A penetration test takes a vulnerability assessment to the next level. One of the initial phases performed by a penetration tester is discovery and vulnerability scanning to learn the IP addresses, device types, operating systems and vulnerabilities present on the systems. However, unlike a vulnerability assessment, the penetration tester does not stop there. The next phase of a penetration test is exploitation, which takes advantage of the vulnerabilities identified in the system to escalate privileges, gain control of the network, maliciously modify data, or exfiltrate sensitive data from the system. The exploitation phase starts with automated tools that the penetration tester can configure to execute automatic exploits against the systems (so-called script kiddie attacks). However, one key differentiator for sophisticated LP3 penetration testers is their ability to also perform manual exploits on the system that an automated tool may not have identified and exploited. Not all exploits are incorporated into commercial and open source scanning tools. An effective APT penetration test is a combination of automated and highly customized manual processes.
Penetration tests are categorized as white hat, grey hat or black hat tests. White hat tests are performed with the full knowledge of the target organization's IT department. Ahead of time, information such as network diagrams, IP addresses and system configurations is shared with the tester. The white hat approach tests the security of the underlying technology. The black hat test closely represents an external, uninformed hacker attempting to gain unauthorized access to a system. The IT staff may not be aware that a test is being performed, and the tester is not provided detailed information about the target environment. Black hat penetration testing evaluates both the underlying security technology configurations and the people and processes in place to detect, identify, and mitigate real-world attacks.
Penetration tests should be performed by a skilled penetration tester who has experience not only with commercial and freeware tools but also with manual exploits to compromise systems. The penetration test is only as good as the knowledge and ability of the penetration tester.
A pentest team may also perform Vulnerability Research Exploitation (VRE). VRE is a manual process assisted by automated tools. VRE may be used to create exploits such as buffer overflows. VRE is based on how the system under attack is currently configured. VRE is modeled after the Offensive Security Certified Expert (OSCE) methodology. VRE activities can be lengthy in scope and are recommended as a continuous activity even after the formal pentest completes.
Both the vulnerability assessment and the penetration test should be performed against internal and external servers and network devices. Testing the external interfaces simulates a hacker attempting to gain access from the Internet through publicly available interfaces. The internal test simulates a rogue employee or unauthorized user who already has access to the internal network and attempts to escalate their privileges to gain access to internal systems or data (an insider threat simulation using a standard user account).