Your Guide to Objective-Based Penetration Testing - PlutoSec - Cyber Security Canada


Objective-Based Penetration Testing

In 2021, companies faced an astonishing $6 trillion in damages due to cybercrime. As a result, many are ramping up their cybersecurity budgets and adopting a more proactive approach to mitigate cyber-risk exposure. The average cost of a data breach in 2021 was $6.75 million CAD per incident, a significant increase from the average of $4 million CAD in 2018. The repercussions of cyber-attacks encompass operational downtime, damage to brand reputation, loss of business relationships, and substantial fines and class action lawsuits.


In today’s digital age, it is increasingly vital for organizations to develop robust security programs to achieve defensive targets and mitigate cyber risk. Understanding penetration testing and its role in risk mitigation is essential for IT professionals at all organizational levels, particularly top management. This guide will benefit leaders such as CEOs, CTOs, and CISOs, as well as senior team members, including security engineers, network engineers, and administrators. Additionally, it will be informative for other IT professionals, such as MSPs, IaaS, PaaS, and SaaS providers.

This guide includes:

  • The fundamentals of Objective-Based Penetration Testing (OBPT)

  • OBPT methodology focusing on the four pillars: physical, logical, social engineering, and ransomware technical assessment

  • Differences between OBPT, infrastructure penetration testing, application security testing, and red teaming

  • Comparison of manual vs. automated testing processes

  • Factors influencing the cost of OBPT

  • What to expect from an OBPT report

This guide aims to offer a comprehensive overview of Objective-Based Penetration Testing (OBPT), its relationship to other types of penetration testing, and answers to common questions about its value. By the end of this guide, you should have a solid understanding of the various activities, methodologies, and benefits of OBPT, as well as what to expect from an OBPT engagement. Additionally, it will provide valuable information to enhance your awareness of the pentesting process.

Who Will Benefit from This Guide

  • C-level executives responsible for IT security (CISOs, CSOs, VPs of Security)

  • Other high-level management (CEOs, Business Owners, Business Executives)

  • Managed Service Providers (MSPs)

  • Cybersecurity Architects, Network Architects, and Network Administrators

This guide will benefit an organization’s leaders, such as CEOs, CTOs, and CISOs, as well as senior team leaders including security engineers, network engineers, and administrators. It will also be informative for other IT professionals, including MSPs, IaaS, PaaS, and SaaS providers.

What is Objective-Based Penetration Testing?

Penetration testing involves simulating a cyber-attack on an organization to evaluate the effectiveness of security controls, identify and mitigate vulnerabilities, and provide a detailed attack narrative to assess the environment’s cyber resilience. Each organization’s unique circumstances necessitate a tailored penetration testing approach. The specific processes and activities (known as the scope of the test) vary significantly based on the organization’s business model, network topology, and risk objectives.

Here are the fundamental ways that penetration testing engagements can be broadly categorized:

  • Whitebox / greybox / blackbox – These categories are based on the amount of information provided to the pentesting team beforehand. In a whitebox test, complete information is given before testing begins. In a blackbox test, no information is provided. In a greybox test, only partial information is provided.

  • Internal / External – These are determined by the location of the simulated attack, with internal tests simulating attacks from within the network and external tests simulating attacks from outside the network.

  • Objective-based – This category is defined by the specific tactics applied during the test and the overall goals or objectives to be achieved.

Objective-based Penetration Testing

Objective-based Penetration Testing is a highly adaptable testing method tailored to an organization’s specific infrastructure and risk needs. As the name implies, this approach aims to achieve particular objectives, often focusing on unauthorized access to systems and sensitive data. It provides a comprehensive evaluation of an organization’s security posture by examining people, processes, and technology. This method goes beyond identifying known software vulnerabilities and misconfigurations, considering all potential ways an attacker could compromise sensitive systems and data.

The goals, scope, and methodologies of an Objective-based engagement are shaped by the organization’s unique risk requirements. This testing approach can encompass elements from both Infrastructure Penetration Testing and Application Security Testing (AST). Given the numerous methods an attacker might use to infiltrate a network, Objective-based Penetration Testing allows for a wide range of tactical approaches, each carefully chosen to meet the target’s specific needs and objectives.

Typically, Objective-based Penetration Testing begins with evaluating security controls protecting external attack surfaces. These surfaces might include company websites, public-facing web applications, APIs, cloud-based applications, remote access services like RDP and VPN, wireless access points, physical premises, and human factors—such as assessing the vulnerability of personnel to social engineering tactics.

Objective-based Pentesting may also aim to evaluate internal security posture by addressing “what if” scenarios, such as:

  • What if an attacker gained access to a specific system?

  • What actions could an attacker take with stolen credentials?

  • What if an insider initiated a cyber-attack on the organization?

  • What if a zero-day vulnerability were exploited to compromise a system?

  • What if an attacker successfully performed a session hijacking attack on a website user?

  • What if an attacker connected a malicious device to an exposed Ethernet port?

Answering these questions illustrates how a compromised credential, system, rogue device, or socially engineered employee could be exploited by an attacker, uncovering previously unknown techniques that could bypass an organization’s security measures.

Many Objective-based pentests also include a comprehensive Infrastructure Pentest, which features an Active Directory (AD) assessment to identify weaknesses in passwords and configurations, as well as a ransomware assessment to evaluate the potential impact of a ransomware attack and assess the organization’s “ransomware readiness”—its ability to detect and respond to such an attack.

Organizations may also choose to assess their ability to detect and respond to cyber-attacks through a “red team” exercise. This combines a red team operation with a thorough pentest, offering deeper insights into the performance of the defensive IT security team and its incident response capabilities. Plutosecs uniquely provides this combined pentest and red team approach, delivering exceptional value to our clients.

Methodology for Objective-Based Penetration Testing

The methodology for Objective-Based Penetration Testing is tailored to specific goals and is defined during an initial consultation between the organization and the penetration testing team. Each organization has a unique mix of technology, infrastructure, structure, data, and processes, so internal risk assessments will highlight the most critical components that need evaluation and fortification.

The approach taken—whether white-box, grey-box, or black-box testing—or a combination thereof, depends on the organization’s risk priorities and the chosen external and internal testing techniques. Rules of Engagement (ROE) are established to outline communication and escalation procedures for reporting critical findings before testing begins.

Objective-Based Penetration Testing methodologies are designed to simulate real-world cyber-attacks, emulating various threat actors from simple attackers to sophisticated nation-state and advanced persistent threats (APTs). For example, a basic attack might involve inserting a malicious USB device into accessible systems like guest terminals or POS devices, while an APT simulation could involve reverse engineering software or developing custom exploits.

Organizations should also simulate insider threats to assess risks from management, staff, third-party contractors, or visitors. Insider threat simulations might include placing a weaponized USB extension cable to capture keystrokes, attaching rogue devices to Ethernet ports for remote control, or running malicious files on workstations.

Penetration testers continuously update their knowledge of the tactics, techniques, and procedures (TTPs) used by real-world attackers, leveraging frameworks like the Cyber Kill Chain, MITRE ATT&CK, and MITRE's Common Weakness Enumeration (CWE) to develop strategies that reflect current attack methodologies.

With this understanding, let’s explore the most common tactical approaches used in Objective-Based Penetration Testing.

Physical Penetration Testing

Physical penetration testing assesses the effectiveness of an organization’s measures to protect its assets from physical access by potential attackers. Organizations often use a range of physical security controls, including locks, fences, surveillance systems, security guards, safes, proximity card readers, and biometric identification systems. If an attacker manages to bypass these controls, they could gain direct access to critical systems, deploy rogue devices for remote network access, or steal valuable equipment. Testing these physical controls with a specialist in physical penetration is crucial to ensure that these measures provide actual threat prevention rather than just serving as a deterrent.

Techniques commonly used in physical penetration testing include:

  • Evaluating the effectiveness of physical locks against picking or other bypass methods

  • Attempting to gain unauthorized access by tailgating or socially engineering employees entering restricted areas

  • Cloning employee access cards to enter secured zones

  • Assessing the responsiveness of surveillance systems to detect and alert security personnel about intrusions

  • Impersonating staff or contractors to gain entry to restricted areas

Logical Penetration Testing

Logical penetration testing assesses how an attacker might compromise information systems either remotely or from within the network. The primary objective is to evaluate the security of critical IT environments, ensuring they can withstand cyber-attacks and that any potential breaches are detected and addressed swiftly and effectively.

From an external perspective, any service exposed on the public internet is vulnerable to remote attacks, which minimizes the risk of detection for the attacker. A single vulnerability in an external attack surface could lead to sensitive data theft, system disruption, or ransomware deployment, which could lock critical data and demand payment for its release.

To mitigate this risk, organizations must thoroughly map their external attack surfaces, identify all publicly accessible services, scan for known vulnerabilities, and ensure proper configuration. However, only by simulating real-world cyber-attacks can an organization truly gauge its security posture, as this provides the highest level of assurance that external attack surfaces are adequately fortified.

Internally, logical penetration testing aims to uncover potential security weaknesses that could be exploited by someone with access to the network—whether it’s an external attacker who has breached the perimeter or an insider. Properly segmenting data and controlling access through network configuration and access controls is complex, and without testing, it’s challenging to gauge the effectiveness of these measures. By simulating sophisticated cyber-attacks from within the network, organizations can gain critical visibility into their internal security defenses.

Logical penetration testing tactics often include:

  • Testing web servers to ensure systems are patched against known vulnerabilities and misconfigurations, and that web applications are resilient to OWASP Top 10 vulnerabilities and beyond.

  • Testing network infrastructure to uncover known software vulnerabilities, misconfigurations, and weaknesses related to legacy protocols.

  • Testing for any suspicious activity that might indicate an ongoing compromise within the network.

  • Testing cloud-based resources to verify resilience against OWASP Top 10 Cloud-Native Application Security vulnerabilities and beyond.

  • Testing email servers to ensure proper configuration to prevent email spoofing and that authentication processes are secure against bypass attempts.

  • Testing remote access services such as RDP and VPN solutions to confirm they are resilient against known vulnerabilities, misconfigurations, and authentication bypass attacks.

  • Testing wireless access points and network configurations to ensure proper segmentation between guest and departmental networks and sensitive internal resources, and to verify strong access controls on internal wireless networks.

  • Testing IoT devices and other peripherals on the network to ensure they are properly configured, have default passwords changed, and are protected against potential attacks.

Social Engineering Penetration Testing

Social engineering penetration testing mimics real-world tactics used by cyber-attackers to deceive individuals into performing actions that, while seemingly harmless, can lead to network compromise. By deploying social engineering techniques during a penetration test, organizations can gauge the effectiveness of user awareness among their staff and identify areas where additional training or security controls might be necessary. This approach also evaluates the resilience of the organization’s overall security posture.

According to IBM, phishing was the initial attack vector in 40% of successful network breaches. The report highlights that Microsoft, Apple, and Google were the most commonly spoofed brands. In a phishing exercise, testers craft and send email templates that mimic well-known web applications. More advanced spear-phishing simulations involve emails that appear to come from managers, colleagues, or third-party vendors. If recipients open attachments or click links, malicious payloads are delivered to compromise their systems.

While phishing is a prevalent method for attackers to gain initial access, social engineering can take various forms. For instance, cybercriminals might create deceptive websites promoting fake software that promises to enhance productivity, improve performance, or protect against malware. These sites are designed to trick victims into installing trojanized software. Attackers may also use advertisements or social media to lure victims. Once installed, the malware can steal files, capture passwords, exfiltrate screenshots and keystrokes, and deploy additional malware, such as ransomware.

Social engineering tactics employed during an engagement can encompass various activities designed to exploit human behaviour:

  • Phishing / Spear-phishing / Smishing – Using deceptive emails, SMS messages, or other communication methods to trick the victim into performing an action that compromises their computer or reveals sensitive information.

  • Whaling – Targeting senior management or C-level executives with specialized phishing attacks.

  • Baiting – Enticing the victim into performing an action that seems beneficial, such as installing trojanized software or plugins.

  • Vishing – Manipulating the victim over the phone to divulge sensitive information or grant unauthorized access.

  • Pretexting – Persuading the target to comply with fabricated scenarios, such as posing as a high-ranking individual or someone in need of assistance.

  • Physical – Using techniques like tailgating or pretexting to gain unauthorized access to restricted areas.

The human factor—encompassing staff, managers, and even C-level executives—is often the primary target for many real-world attackers. While social engineering techniques themselves may not involve high technical complexity, they serve as a gateway for more sophisticated attacks. To ensure an organization’s resilience against such threats, it is essential to test both the people and processes involved.

Ransomware Technical Assessment

With ransomware attacks on the rise and increasing in cost, it’s crucial for organizations to enhance their cybersecurity measures to address the specific threats posed by ransomware. Effective mitigation involves not only reducing the likelihood of a successful attack but also ensuring rapid and complete recovery if an attack does occur.

A Ransomware Technical Assessment, included in an Objective-based Penetration Test, focuses on evaluating an organization’s resilience against ransomware by simulating the tactics used by ransomware threat actors. Additionally, a comprehensive Ransomware Penetration Testing engagement encompasses both a Technical Ransomware Assessment and a Non-Technical Ransomware Assessment, offering a thorough evaluation of both technical defenses and organizational preparedness.

The objectives of a Ransomware Technical Assessment encompass:

  • Evaluating the potential impact of ransomware attacks on an organization’s specific infrastructure and data.

  • Identifying vulnerabilities in policies and processes that could permit ransomware to breach the network.

  • Ensuring that backups are secure, reliable, and readily deployable when necessary.

A comprehensive Ransomware Penetration Test offers extended assurances beyond the Ransomware Technical Assessment included in an Objective-based Penetration Test. This full-scale test provides a thorough evaluation of both technical and non-technical aspects of an organization’s cybersecurity posture. The technical component mirrors the assessment in the Objective-based Penetration Test, while the non-technical component reviews policies, standards, and procedures to identify administrative vulnerabilities.

Additionally, the full Ransomware Penetration Test benchmarks the organization’s security program against the Cybersecurity Framework Profile for Ransomware Risk Management (NISTIR 8374) and includes a detailed technical assessment of security controls and a comprehensive penetration test.

For a solid foundation in mitigating ransomware risk and preparing for rapid recovery, Plutosecs’ Ransomware Prevention and Response Checklist is an excellent starting point.

What Makes Objective-Based Penetration Testing Essential?

Cybercriminals are evolving, employing increasingly sophisticated attacks that drive up costs and pose severe risks to organizations. A single security vulnerability can lead to critical data being held for ransom, destroyed, or result in significant operational disruptions. Penetration testing is a crucial element of a comprehensive risk management strategy designed to ensure business continuity.

Objective-based Penetration Testing enhances security awareness among staff, improves understanding of how cybersecurity measures align with an organization’s risk profile, and provides insights into how attackers might exploit network vulnerabilities.

By simulating attacks from a variety of threat actors—ranging from novice attackers to advanced persistent threats and nation-state hacking groups—Objective-based Pentesting helps organizations identify and address security gaps. This approach allows IT security teams to strengthen defenses, mitigate vulnerabilities, and verify the effectiveness of security controls. Ultimately, the goal is to rigorously test an organization’s security posture through realistic simulations, ensuring that its people, processes, and technology offer robust cyber resilience and enabling the organization to sustain its operations effectively.

How Does Objective-Based Pentesting Differ from Infrastructure Pentesting, Application Security Testing, and Red Teaming?

Among the core types of penetration testing—Objective-Based Penetration Testing, Infrastructure Penetration Testing, and Application Security Testing—Objective-Based Penetration Testing has the broadest scope. This approach may encompass all the elements of Infrastructure and Application Security Testing, and go further to include any offensive strategy, tactic, or technique that could reveal security weaknesses within an organization.

Common tactics in Objective-Based Penetration Testing include testing physical infrastructure, external and internal logical systems, wireless networks, and social engineering scenarios.

Objective-Based Penetration Testing also differs from Red Teaming. In a red team exercise, the penetration testing team conducts a covert cyber-attack campaign on an organization’s infrastructure, aiming to compromise systems and data while evading detection. This process generally takes more time due to the goal of remaining undetected. Conversely, during Objective-Based Penetration Testing, organizations collaborate with the testing team by permitting certain test activities, such as allowing phishing emails to bypass content filters or providing user email lists. In red teaming, defensive IT security measures like content filtering proxies and intrusion detection systems remain active throughout the engagement. Red teaming may not always identify vulnerabilities but instead focuses on evaluating how effectively an organization’s IT security team can detect and thwart attacks.

How Long Does It Take?

Penetration testing engagements can range from a few days to several months, with some large organizations opting for continuous testing programs. The duration of the testing process is influenced by factors such as the specific goals, scope, types of testing requested, and the extent of the target infrastructure.

Providing information before testing begins, such as in whitebox or greybox testing, can streamline the process and reduce the time spent on information gathering. For instance, organizations can offer a detailed network topology, including services and resources on each node.

Achieving initial access can be time-consuming and may impact the focus on testing internal security controls. Objective-Based Penetration Testing engagements are highly customizable, allowing them to be tailored to an organization’s specific risk requirements and security priorities.

Manual vs Automatic Testing Processes

Penetration testing includes both automated and manual techniques. While automated tools can quickly scan network environments, devices, and applications to map attack surfaces and identify known vulnerabilities, achieving a high level of security assurance relies heavily on manual methods. Manual testing involves detailed analysis of the target environment and may use pre-built exploit frameworks and custom exploit kits for the actual exploitation process.

In fact, automated testing typically makes up only 5% of a Plutosecs penetration test. The remaining 95% involves manually executed real-life attack simulations aimed at exploiting identified vulnerabilities and misconfigurations.

What Should Be Tested?

Despite the ever-evolving cyber-threat landscape, the IBM X-Force Threat Intelligence Index 2022 provides CTI statistics that highlight key goals to include in an Objective-based penetration test to address the most common attacks in today’s cyber environment:

  • Ransomware – In 2022, ransomware attacks accounted for 21% of all cyber-attacks.

  • Phishing / spear-phishing – Phishing was responsible for 41% of initial access compromises.

  • Software vulnerabilities – Exploitation of software vulnerabilities was the second most common method for initial access, representing 34% of cases.

  • Stolen credentials – Stolen credentials were used in 9% of successful network breaches.

  • Weak or reused passwords – Weak or reused passwords, either brute-forced or obtained from publicly available breached data, comprised 7% of initial access methods.

  • Insider attacks – Malicious insiders were behind 5% of attacks in 2022.

Given that a determined attacker will perform targeted reconnaissance to uncover security gaps in an organization’s infrastructure, a penetration test should replicate a wide range of real-world attack scenarios to thoroughly evaluate the effectiveness of the organization’s existing security controls.

The key tactics typically involved in an Objective-based penetration test include:

  • Physical – Can an attacker gain unauthorized physical access to sensitive areas within the organization’s premises?

  • Logical – Can an attacker exploit a publicly exposed system to gain initial access to the internal network or sensitive data? Once inside the network, can the IT security team effectively detect and prevent further malicious activities?

  • Social Engineering – Can an attacker deceive an insider into performing actions such as clicking on a malicious link, opening a document with malware, installing a trojanized application, disclosing sensitive information, or granting unauthorized access?

  • Ransomware – Is the organization equipped to detect a ransomware attack early enough to prevent it, or to recover swiftly and completely if its files are encrypted by ransomware?

How Much Does It Cost?

The cost of a penetration test can vary significantly based on the scope and complexity of the engagement, typically ranging from $30K to $60K for a quality professional service.

Key factors influencing the cost of an Objective-based penetration test include the depth of methodologies employed, the duration of the engagement, and the extent of manual testing conducted. These factors are discussed and agreed upon between the organization and the penetration testing provider before testing begins.

Focusing on a narrower scope or providing detailed information upfront can help reduce the overall cost of the test. Organizations considering penetration testing may start with a limited-scope test to evaluate the value it provides.

To assess the Return on Investment (ROI) for penetration testing, the Return on Security Investment (ROSI) metric is commonly used. ROSI is a tailored ROI calculation for security investments, comparing the total avoided costs of potential security breaches against the cost of the penetration test. The general formula for ROSI is:

ROSI = (Cost of avoided security breaches – Cost of prevention) / Cost of prevention

For instance, if your organization anticipates avoiding a minor security breach with a potential cost of $100,000 over the next year, and the cost of a penetration testing engagement is $10,000, the ROSI calculation would be 9:

ROSI = ($100,000 – $10,000) / $10,000 = 9

What Should You Expect from an Objective-Based Penetration Testing Report?

A penetration test report is the comprehensive document delivered by the penetration testing consultant upon completion of the assessment. This report is crucial for enhancing an organization’s cybersecurity defenses by addressing identified vulnerabilities and increasing security awareness by understanding the context of these vulnerabilities.

The report typically prioritizes identified vulnerabilities based on their severity and includes evidence of successful exploits, such as extracted data, cracked passwords, or screenshots of unauthorized system access.

It usually begins with an executive summary that explains the purpose of the test, outlines specific goals, limitations, and rules of engagement (ROE). The report further details the methodologies used to uncover each vulnerability, describes each vulnerability, provides remediation steps, and offers insights into the overall security posture of the environment tested.

After receiving the report, organizations usually have the chance to ask questions for clarification. Based on the report’s findings, organizations may request additional testing or initiate the remediation process. It’s recommended to conduct follow-up penetration tests after remediation to ensure that security gaps have been effectively addressed.

For more information, you can download a sample Objective-Based Penetration Testing report here.

When choosing a penetration testing consultant, consider their reputation, trustworthiness, size, experience, and professionalism, including relevant certifications and specialized skills pertinent to your organization’s environment.
