What is the best penetration testing methodology to follow in 2019?
Penetration testers are constantly in high demand as there is not enough supply for this valuable skill to businesses today.
With the rise of internet based companies and organizations developing larger networks for communication, document sharing among others…
There is a constant need to ensure all these information does not land into the wrong hands.
However, because of the rapidly changing nature of penetration testing, it has been hard to find a proper penetration testing methodology that always works.
This is compounded by the fact that there are different kinds of penetration testing and each one needs its own pentesting methodology.
If you are particularly interested in pentesting networks, then read my network penetration testing checklist.
In this article we are going to look at the penetration testing methodology and standards that you should follow in 2019.
Before we get right into the pentesting methodology, let’s look at 3 reasons why you should always follow a pentesting standard.
- A pentesting methodology would ensure you carry out a thorough test of operations so that every important check is run.
- A pentesting methodology helps you create maximum value to your client and ensure they get quality services that are measurable and repeatable.
- You’ll be able to deliver pentesting reports that other pentesters find detailed and meaningful if you follow a pentesting standard.
Now that you know why you should follow a penetration testing methodology, let’s now dive into the 7 step pentesting methodology.
It is important to note that, while there is not one methodology that fits all pentests, this methodology simply acts as a guide for you pentesting efforts.
You can always modify it depending on your current organization requirements.
During this first stage of the penetration testing methodology, you will gather all the tools, operating systems and software you’ll need to run your pentest.
The tools you choose will depend on the type and depth of penetration testing that you want to run.
It is also at this point that you establish a common understanding and agreement with the client about the major points of the task.
You’ll discuss, among other things, the scope of the pentest, time and budget estimations, communication channels and the rules of engagement.
From the combined years for experience of some of the most successful pentesters, some of the tools you’ll need at this stage include: Vmware, Linux or Windows based OS, a wifi adapter and spectrum analyzer.
Information gathering is the first stage of actual engagement in this pentesting methodology.
It is where you carry out a reconnaissance against your target in order to produce a highly effective plan to attack your target.
You’ll gather any relevant information about the organization or its staff that can help you gain access into the system.
Using automated tools you can get to know if the organization complies to certain compliance standards.
You’ll also combine manual analysis to get additional information about the business like physical location, business relationships, organization flow charts etc.
During the threat modelling stage of the penetration testing methodology, you use the information gathered in the previous stage to formulate an attack vector.
By analysing the information gathered before, you’ll be able to assess the targets in the organization for a vulnerability assessment.
While assessing the possible vulnerabilities, you are simply scouting for possible security loopholes…
… without really going ahead to prove if they are really explitable.
Determining actual exploitability if the vulnerabilities is determined at a later stage in this pentesting standard.
With an effective thread modelling, you’ll be able to simulate a more realistic attack on your target assets.
After developing a plan, you’ll launch a vulnerability assessment run on your target at this stage.
Vulnerability analysis is where you analyze the results from the vulnerability assessment you run in the previous stage of the pentesting methodology.
So you’ll first begin by discovering the vulnerabilities from the reports generated by the assessment tools previously used.
After which you’ll analyze the vulnerabilities according to their risk level to see which ones are worth paying attention to.
This will help you avoid wasting time on vulnerabilities that have low impact on the target network operation.
It is from these vulnerabilities that you’ll you’ll proceed to prove if they are actually exploitable by carrying out a real attack at a later stage on this pentesting methodology.
By using manual methods you’ll be able to validate false positives and create an attack tree.
After putting down a list of high risk vulnerabilities, you’ll then go ahead and launch a real attack on them to see if they are exploitable.
There are various automated software, frameworks and tools that are recommended by successful pentesters for exploiting systems to breach their security.
Your main goal is to establish access to the system or resource by bypassing security restrictions.
So you want to establish a backdoor entry point into the system so that you can compromise these high value assets or resources.
If your formulated a proper attack vector in the previous penetration testing standard stage, you’ll have prioritized high success and high impact targets.
Here are some of the tools that you could use to launch your actual exploitation: Metasploit Framework, SQLMap, Netsparker etc.
After exploiting the vulnerabilities and identifying your compromisable assets, you’ll need to analyze the results.
At this point you’ll determine the value of the machine compromised and it’s probability to be used to compromise the network further.
You’ll assess its value based on the sensitivity of the data stored in it and how this breach can impact the organization or business.
So you will want to identify sensitive data, configuration settings, communication channels and relationship with other devices that can be used to gain further access to the network.
These are the weak points that can be used to set up more methods of accessing the network at a later time by a malicious hacker.
Reporting is the final stage of this penetration testing methodology.
At this stage of the pentesting methodology, we’ll look at how to report your findings in a way that is understandable by the target organization.
It will detail the security flaws that will enable a potentially malicious hacker to compromise the system as well as recommendations on how to remedy them.
Your final report should focus on business impact while outlining the overall security posture, risk profile and recommendations.
Also remember to detail the technical aspect of your pentest including the scope, attack methods, impact and remedies of the pentest.
Penetration testing is a field that has attracted some of the best brains in the technology industry.
However, you can’t really train someone to become a great pentester…
Because penetration testing is not only an art but also requires you to be always inquisitive, at your top game, attentive, creative, patient and a very quick learner.
Not only does it require knowledge of various technologies and operating systems, but you also need a deep understanding of how things work.
This is why it important to always follow penetration testing standards to ensure every scope is covered in full.
Some clients might also ask you for your plans and skills, so you should be able to describe your pentesting methodology.
If you want to learn further how to actually implement these pentest standards, check out these penetration testing courses online.
Through these tutorials you’ll learn from expert penetration testers how to launch a thorough pentest on a network, web application, mobile app etc.
Have you used any of these penetration testing standards before? What do you think about this penetration testing methodology?
Please share your experience in the comments below.