What do we mean by ‘Penetration Test’?

The term penetration test has long been used by the security industry to mean anything from an elite assessment that simulates a real life attack, to little more than an analyst pressing 'start' and 'stop' on an off-the-shelf scanning solution.

It’s important for organizations to be informed, so they can make better risk-based decisions. With that in mind, here are four different levels of security assessment and their appropriate uses that organizations can employ:

Vulnerability assessment

A vulnerability assessment makes use of automated tools to identify technical vulnerabilities in systems, either through their configuration or maintenance. These vulnerabilities are found by testing for known conditions, and are typically related to outdated software or default configurations that can be actively exploited.

Advantages:

• Broad coverage
• Minimal resources
• Simple fixes

Disadvantages:

• Risks are generic and without business context
• Time consuming to process results
• Likely to contain false-positives

System-driven penetration test

A system-driven penetration test builds on the vulnerability assessment by performing additional manual security testing. This involves exploring any exploitable vulnerabilities further to compromise the system or information exposed. It also identifies whether any access gained could be used as a pivot to target further systems.

Advantages:

• Verification of vulnerabilities and ease of exploitation
• Enables compliance tracking and metrics

Disadvantages:

• Limited business context
• Full coverage is resource intensive
• Attacks may not be realistic

Goal-driven penetration test

As the name suggests, goal-driven penetration test looks at attacker goals, not IT systems. The penetration test then seeks to achieve these goals through various means, identifying which attack paths are viable to achieve such a goal and which aren’t.

The scope is much broader (usually the entire organization) and supported with knowledge of the organization, but provides a more realistic view of how an attack would be conducted.

Advantages:

• Identifies real attack paths
• Lists business impact

Disadvantages:

• Attacks are conducted by ‘shortest path’ and may not cover all systems
• Doesn’t assess detection and response capabilities

Targeted attack simulation

A targeted attack simulation (TAS) looks to achieve the same objectives as the goal-driven penetration test but is conducted in line with how a real cyber attack would occur.

All stages of an attack, from target enumeration through to post-exploitation and exfiltration of data are executed. Acting with a degree of stealth allows the organization to determine not only if an attack’s possible, but whether their capabilities are sufficient to detect and respond to the attack within a reasonable time frame.

Advantages:

• Highlights detection and response capabilities
• Techniques used are aligned with the most likely threat actors

Disadvantages:

• Resource intensive