This is arguably the most important step of a pen test, as it is where the attack is actually carried out against the target.
The attacker will use all information available to launch one or more targeted strikes. These attacks will differ in nature depending on the goals outlined in the pre-engagement interactions. But generally, the guiding principles for the attacker are:
- Stealth, evading detection
- Speed of infiltration
- Depth of penetration
- Breadth of exploitation
The attacker will want to remain undetected for as long as possible, ideally throughout the entire offensive. They will want to act quickly, diving as deeply into the client’s systems as possible. And they’ll want to identify and exploit as many branching paths of access as possible.
By sticking to these principles, the pen tester will maximize the findings and insights of the attack. The more robust the attack, the more robust the ultimate insights generated.
But the exploitation isn’t the end of the pen test.
#6 Post Exploitation
In the post-exploitation stage, the hacker shifts from gaining access to exploring the full value of the control that has been seized. This crucial step is the main focus of certain pen tests, especially internal-based analysis.
In this stage, the hacker’s goals will vary depending on the scope agreed to with the client. But the main functions of the stage always include a combination of the following:
- Determining the value and function of the resources compromised
- Maintaining access to those resources (persistence), but only to the degree agreed with the client and never by introducing new weaknesses into the client’s systems
- Pivoting from the foothold to further systems it can reach
- Cleaning up on exit: removing tools, accounts and any other changes made during the test
It’s crucial that both parties have well defined expectations for this stage. If exploitation unveils deeper and more complex weaknesses that the client did not anticipate, the compounding revelations in the post-exploitation stage can lead to scope creep and other potential conflicts.
But as long as the pre-engagement interactions were completed diligently, this stage gives way to the final step: reporting.
#7 Reporting
The final stage, reporting, is a relatively straightforward process as long as the prior stages have been completed to the requisite standard.
The tester will have documented all processes undertaken throughout the planning and attacking stages, and all of that information is processed and included in the report. Importantly, the report will also present key findings related to:
- Security posture and risk ranking
- Breakdown of risks uncovered
- Detailed plan for correction
Reporting being the end of any pen test, this is where the PTES guidelines run their course.
The PTES is necessary because of the complexity, difficulty, and sensitivity inherent in the pen testing process. These same qualities are the reason you need qualified professionals to help make pen testing seamless for your business.
For that, we’re here to help.
RSI Security, Penetration Testing Execution Standard Experts
At RSI Security we offer a robust suite of penetration testing services that meet and exceed the guidelines established in the Penetration Testing Execution Standard. Our experts are qualified vets in the pen testing world, and we will customize a solution that’s perfect for your business’s specific needs.
Our services include all of the following, in any combination you choose:
- Mobile pen testing
- Firewall pen testing
- Hardware pen testing
- Compliance pen testing
- Web application pen testing
- Network security pen testing
- Cloud computing pen testing
Rigorous pen testing isn’t all we offer; RSI Security is an industry leader that has provided cyberdefense solutions to companies of all shapes and sizes for over a decade. Whether it’s pen testing, compliance, or overall cybersecurity strengthening, we’re here to support you.
Contact RSI Security today to see how powerful your cyberdefenses can become!