Application Security Penetration Testing Pre-Engagement

May 08, 2020

 Application Security Penetration

 Testing Pre-Engagement

Conducting a regular penetration test is a helpful way to identify serious vulnerabilities within your IT
environment. A trusted ethical hacker performs the penetration test using a methodical and thorough
approach.

The Six Phases of a Penetration Test:

These six phases are critical to the successful planning and execution of a penetration test.
Learn more about each of the phases of penetration testing in the points below.

1. Pre-Engagement Interactions

One over-looked step to penetration testing is pre-engagement interactions or scoping. During this pre-
phase, a penetration testing company will outline the logistics of the test, expectations, legal implications,
objectives and goals the customer would like to achieve.

During the Pre-Engagement phase, the penetration testers should work with your company to fully
understand any risks, your organizational culture, and the best pentesting strategy for your organization. You
may want to perform a white box, black box, or gray box penetration test. It’s at this stage when the planning
occurs along with aligning your goals to specific pentesting outcomes.

2. Reconnaissance or Open Source Intelligence (OSINT) Gathering

Reconnaissance or Open Source Intelligence (OSINT) gathering is an important first step in penetration
testing. A pentester works on gathering as much intelligence on your organization and the potential targets
for exploit.

Depending on which type of pentest you agree upon, your penetration tester may have varying degrees of
information about your organization or may need to identify critical information on their own to uncover
vulnerabilities and entry points in your environment.

Common intelligence gathering techniques include:Search engine queries
  • Domain name searches/WHOIS lookups
  • Social Engineering
  • Tax Records
  • Internet Footprinting – email addresses, usernames, social networks,
  • Internal Footprinting –Ping sweeps, port scanning, reverse DNS, packet sniffing
  • Dumpster Diving
  • Tailgating
A pentester uses an exhaustive checklist for finding open entry points and vulnerabilities within the
organization. The OSINT Framework provides a plethora of details for open information sources.

3. Threat Modeling & Vulnerability Identification

During the threat modeling and vulnerability identification phase, the tester identifies targets and maps the
attack vectors. Any information gathered during the Reconnaissance phase is used to inform the method of
attack during the penetration test.

The most common areas a pentester will map and identify include:



  • Business assets – identify and categorize high-value assets
    • Employee data
    • Customer data
    • Technical data
  • Threats – identify and categorize internal and external threats
    • Internal threats – Management, employees, vendors, etc.
    • External threats – Ports, Network Protocols, Web Applications, Network Traffic, etc.

A pentester will often use a vulnerability scanner to complete a discovery and inventory on the security risks
posed by identified vulnerabilities. Then the pentester will validate if the vulnerability is exploitable. The list
of vulnerabilities is shared at the end of the pentest exercise during the reporting phase.

4. Exploitation

With a map of all possible vulnerabilities and entry points, the pentester begins to test the exploits found
within your network, applications, and data. The goal is for the ethical hacker is to see exactly how far they
can get into your environment, identify high-value targets, and avoid any detection.

If you established a scope initially, then the pentester will only go as far as determined by the guidelines you
agreed upon during the initial scoping. For example, you may define in your scope to not pentest cloud
services or avoid a zero-day attack simulation.

Some of the standard exploit tactics include:


  • Web Application Attacks
  • Network Attacks
  • Memory-based attacks
  • Wi-Fi attacks
  • Zero-Day Angle
  • Physical Attacks
  • Social engineering
The ethical hacker will also review and document how vulnerabilities are exploited as well as explain the
techniques and tactics used to obtain access to high-value targets. Lastly, during the exploitation phase, the
ethical hacker should explain with clarity what the results were from the exploit on high-value targets.

5. Post-Exploitation, Risk Analysis & Recommendations

After the exploitation phase is complete, the goal is to document the methods used to gain access to your
organization’s valuable information. The penetration tester should be able to determine the value of the
compromised systems and any value associated with the sensitive data captured.

Some pentesters are unable to quantify the impact of accessing data or are unable to provide
recommendations on how to remediate the vulnerabilities within the environment. Make sure you ask to see
a sanitized penetration testing report that clearly shows recommendations for fixing security holes and
vulnerabilities.

Once the penetration testing recommendations are complete, the tester should clean up the environment,
reconfigure any access he/she obtained to penetrate the environment, and prevent future unauthorized
access into the system through whatever means necessary.

Typical cleanup activities include:



  • Removing any executables, scripts, and temporary files from compromised systems
  • Reconfiguring settings back to the original parameters prior to the pentest
  • Eliminating any rootkits installed in the environment
  • Removing any user accounts created to connect to the compromised system

6. Reporting

Reporting is often regarded as the most critical aspect of a pentest. It’s where you will obtain written
recommendations from the penetration testing company and have an opportunity to review the findingsfrom the report with the ethical hacker(s).
The findings and detailed explanations from the report will offer you insights and opportunities to
significantly improve your security posture. The report should show you exactly how entry points were
discovered from the OSINT and Threat Modeling phase as well as how you can remediate the security issues
found during the Exploitation phase.
Your penetration report will also include a helpful overall security risk score. It may be inspired by ITIL, FAIR, or DREAD methods and look something like this:



Your next penetration test can be an eye-opening exercise to improve your overall security posture. Imagine
having the peace-of-mind knowing exactly where your vulnerabilities are and how to remediate them over
the course of the next few months. Across each stage of the penetration test, your final report will glean
many informative results for your organization.


Did you enjoy this blog article? Comment below with your feedback.

No comments

Subscribe to: Post Comments ( Atom )