You’ve done your research on the different types of penetration testing, now you’re ready to conduct an engagement and let the pentesters do their best to breach your systems.
But what exactly happens after you give ethical hackers the chance to bypass your strongest defences? Where do they start? How long does the test take? What information will they offer once they’re done?
To get your answers, let’s review the four phases of the penetration testing process, step-by-step:
1. Planning Phase
As you begin the penetration testing process, a practice lead will start by defining the scope of your security assessment. There’s a lot that goes into defining this, such as the criticality of the applications being tested, whether it’s on- or off-site testing, and how many servers or devices will be involved, to name a few.
During this planning stage, the timing and duration of the penetration test are also determined. It’s crucial for both the assessment team and for the company to outline a clear timeline for the testing window, so that the evaluation doesn’t drag out and so that timely remediation can be used to strengthen defences.
It’s during this initial conversation that your business must decide whether to alert employees of the penetration test or not; our team recommends keeping the engagement private so that your employees behave as they normally would. This fosters more accurate results, revealing a true reflection of your security posture. Occasionally, a handful of individuals may be “in the know” about the test, but this is not common.
2. Pre-Attack Phase
Before testing begins, the pre-attack phase is critical. To plan for a successful exercise, the pentesting team must work through an extensive plan. In our case, this plan is overseen by Kevin Mitnick, who helps lay the groundwork for strategic execution. Oftentimes, bad actors begin by gathering whatever data they can on your company (or from the individual employees they choose to target).
The cyberattackers look for Open Source Intelligence (OSINT), or any publicly available information that they can gather to use against you. They usually start with free information, or data that isn’t blocked by paywalls. Unfortunately, in our growing digital age of social media usage, it can be shocking how much data can be accessed by doing a simple Facebook or LinkedIn search.
This data grants the bad actors the tools they need to guess passwords, fool you or your employees with clever social engineering attempts, and more.
People aren’t the only targets. At Mitnick Security, we use sources like WHOIS databases and DNS servers to breach systems as well. We locate the IP blocks and use WHOIS lookups to gather information relating to personnel and hosts. Coupled with extensive network scanning, this information then aids us in the creation of detailed network diagrams and target identification. After identifying the system targets, we perform port scanning to find open ports. This is followed by service identification. After that, we scan for vulnerabilities in the target and often find a way in.
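The port scanning and service identification described above leave a recognisable footprint on the defender's side: one source touching many distinct destination ports in a short window. The following Python script is an added example, not code from the article or from Mitnick Security, showing how that footprint can be picked out of firewall logs. The log format (timestamp, action, src=, dst=, dport=) and every address in it are constructed for the example; real firewalls use their own formats, so only the parser would need to change.

```python
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines (not from the article). 203.0.113.7 walks a dozen
# ports in eleven seconds, the other two sources look like ordinary clients.
SAMPLE_LOG = """\
2024-01-15T10:00:01Z DENY src=203.0.113.7 dst=192.0.2.10 dport=21
2024-01-15T10:00:02Z DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2024-01-15T10:00:03Z DENY src=203.0.113.7 dst=192.0.2.10 dport=23
2024-01-15T10:00:04Z DENY src=203.0.113.7 dst=192.0.2.10 dport=25
2024-01-15T10:00:05Z DENY src=203.0.113.7 dst=192.0.2.10 dport=53
2024-01-15T10:00:06Z ALLOW src=203.0.113.7 dst=192.0.2.10 dport=80
2024-01-15T10:00:07Z DENY src=203.0.113.7 dst=192.0.2.10 dport=110
2024-01-15T10:00:08Z DENY src=203.0.113.7 dst=192.0.2.10 dport=135
2024-01-15T10:00:09Z DENY src=203.0.113.7 dst=192.0.2.10 dport=139
2024-01-15T10:00:10Z DENY src=203.0.113.7 dst=192.0.2.10 dport=143
2024-01-15T10:00:11Z ALLOW src=203.0.113.7 dst=192.0.2.10 dport=443
2024-01-15T10:00:12Z DENY src=203.0.113.7 dst=192.0.2.10 dport=445
2024-01-15T10:01:00Z ALLOW src=198.51.100.5 dst=192.0.2.10 dport=443
2024-01-15T10:02:00Z ALLOW src=10.0.0.9 dst=192.0.2.20 dport=3389
2024-01-15T10:02:05Z ALLOW src=10.0.0.9 dst=192.0.2.20 dport=445
2024-01-15T10:03:00Z ALLOW src=198.51.100.5 dst=192.0.2.10 dport=443
2024-01-15T10:04:30Z ALLOW src=198.51.100.5 dst=192.0.2.10 dport=80
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, action, src, dst, dport)."""
    fields = line.split()
    ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
    kv = dict(f.split("=", 1) for f in fields[2:])
    return ts, fields[1], kv["src"], kv["dst"], int(kv["dport"])


def detect_port_scans(log_text, min_ports=10, window_seconds=60):
    """Return {src: sorted distinct ports} for every source that touched at least
    min_ports distinct destination ports inside any window_seconds sliding window.
    Both ALLOW and DENY lines count: a scan of open ports is still a scan."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _action, src, _dst, dport = parse_line(line)
        events[src].append((ts, dport))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end, (ts, _port) in enumerate(evs):
            # Slide the window start forward until it fits within window_seconds.
            while (ts - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {p for _, p in evs[start:end + 1]}
            if len(distinct) >= min_ports:
                flagged[src] = sorted({p for _, p in evs})
                break
    return flagged


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {len(ports)} ports {ports}")
```

The thresholds are the tuning knobs: ten distinct ports in a minute catches a deliberate sweep while leaving a browser that talks to ports 80 and 443 alone. Lowering `min_ports` to 2 with the same data also flags `10.0.0.9`, which shows how quickly a tight threshold starts producing noise on ordinary administrative traffic.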
3. Attack Phase
After the security assessment team discovers and qualifies a list of vulnerabilities to exploit, the penetration attempts (or “attacks”) begin.
Depending on the type of engagement, your pre-attack plan may have a variety of starting points and many different tests may be employed. Social engineering and web application exploits, however, are the two most common vectors that a real threat actor employs, which is why most pentesters pursue these two vectors first.
From a social engineering perspective, a pentester will research your company and employees. They’ll look for people within your corporation who may easily be manipulated into sharing access to private data. Once a human target has been determined, the assessor will attempt to gain higher privileges through phishing emails and pretext phone calls, etc.
Some assessors will go the extra mile and test your physical security, attempting to gain entry into your office or to discover important information about your business through installing hardware implants or cloning access control cards. Check out our blog on four ways hackers use social engineering to trick your employees, you, or your C-suite team into gaining access to your systems.
As far as web application attacks go, there are a few ways bad actors can strike. Commonly, cyber criminals will spoof website domains, creating a very similar URL to a trusted site using a fake domain lookalike (think zoom.com when the real site is zoom.us). Once you click a link in a sneaky phishing email to hop on a Zoom video conference, you're prompted to download an update for your streaming software. This update is really a weaponized package, which installs malware onto your computer. It also contains the real software update, so many users are none the wiser that they were even breached.
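The zoom.com versus zoom.us trick works because a reader compares the familiar brand label and ignores the suffix. The Python below is an added example, not code from the article or from Mitnick Security, of how a mail gateway or a security team can triage the hostnames in a message against an allow-list of trusted domains. It generalises the article's single case to three lookalike patterns: the same brand under a different top-level domain, a one-character typo of the brand, and the brand embedded as a subdomain of an unrelated registered domain. The allow-list, the sample URLs and the `example-corp.com` name are constructed for the example; the suffix handling is deliberately naive and does not know multi-part public suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Constructed allow-list (not from the article): domains the organisation trusts.
TRUSTED_DOMAINS = {"zoom.us", "example-corp.com"}

# Constructed links, as they might be pulled out of a suspicious email.
SAMPLE_URLS = [
    "https://us04web.zoom.us/j/1234567890",
    "https://zoom.com/update/ZoomInstaller.exe",
    "https://zo0m.us/login",
    "https://zoom.us.cdn-update.example/client",
    "https://github.com/",
]


def registered_domain(host):
    """Return (second-level label, top-level label) of a hostname.
    Naive on purpose: a production check would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a fully qualified domain: {host!r}")
    return labels[-2], labels[-1]


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host, trusted=TRUSTED_DOMAINS, max_typo_distance=1):
    """Classify a hostname as trusted, one of three lookalike kinds, or unrelated.
    Returns (verdict, trusted_domain_it_resembles_or_None)."""
    host = host.lower().rstrip(".")
    sld, tld = registered_domain(host)
    if f"{sld}.{tld}" in trusted:
        return "trusted", f"{sld}.{tld}"          # covers subdomains of trusted domains
    labels = host.split(".")
    trusted_parts = [(t, *registered_domain(t)) for t in sorted(trusted)]
    for t, tsld, ttld in trusted_parts:
        if sld == tsld and tld != ttld:
            return "lookalike_tld", t              # zoom.com instead of zoom.us
    for t, tsld, _ in trusted_parts:
        # Short brand names make a distance of 1 noisy; tune max_typo_distance per list.
        if sld != tsld and levenshtein(sld, tsld) <= max_typo_distance:
            return "lookalike_typo", t             # zo0m.us
    for t, tsld, _ in trusted_parts:
        if any(tsld in label for label in labels):
            return "lookalike_embedded", t         # zoom.us.<attacker-registered>.example
    return "unrelated", None


def triage_urls(urls, trusted=TRUSTED_DOMAINS):
    """Map each URL's hostname to its verdict so a reviewer sees the risky ones at a glance."""
    results = {}
    for url in urls:
        host = urlsplit(url).hostname
        if host:
            results[host] = classify_domain(host, trusted)[0]
    return results


if __name__ == "__main__":
    for host, verdict in triage_urls(SAMPLE_URLS).items():
        print(f"{verdict:20} {host}")
```

Anything other than `trusted` or `unrelated` is worth a second look before a user is allowed to follow the link; in the article's scenario the installer link would surface as `lookalike_tld` against `zoom.us`.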
Often, pentesters will leave some sort of signature on the system or network that has been compromised to denote evidence of breach, for review in the post-attack analysis.
4. Post-Attack Phase
After your testing timeline is complete, the penetration tester will restore the systems and network configurations to their original states.
You’ll receive a full report detailing what the ethical hackers discovered, including a list of vulnerabilities, an analysis of the findings, a conclusion drawn from the findings, remediation measures and recommendations, log files from tools as evidence of findings, and an executive summary for sharing across corporate levels.
This report will often explain the probability of each exploit occurring, as well as the potential monetary or brand impact of every security compromise.
There Are No Assessors Like The Global Ghost Team
At Mitnick Security, we do things a bit differently than other security teams. Our Global Ghost Team welcomes the challenge of escalating privileges on your target system or network, while causing no disruption to your normal business operations.
We use senior security specialists with at least 10 years’ experience (or similarly revered individuals within the information security community) to manually scan your systems in addition to automated scanning, so you know you’re always getting top-notch testing from world-class security masterminds.
Explore our Penetration Testing Services and take a big step towards mitigating your risks today.