Your Guide to Penetration Testing -PlutoSec - Cyber Security Canada


Guide to Penetration Testing

The purpose of this post is to offer an in-depth guide on Infrastructure Penetration Testing, explore its connection to Objective-Based Penetration Testing, and address some frequently asked questions about penetration testing and its value. As the premier penetration testing company in Canada, PlutoSec brings unmatched expertise to these critical security practices.

This guide includes:

- Fundamentals of penetration testing
- Advantages of performing a penetration test
- Scope and methodologies of penetration testing
- Factors affecting the cost
- Insights you can gain from a penetration test report
- The penetration testing process
- Choosing the right cybersecurity company to partner with

In 2021, companies faced an astounding $6 trillion in damages from cybercrime. Consequently, organizations are bolstering their cybersecurity budgets and adopting more proactive measures to mitigate cyber-risk exposure. According to an IBM report, the average cost of a data breach in 2021 was $6.75 million CAD per incident, a significant increase from the approximately $4 million CAD average in 2018. Cyber-attacks can lead to operational downtime, damage to brand reputation, loss of business relationships, and substantial fines and class action lawsuits.

The average cost of a data breach reached up to $6.75 million CAD in 2021.

In today’s digital age, it is crucial for organizations to establish robust security programs to achieve defensive goals and mitigate cyber-risk. Understanding penetration testing and its role in reducing cyber-risk is vital for IT professionals at all levels, particularly senior management. This guide will be beneficial to organizational leaders like CEOs, CTOs, and CISOs, as well as senior team members, including security engineers, network engineers, and administrators. Additionally, it serves as a valuable resource for other IT professionals such as MSPs, IaaS, PaaS, and SaaS providers.

Who Will Gain from This Guide

- C-level executives responsible for IT security (CISOs/CSOs/VP of Security)
- Senior management (CEOs/Business Owners/Business Executives)
- Managed Service Providers (MSPs)
- Cybersecurity Architects, Network Architects, and Network Administrators

What is Penetration Testing?

Penetration testing involves simulating a cyberattack on an organization to ensure the effectiveness of its security controls, identify and address any vulnerabilities, and provide a detailed attack narrative to assess the environment’s cyber resilience. Each organization’s unique circumstances necessitate a tailored penetration testing approach. The specific process and activities (known as the test scope) vary greatly depending on the organization’s business model, network topology, and risk objectives.

Here are the primary ways penetration testing engagements can be broadly categorized:

- White-box / grey-box / black-box – These categories are determined by the amount of information provided to the penetration testing entity beforehand. In white-box tests, full information is given before the tests begin. In black-box tests, no information is provided. In grey-box tests, only partial information is shared.
- Internal / External – These categories are determined by the position of the simulated attack, either from outside the network (external) or from within the network (internal).
- Objective-based / Infrastructure – These categories are determined by the scope of the testing tactics applied during the test.

This article will focus on Infrastructure penetration testing, but first, let’s clarify the distinction between Objective-based and Infrastructure pentest approaches.

Infrastructure Penetration Testing

The primary aim of Infrastructure testing is to uncover how an attacker might navigate within the LAN and what sensitive data could be compromised or affected. Consequently, Infrastructure penetration testing focuses more on lateral movement, privilege escalation, and maintaining command and control (C2) rather than on gaining initial access through physical breaches, social engineering, phishing, or credential stuffing attacks. This makes it particularly suited for evaluating internal network security controls. In essence, Infrastructure pentests “cut to the chase” by concentrating on simulating the malicious activity that occurs after an initial breach or that originates from an insider.

By narrowing the focus, organizations can better allocate time and budget resources. Efficiency can be further enhanced by conducting white-box credentialed tests, where internal infrastructure details and credentials for remote access services (such as VPN, RDP, or SSH) are provided beforehand. Black-box testing, on the other hand, might reveal previously unknown network assets as the pentesting entity builds its own topology map. During an Infrastructure pentest, the testing team may deploy their own penetration appliances into the target network; these can be controlled remotely, allowing the team to work off-site.

The Infrastructure pentesting methodology also aims to identify misconfigurations and deviations from IT security best practices as outlined by industry standards such as NIST and the SANS/CIS Controls. This includes assessing legacy protocols (which are often enabled by default), verifying that access controls are properly configured, and ensuring that strong encryption protects internal network resources and data.

Infrastructure testing is typically conducted on production network environments, because replicating such environments is difficult and time-consuming, and testing the real environment guarantees that what is assessed matches what is actually deployed. When testing production environments, specific limitations should be agreed in advance, such as halting the test and reporting immediately when a finding warrants it. Testing production environments also evaluates an organization’s threat detection and disaster recovery capabilities, and provides valuable experience for the defensive security team. Pre-production environments may change before deployment, so Infrastructure testing is most valuable when applied to the actual operational environment.

The outcome of an Infrastructure penetration test is an audit report detailing identified vulnerabilities, including technical descriptions and remediation instructions. Like Objective-based testing reports, Infrastructure test reports document results from each stage of the test, such as information gathering, host discovery, vulnerability assessment, exploitation, and post-exploitation.

Objective-Based Penetration Testing

Objective-based penetration testing focuses on achieving a particular goal; the most common goals are gaining unauthorized access to systems or stealing sensitive data. Objective-based penetration testing typically starts by testing the security controls that protect external attack surfaces.

During an Objective-based engagement, tactics such as social engineering, phishing / spear-phishing, and physical penetration are usually considered in-scope activities, so that the engagement can tell the story of where a compromised credential or an installed executable could take an attacker. In addition to phishing, an Objective-based pentest includes a full Infrastructure pentest, an Active Directory assessment to identify weaknesses in passwords and configurations, and a ransomware assessment that identifies the potential impact of a ransomware attack given the current configuration and security controls.

Objective-based testing is a good fit when you want a red team exercise combined with a full pentest. This combination is not an offering unique to PlutoSec, but it is the engagement that adds the most value for our clients.

Why Is Infrastructure Penetration Testing Important?

Cybercriminals are becoming smarter and more malicious, deploying attacks that impose increasingly higher costs on victim organizations. A single security gap can lead to critical data being ransomed or even worse, permanently destroyed, and business operations being interrupted. Penetration testing is one part of a broader risk management program that seeks to ensure that an enterprise can sustain business operations indefinitely.

Penetration testing can increase security posture and attest the effectiveness of existing security controls and recovery plans across an organization. Pentesting can create more security awareness in an organization’s staff, spawn a better understanding of how cybersecurity interacts with an organization’s risk profile, and give defenders perspective on how attackers perceive opportunities presented by the network environment.

Although vulnerability scans may identify some types of known vulnerabilities, they are limited in scope and do not simulate an actual attack. Therefore, vulnerability scans alone cannot assure the effectiveness of existing security controls against a group of skilled and well-resourced human attackers, who may be able to chain several low-severity weaknesses together to gain access to sensitive systems and data and cause damage. Penetration testing is considered an important extension of an enterprise vulnerability management program.

Some organizations are required to conduct pentests, or to maintain a continuous pentesting regimen, to meet industry or regulatory compliance standards such as PCI-DSS for processing payment card data and HIPAA for organizations that handle personal health information. Alternatively, some companies seek compliance recognition, such as SOC-2 for companies that handle financial information, as evidence of their strong security posture to their customers and partners. Organizations also need to be audited and certified as compliant to be eligible for government contracts, and standards compliance demonstrates a leading approach to security to existing and prospective customers.

Infrastructure Penetration Testing Scope

Penetration testing scope is determined by the tactical goals and limitations of a pentesting engagement. In general, the scope of a test clearly outlines which infrastructure and approaches are considered in-bounds, and which are excluded.

The scope of an Infrastructure pentest can include both internal and external attack positions. Infrastructure testing does not include vectors such as social engineering tactics, phishing / spear-phishing, or exploiting physical security weaknesses. This is because Infrastructure testing assumes that the attacker is an insider, or has already penetrated external defences.

It may be beneficial to conduct Infrastructure pentests as white-box or grey-box engagements, and to include credentialed vulnerability scans, in order to identify gaps in hardening and patching that an uncredentialed scan would not uncover. White-box and grey-box testing also enable organizations to direct attention towards their own risk priorities, and to gain assurance where it matters most to them. Setting a narrow scope has the added effect of making a pentest less intrusive, because high-value target systems are identified beforehand and so false leads or non-critical assets are not probed or exploited.

Penetration Testing Methodology

Penetration testing methodologies are designed to replicate real cyber-attacks from a range of threat actors, from low-complexity attacks by script-kiddies to the highly sophisticated capabilities of nation-states and advanced persistent threat actors (APTs).

The most common types of threat actors, ranked from least to most sophisticated, are:

- Script Kiddies
- Hobbyists
- Hacktivists / Terrorist Groups
- Cyber-criminals
- Insider Threats
- Nation State / APT

Simulating a less complex script kiddie attack might involve preloading a USB device with a malicious script and attempting to connect it to systems that penetration testers can physically access, such as guest terminals, point-of-sale (POS) devices, or customer service desk systems. Simulating an insider threat could involve placing a weaponized USB extension cable in a restricted area to capture keystrokes and steal passwords. Simulating an advanced persistent threat (APT) might include reverse engineering open-source or proprietary software to find exploitable vulnerabilities, searching for exploits on the dark web, or developing custom exploits.

Penetration testers continually update their knowledge of the tactics, techniques, and procedures (TTPs) used by real-world attackers. These TTPs are organized into frameworks such as the Cyber Kill Chain, MITRE ATT&CK, and the MITRE Common Weakness Enumeration (CWE). Penetration testers use these frameworks to create strategies that replicate real-world attack scenarios.

MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) is a framework that details attacker behaviors and how TTPs are employed at different stages of a cyber-attack. It helps pentesters visualize the attack process as a series of interconnected attacks aimed at achieving the attacker’s objectives. The stages of a successful attack typically involve (1) gaining initial access, (2) escalating privileges to increase access levels, (3) identifying and targeting high-value assets, (4) exploiting those assets, and, if necessary, (5) pivoting laterally to compromise additional systems on the network.

Penetration Testing Tools

Penetration testing utilizes a diverse array of specialized proprietary and open-source tools, along with standard software development and business applications. The ecosystem of pentesting tools is continually updated by the global security research community and includes dedicated operating systems designed for penetration testing, such as Kali Linux, Parrot OS, and BackBox.

These tools serve various functions, including information gathering and network scanning to map the target’s attack surface, automated vulnerability scanning to detect weaknesses in endpoints or applications, sniffers and connection proxies to intercept and manipulate network traffic, and exploit frameworks to execute attacks against authentication services, protocols, and software applications. These attacks aim to gain initial access, escalate privileges, pivot to high-value systems, and exfiltrate or destroy sensitive data.

A comprehensive pentest toolkit also features stealers for extracting password hashes from devices, password cracking tools to recover passwords from these hashes, automated tools for executing brute-force attacks such as credential stuffing, and many other specialized tools and custom scripts. Additionally, penetration testing often employs standard OS tools such as Bash and PowerShell in a Living Off The Land (LOTL) approach.

Automated vs Manual Testing

Penetration testing encompasses both automated and manual methods. However, achieving a high level of security assurance primarily relies on manual techniques. Automated tools can efficiently scan network environments, devices, and applications to map attack surfaces and detect known vulnerabilities. Yet, manual techniques are essential for the actual exploitation process. These manual methods involve in-depth analysis of the target environment and may utilize pre-built exploit frameworks and custom exploit kits.

In fact, automated testing constitutes only 5% of a typical PlutoSec penetration test. The remaining 95% involves manually executed, real-life attack simulations that focus on exploiting identified vulnerabilities and misconfigurations.

How Frequently Should Testing Be Conducted?

Scheduling penetration testing is crucial for effectively managing an enterprise security program. Exposure time refers to the interval between vulnerability scans or penetration tests, during which new vulnerabilities may be disclosed or changes to the network environment or configuration might introduce new risks.

While large enterprises may implement continuous penetration testing programs, organizations without such programs should conduct testing at least once a year, and also after significant changes to infrastructure or business operations. This is particularly important for Infrastructure penetration testing, as testing should be performed following any substantial changes.

Penetration testing may also be mandated by regulations or industry standards aimed at enhancing overall security. For instance, companies handling payment card data must adhere to PCI-DSS, which requires penetration tests every three months or after major infrastructure changes. Similarly, SOC-2 Type 2 requires ongoing attestation of IT security compliance, necessitating a penetration testing program aligned with the organization’s operational and risk objectives.

Additionally, when considering a merger or acquisition (M&A), it’s advisable to request information about the frequency of penetration tests, reports, and remediation activities. This due diligence can offer valuable insights into the risk management practices and security posture of potential partners.

What Does Penetration Testing Cost?

The cost of a penetration test can vary significantly based on the scope and complexity of the engagement, with a typical range for a high-quality professional test falling between $5,000 and $150,000.

The key factors that most significantly impact the cost of a penetration test include:

- The complexity of the target environment
- The scope of the test
- The type of testing conducted (white-box, grey-box, black-box, internal, external)
- The extent of manual testing performed
- The length of the engagement

All these factors are discussed formally between the target organization and the penetration testing provider before testing begins.

By narrowing the focus to a specific set of assets or providing detailed information in advance (as in a white-box test), the cost of the test can be reduced. Organizations considering the value of penetration testing might start with a narrowly scoped test to evaluate its return on investment.

The Return on Security Investment (ROSI) metric is the appropriate method for calculating the ROI of penetration testing. ROSI is an alternative ROI calculation tailored for security-related investments. It compares the total avoided costs of potential security breaches against the cost of the penetration test. A generalized version of the ROSI equation is:

ROSI = (Avoided security costs – Testing cost) / Testing cost

For instance, if your company could potentially avoid a security breach costing $100,000 over the next year, and the penetration test is estimated to cost $10,000, the ROSI calculation would be 9 times the testing cost:

ROSI = ($100,000 – $10,000) / $10,000 = 9

What to Expect from a Penetration Test Report?

A penetration test report is the final deliverable provided by the pentest consultant once the testing is complete. This report aims to improve cybersecurity by addressing identified vulnerabilities and increasing security awareness within the organization by offering context for these issues.

The report is structured to prioritize vulnerabilities by severity and includes evidence of successful exploits, such as exfiltrated data, cracked passwords, or screenshots of unauthorized access.

Typically, the report starts with an executive summary that explains the test’s objectives, goals, limitations, and rules of engagement (ROE). It also details the methodology used to identify each vulnerability, provides descriptions of the vulnerabilities, suggests remediation steps, and gives an overview of the overall security posture of the tested environment.

After receiving the report, organizations generally have the chance to ask for clarifications. They may then decide to request further testing or begin the remediation process. It is advisable to perform follow-up penetration tests after remediation to confirm that security gaps have been effectively addressed.

Internal vs External Pentesting

The scope of a penetration test can be confined to internal, external, or both attack perspectives. The primary objective of an external penetration test is to identify sensitive information accessible from outside the network, determine if initial access can be achieved, evaluate whether sensitive data can be exfiltrated, and assess if the breach can be extended to other high-value systems.

Internal penetration tests focus on what an attacker can accomplish after gaining initial access, thereby assessing the effectiveness of internal network security controls. Given that employees already have access to internal resources, it’s crucial to ensure that the principle of least privilege is properly enforced, restricting access to only the services necessary for each job role. Additionally, it’s important to verify whether existing security controls can detect unauthorized access attempts and if vulnerabilities exist that could allow an insider to escalate their access privileges.

What Are the Phases of the Penetration Testing Process?

The penetration testing process begins with a discussion between the target organization and the testing entity. The initial aim is to outline the organization’s objectives for the penetration test, specify whether it will be conducted on production or development infrastructure, define the scope, and establish any rules of engagement (ROE).

During this initial consultation, other aspects of the testing process are also clarified, such as whether the test will be internal, external, or a combination of both, and whether it will be white-box, grey-box, or black-box. Once the engagement parameters are agreed upon, all penetration tests typically follow a consistent process, comprising the following stages:

- Information Gathering
- Discovery and Vulnerability Scanning
- Penetration Testing of Application and Network Layers
- Report Generation and Delivery
- Remediation of Identified Vulnerabilities
- Retesting of Target Infrastructure

How Long Does the Process Take?

Penetration testing engagements can range from a few days to several months in duration, with some large organizations even running continuous penetration testing programs. The length of the testing process can be influenced by specific goals, scope, types of testing requested, and the complexity of the target infrastructure.

Providing information before testing starts (e.g., for white-box or grey-box testing) can help save time by reducing the effort needed for information gathering. For instance, an organization might provide a comprehensive map of their internal network environment, including details on services and resources hosted on each node.

The time required to gain initial access can be unpredictable, potentially impacting efforts to test internal security controls. Infrastructure testing aims to streamline the process by focusing more on internal security controls and minimizing the time spent on initial access techniques.

Who Will Conduct My Penetration Test?

The role of a pentester, also known as an ethical hacker, is a specialized IT security position that demands specific training and certification. Ethical hackers can be generalists with broad penetration testing skills or specialists with advanced expertise in particular aspects of the pentesting process. Specialists may focus on specific exploitation frameworks, protocols, operating systems, or types of exploits.

The OSCP (Offensive Security Certified Professional) is a leading and globally recognized ethical hacking certification offered by Offensive Security. While Offensive Security provides several certifications, the OSCP is the most comprehensive and well-regarded. At PlutoSec, our team of dedicated ethical hackers holds the industry’s most advanced certifications.

All PlutoSec pentesters are required to have at least the OSCP certification. Although OSCP is the minimum requirement, many team members pursue additional certifications to further enhance their expertise, including:

- Evasion Techniques and Breaching Defenses (OSEP)
- Offensive Security Wireless Attacks (OSWP)
- Windows User Mode Exploit Development (OSED)
- Offensive Security Web Expert (OSWE)
- Certified Information Systems Security Professional (CISSP)
- Certified Information Systems Auditor (CISA)
- GIAC Web Application Penetration Tester (GWAPT)
- GIAC Mobile Device Security Analyst (GMOB)
- GIAC Systems and Network Auditor (GSNA)
- GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
- GIAC Certified Incident Handler (GCIH)

This enables our team of OSCP-certified penetration testing professionals to showcase their industry-leading, hands-on mastery of penetration testing.

How to Choose a Cybersecurity Company

There are numerous reasons to outsource penetration testing, with the primary one being that an external team can offer a fresh perspective on the target environment, potentially uncovering security weaknesses that an internal security team might overlook. Internal teams can develop assumptions and blind spots, whereas a motivated and specialized external pentesting team brings an unbiased viewpoint.

While many internal security programs rely on automated scanning tools to detect known vulnerabilities and misconfigurations, these tools cannot identify all vulnerabilities and may create a false sense of security if relied upon exclusively. Therefore, it is crucial to assess a cybersecurity firm based on their proficiency in advanced manual testing techniques.

Given the rising threat of ransomware, which increases the potential value of a cybersecurity breach, threat actors are now highly skilled and dedicated to developing custom exploits and mastering every trick in the cyber-attack playbook. A professional penetration testing team, equipped with specialized knowledge, skills, and tools, can simulate a wide range of realistic attacker tactics, techniques, and procedures (TTPs), providing more robust security assurances.

When choosing a penetration testing consultant, consider factors such as their reputation, trustworthiness, size, level of experience and professionalism (including certifications and statuses), and specialized skills relevant to the target organization’s environment.

Business Case

At PlutoSec, our Penetration Testing services assess the security of your IT systems by simulating a cyber-attack to uncover vulnerabilities that may be missed by other approaches.
