Penetration (pen) testing is a method of testing network or application security. In a test executed by a third-party service, experienced testers attempt to access a network using the same tools and attack vectors as threat actors, in order to identify gaps in a company’s cyber defenses. Their findings are then reported back to the company in detail.
Types of Penetration Testing
Internal pen testing focuses on assessing weaknesses inside the network.
One kind of internal pen testing is black-box testing. In this case, the company provides the pen tester with only an IP address, and the tester attempts to use that address to gain access to the network.
Alternatively, during an assumed-breach test, the pen tester is given both an account and a machine on the network, replicating what could happen if an employee clicked on a malicious link or gave away their credentials. In this case, the tester assumes a breach has already happened and the threat actor has successfully gotten through the firewall and into a user’s account.
From there, the question is what the penetration tester can do. Can they escalate privileges? Can they obtain domain admin? If so, an attacker in that position can do anything they want; achieving domain admin is considered the gold standard for bad actors.
Using the same methods, external testing targets any internet or public-facing assets. This includes data, IoT devices, and cloud services.
A web app is anything that a user can log into over the internet, such as online banking, school accounts, or online ordering. This type of pen testing focuses on what a tester can do in these environments.
Unauthenticated black-box testing attempts to gain access to the web app, either to steal stored data or to use the app as a stepping stone into an internal network.
Authenticated testing, like assumed-breach testing, provides the tester with a basic user account, which they try to use to escalate privileges, steal data, or gain internal network access.
Why Should a Company Get a Pen Test?
The goal of penetration testing is to assess existing security protocols to see what works, and more importantly, what doesn’t work. This service allows companies to discover vulnerabilities in their network in a safe and controlled environment, instead of finding out something was misconfigured after ransomware has already been deployed.
Organizations should always use a third-party service because outside testers are unfamiliar with the network, just like the threat actors are. The more realistic the scenario, the stronger the results.
Once testing is complete, companies will receive a detailed report. If there are critical findings, the report should include recommendations for remediation.
At minimum, reports should answer the following questions:
- What tools were used?
- What results came from those tools?
- What IPs were checked?
- What was the time frame of the test?
How Often to Test
Internal, external, and web app penetration testing should be done once a year. Additionally, testing should occur anytime there are significant changes to a network like new firewalls or web apps.
Pen tests are often a result of compliance requirements (for external testing more so than internal), but we recommend that if an organization is testing externally, they should also test internally.
Choosing a Penetration Tester
There are several factors to consider when choosing a pen tester or pen testing organization.
It’s most important to consider their reputation. Are they known to be a reputable testing group? A good pen tester needs to have solid experience. While they don’t necessarily need a certification or college degree (though both are nice to have), their experience is what truly matters.
Questions to ask:
- Do they have testimonials?
- Can you see a sample report?
- What kind of experience do they have?
- What is their testing methodology?
- What tools do they use?
It is an industry best practice to rotate penetration testing companies every three years to keep fresh eyes looking at the network.
Penetration Testing vs Vulnerability Scanning
Companies need to know the difference between these two services, because some businesses will pass off vulnerability scanning as pen testing due to a lack of education on the differences.
Unlike manual, hands-on pen testing, vulnerability scanning is an automated tool: it scans a chosen IP address or range and reports back which hosts are present and which known vulnerabilities they appear to have.
Vulnerability scanning should be a part of penetration testing. When prepping for an attack, threat actors will run vulnerability scans to determine the best tools to access a network in case they cannot get in via phishing.
How Much Should It Cost?
Pricing varies between service providers and the specific type of test they are doing. It also differs between pen testing and vulnerability scanning, with pen testing costing more because it is not automated.
At Blue Team Alpha, we take several factors into consideration when pricing a pen test.
- Internal pricing is based on the number of servers in the environment and how many endpoints (desktops and laptops) there are.
- External considers what assets are internet-facing and the number of web apps the company uses.
- Web app testing is priced differently than external testing due to the complexities involved in the testing process. First, we determine whether it is authenticated or unauthenticated. If it is authenticated, we test both a privileged and nonprivileged account. Additionally, web app pen tests also consider the number of weeks the organization wants us to test the apps.
Typical external network pen test costs:
- Small networks (1-5 IPs): $5,000-$8,000
- Larger networks: $15,000-$20,000, depending on scope
Typical internal network pen test costs:
- Small networks: $7,000-$10,000
- Larger networks: $15,000-$30,000
Blue Team Alpha’s pen testers come with a plethora of experience to help you find out where you are most likely to face an attack and proactively shore up any weaknesses before an attack occurs.