5 tips for a successful penetration testing program

With the rise in enterprise data breaches and ransomware cyberattacks making headlines, conducting thorough security assessments has become an inevitable part of running a business operation that handles customer data. The data protection requirements brought forth by compliance bills, both in the US and around the world have further put onus on organizations to improve security controls and harden the systems handling proprietary information.

These developments, however taxing in the short-run, should be welcomed as planning a cybersecurity strategy early on can be helpful in saving your company from hefty fines, embarrassment and the overall distress that could arise from a breach.  

A well-thought out security assessment, of course, involves a comprehensive penetration test of critical assets. We interviewed ethical hacking experts and network security specialists to provide insight on the matter. Below are some tips for a successful pentesting program.

1. Identify high-risk assets and business workflow

Understanding what high-risk assets are present in your organization and how they fit into the overall business logic is the key, moreso than using a standard security assessment checklist. When identifying high-risk assets and network segments to put through a pen-test, it helps to have a fuller picture of the weaknesses in your organization, which may require thinking outside the box. 

“When modeling good penetration testing methodology, testers should aspire to craft a specific model for their organization or the organization that they are testing against,” explains John Jackson, the founder of ethical hacking group, Sakura Samurai. “For example, penetration testers may know that they should be evaluating the login and logout functions of a web application or looking for out-of-date versioning on a server that could lead to remote code execution. The functions that most know to test for are low-hanging fruit, a given.”

“What about business logic flaws, or methodology that can lead to damaging business continuity or a loss of money/assets in unintended ways?” says Jackson. “What about privacy vulnerabilities that can damage the reputation of the organization, thus affecting stakeholder trust and overall reliability of services provided? Threat actors are crafty, and they don’t care about scope, nor intended versus unintended functionality.”

2. Vary pentest providers or expand their circle

“Even if you’ve found the best pentesters in the world, their approach, skills and tooling are not a superset of every other pentesting service. Different perspectives will uncover different issues. Be willing to try a new provider to see what value they offer, or cycle through a set you’ve been happy with before,” says David Maxwell, software security director at BlueCat Networks. Although this may mean stepping out of your comfort zone at times, it can also aid in keeping up with the latest cybersecurity trends and promote collaboration.

Jackson also elaborated on this point when it comes to expanding the pentesting team—whether in-house or a contracted one, stressing that offensive security is a team effort. “Facilitating and instructing team members to actually work as a team will be the make it or break it for an organization’s ability to learn adequate defense methodology.”

“A tester may be skilled in the art of web application hacking, while another may have a heavy software engineer background, or IoT hacking capacity,” says Jackson. “Penetration testing models should stress the importance of combining these skills for escalating vulnerabilities to achieve maximum impact. For example, a penetration tester may achieve remote code execution on a web application but may not be able to obtain a reverse shell on the server because of network filtering rules, etc.”

Although remote code execution is already a critical finding, Jackson points out that the next level escalation may require a more experienced team member with background in bypasses and vulnerability chaining. Therefore, varying pentest providers, or encouraging in-house penetration test teams to collaborate both internally and with externally contracted teams can help you get optimal value from a pentest that would now emulate a realistic exploitation scenario by sophisticated threat actors.

3. Know the IT and cybersecurity infrastructure

An in-depth knowledge of your cyber infrastructure and what devices belong on the production network and where are vital before even hiring a penetration tester. “Remember to periodically do a deep dive on infrastructure elements—e.g., for DNS, are you protecting against tunneling/exfiltration, typosquatting domains, or using threat intelligence to apply policy? The same applies to your firewalls, identity management, authentication, and storage,” says Maxwell.

The ongoing cyberattacks by the Clop ransomware group against companies using the vulnerable Accellion FTA devices further substantiate this point. The Accellion breach has resulted in extortion attempts against multiple companies that used its file-transfer product, FTA.

One of the latest victims of the Accellion series of attacks is cybersecurity firm Qualys. According to one news report: “The Accellion FTA device was located at fts-na.qualys.com, and the IP address used by the server is assigned to Qualys. Qualys has since decommissioned the FTA device, with Shodan showing it was last active on February 18, 2021.”

By exploiting the internet-facing FTA device, the Clop ransomware group could breach Qualys’ networks, impacting a small number of its customers. However, advance infrastructure planning by Qualys saved the day because this appliance was deployed on a demilitarized zone (DMZ), a separate network from its production systems. “There was no connectivity between the Accellion FTA server and our production customer data environment (the Qualys Cloud Platform),” explained Ben Carr, CISO of Qualys.

This marks a real-world example of how knowledge of your network infrastructure and segregating devices appropriately can help, even if a vulnerable device on a particular subnet was to get breached, the security controls in place make a penetration tester’s or threat actor’s job harder to reach mission-critical targets.   

4. Define what’s in the pentest scope

Once you have performed an in-depth mapping of your networks and systems and understood what lives where on your enterprise network, the next step is defining what should be in scope for the pentest and writing out the rules of engagement. Would this be a white-box or black-box pentest? Will it only cover targeting employee workstations or target production servers at off-hours too? Should you include domain-takeover risks as a part of the scope?

This is not much different from companies crowdsourcing security via bug bounty programs, for which companies explicitly dictate what systems are okay to test and what remains off-limits. Doing this protects both your assets and can help minimize legal liability for your penetration test providers.

5. Watch out for evolving threats and regulation changes

In the last decade, threat actors have constantly evolved their tactics, targets and attack vectors. Even the incentives have largely changed. For example, whereas most sophisticated threat actors behind ransomware attacks have been interested in extortion as their motivation was monetary gain, the ones behind the SolarWinds supply chain attack were interested in nation-state espionage. As a consequence of these widespread supply chain attacks, regulators have stepped up globally to enforce additional rules on software vendors. The Monetary Authority of Singapore (MAS), for example, now demands all financial institutions to assess their software vendors; and demonstrate that the software source code is thoroughly tested and adheres to safe programming practices.

Whereas previously threat actors were exploiting publicly known vulnerabilities, newer threats which are harder to detect in advance, like zero-day exploitation and supply chain attacks like “dependency confusion,” are becoming the norm and prompt for newer pentesting strategies. Malicious copycat attacks appeared shortly following Alex Birsan’s proof-of-concept attack that had hit over 35 tech organizations including Microsoft, Apple, Tesla and Uber.

Therefore, whereas previously pentesters may have only focused on exploiting known vulnerabilities in systems, the efficacy of supply chain attacks and the novel dependency confusion attacks opens up room for more possibilities for the pentester. This also means, pentesting providers need to account for this added surface vector and ensure this is covered by the scope of their engagement.