Internal Penetration Testing
What is an Internal Penetration Test?
An Internal Penetration Test is a simulated cyber attack on an organisation’s internal network and systems. The goal of the test is to identify and demonstrate weaknesses in an organisation’s environment in order to remediate those vulnerabilities. Penetration tests may also be referred to as pen-testing, ethical hacking, red-teaming, offensive security, or adversarial simulations.
During an Internal Penetration Test, security professionals simulate the actions of real attackers by attempting to exploit weaknesses in the network and gain access to sensitive data or systems. They may use a variety of tools and techniques, such as scanning for open ports, attempting to guess passwords, or exploiting known vulnerabilities in software or operating systems.
The outcome of an Internal Penetration Test is a comprehensive report, detailing the findings of the engagement and recommendations for remediating any identified weaknesses. It’s important to note that penetration tests are not meant to identify all weaknesses, as much of the engagement will be spent attempting to exploit the vulnerabilities that will have the greatest impact or allow the attacker to reach their goal the soonest. Therefore, a penetration test should not replace a robust, ongoing Vulnerability Management program.
How do Internal Penetration Tests work?
Scoping of the Penetration Test
A well-thought-out scope is imperative for the success of an Internal Penetration Test. Without developing and agreeing on the scope, there is a risk of unauthorised testing of systems, wasted time and effort, or unexpected disruption (including permanent damage) to the organisation. The scope of the test should include the following:
- The list of assets or targets in scope. This could include domain names, URLs, hostnames, or IP addresses. Anything not listed in the scope should not be tested without first seeking approval to have it added to the scope.
- The timeframe for the engagement.
- The objectives (also known as flags) of the penetration test. For example, an objective may be to gain domain administrator access or access to a certain system that holds sensitive information.
- Whether the test is full-knowledge, zero-knowledge, or partial-knowledge.
During a full-knowledge penetration test (also known as a whitebox penetration test), the penetration testers will be provided with complete documentation of the network. This may include descriptions of all systems, such as their IP addresses, the services running on them, and the security controls implemented. Full-knowledge penetration tests allow the penetration testers to spend more time attempting to exploit vulnerabilities and less time performing reconnaissance and discovery.
In zero-knowledge penetration tests (also known as blackbox penetration tests), the testers will need to start by performing reconnaissance tasks such as network and port scanning. Zero-knowledge penetration tests are usually more realistic but less thorough than full-knowledge tests, because the testers are more likely to miss weaknesses.
In partial-knowledge penetration tests (also known as greybox penetration tests), the testers are given some information about the target network.
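As an added illustration of the scope rule above (this is not code from the page or from Endure Secure), a small Python allow-list check that testing tooling can consult before touching any target, so that nothing outside the agreed assets, exclusions or timeframe is tested. The networks, hostnames, dates and exclusions are constructed placeholders.

```python
# Added example: enforce the agreed scope (assets, exclusions, timeframe)
# before any target is tested. Anything not explicitly listed is denied.
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress


@dataclass
class Scope:
    networks: list          # CIDR strings agreed in the scope document
    hosts: set              # exact hostnames agreed in the scope document
    domains: set            # any host under one of these suffixes is in scope
    start: datetime         # engagement window (timezone-aware)
    end: datetime
    excluded: set = field(default_factory=set)  # hosts or CIDRs carved out


def _ip_in(target, nets):
    """True if target is an IP address inside any CIDR/IP entry of nets."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return False            # not an IP; hostnames are checked separately
    for n in nets:
        try:
            if ip in ipaddress.ip_network(n, strict=False):
                return True
        except ValueError:
            continue            # entry is a hostname, not a network
    return False


def _host_in(target, hosts, domains):
    """True if target is a listed host or sits under a listed domain suffix."""
    t = target.lower().rstrip(".")
    return t in hosts or any(t == d or t.endswith("." + d) for d in domains)


def in_scope(scope, target, now):
    """Return (allowed, reason); exclusions and the window win over the allow-list."""
    if not (scope.start <= now <= scope.end):
        return False, "outside engagement window"
    if _ip_in(target, scope.excluded) or _host_in(target, scope.excluded, set()):
        return False, "explicitly excluded"
    if _ip_in(target, scope.networks) or _host_in(target, scope.hosts, scope.domains):
        return True, "listed in scope"
    return False, "not listed in scope; seek approval before testing"


# Constructed sample scope (placeholder values, not a real engagement).
SAMPLE_SCOPE = Scope(
    networks=["10.10.0.0/16"], hosts={"fileserver01.corp.example"},
    domains={"corp.example"}, excluded={"10.10.5.0/24", "payroll.corp.example"},
    start=datetime(2024, 3, 4, tzinfo=timezone.utc),
    end=datetime(2024, 3, 8, 23, 59, tzinfo=timezone.utc),
)
```

Subdomains of an in-scope domain are accepted, but look-alike names such as `corp.example.evil.test` are not, and an excluded range is refused even though it sits inside an in-scope network.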
We follow a structured Penetration Testing methodology to ensure a comprehensive and systematic approach to identifying vulnerabilities and assessing the security of a system. While every engagement will vary based on the organisation or the nature of the test, there are many similarities in the approach. We have integrated several industry-recognised Penetration Testing frameworks into our methodology:
- Open Source Security Testing Methodology Manual (OSSTMM)
- Penetration Testing Execution Standard (PTES)
- Mitre ATT&CK Framework
- Lockheed Martin Cyber Kill Chain
The engagement itself proceeds through the following steps:
- Understand the scope and objectives of the penetration test.
- Gather information about the target system, including IP addresses, domain names, network architecture, and application details.
- Conduct passive reconnaissance, such as searching for publicly available information, open ports, or DNS records.
- Identify potential attack vectors and prioritise them based on their risk and impact.
- Determine the level of access and knowledge available to the penetration tester (e.g., blackbox, greybox, or whitebox).
- Define the rules of engagement and establish clear boundaries for the test.
- Perform automated scans using specialised tools to identify common vulnerabilities like outdated software versions, misconfigurations, or weak encryption algorithms.
- Conduct network scanning to discover open ports, services, and potential entry points.
- Attempt to exploit identified vulnerabilities manually or using exploit tools to gain unauthorised access, escalate privileges, or manipulate the target system.
- Exploit weaknesses in applications, networks, or other components to determine the extent of potential damage.
- Maintain access and conduct further exploration of the compromised system.
- Collect evidence of the successful exploitation for later reporting and analysis.
- Identify potential pivoting points for lateral movement within the network.
- Evaluate the impact and severity of the vulnerabilities identified during the penetration test.
- Document all findings, including detailed descriptions, screenshots, and steps to reproduce the issues.
- Provide recommendations and best practices to address the identified vulnerabilities.
- Prepare a comprehensive report summarising the test, findings, and remediation suggestions.
- Collaborate with the organisation's stakeholders to prioritise and address the identified vulnerabilities.
- Validate that the recommended remediation steps have been implemented effectively.
- Conduct retesting or verification activities to ensure that the security weaknesses have been resolved.
Should my company have an Internal Penetration Test?
Ultimately, organisations should take a risk-based approach when deciding whether to undergo a penetration test: evaluate the potential risks and impact of a security breach on your organisation’s systems, data, and reputation. Consider the sensitivity of the information you handle, such as customer data, intellectual property, or financial information. If a security incident could have severe consequences, an Internal Penetration Test can help identify vulnerabilities before malicious actors exploit them.
Here are some further considerations:
Contact Endure Secure
Endure Secure is available to answer your Internal Penetration Test enquiry within 8 business hours. Please include as much information as possible for your request.
Please contact us using this form, email us at [email protected], or call us on 0420 231 893.