Oct
18

“Ma’am/Sir, we need to order a penetration test.”

There are a lot of thoughts and emotions that arise when someone says that sentence at a company. Whether it is an initial occurrence, a scheduled event, or because of an incident or breach, the feelings and thoughts tend to be the same. In order to break down the decision-making at this point, it is important to understand the situation. And more importantly, to understand what a penetration test is. 

At the most basic level, a penetration test is when an individual or team investigates your organization from the mindset of a malicious actor attempting to steal information or disrupt your business. The most common actions we see in the news in this regard are data breaches and ransomware attacks, sometimes both together. In either case, the results of this type of incident can be a loss of millions of dollars and a loss of customer trust.

The industry has developed a few models to describe the steps of a penetration test or a cyber attack, and they tend to work much the same. A well-known example includes Lockheed Martin’s Cyber Kill Chain. These models tend to look very similar to one another. They begin with reconnaissance, move to exploitation, then include some levels of internal action, and end with exfiltrating information or business disruption. Looking at all of those steps, a penetration test is having a trusted actor play the part of a malicious party while attempting to emulate this process against your organization, with full oversight, proper authorizations, and avoiding business interruption in the process. 

Why would you choose to have this done?
An organization likely has built a certain level of both physical and cyber security into normal operations. Money has been spent to ensure that data and personnel are safe. Perhaps some of that money was spent on automated tools to scan for vulnerabilities, or to monitor and prevent any malicious actions. But, has it actually been tested in a realistic manner?

That is why it is called a penetration test, because it is a controlled manner of examining the current security configuration of an organization from the perspective of an attacker with minimized risk to the business operations. Therein lies the value. Many industry professionals throw around the idea that approximately 15% of the organization’s budget should be spent on cyber security, and it can be difficult to see where there is a return on investment. At the same time, companies are happy to pay for locks on the doors, security systems throughout the facility, lighting, desks, cleaning services, and more. This is because those are seen as the price of doing business. In 2021, cyber security is part of the price of doing business. 


Often, penetration testing looks like an expensive single budgetary line item. In today’s landscape, that amount is a steep discount compared to the cost of a customer data breach or ransomware attack. REvil, in its latest series of attacks, set ransoms as high as $70 million. While their results and settled payments differed greatly from that initial price, a large U.S. company recently paid close to $4.5 million for a single ransomware attack. This price doesn’t reflect the added expense of lost production time, reputation impacts, B2B customer loss, down time, and legal fees, among a slew of other costs. Had a penetration test been utilized as a preventive measure, it would have been pennies on the dollar. 

A large concern besides price is often potential loss of data or loss of business operations during a penetration test, which is a considerable risk. This is mitigated by contractually setting scope limitations within the Service Level Agreement. Setting certain rules on what actions may be taken by the technicians and what sections of the business or network they have access to can help prevent these problems. It is common for a long discussion on these topics to precede a penetration test, to ensure business continuity, and a penetration testing team must gain authorization to act before engaging in any “hacking” or cyber attack activity against the target organization.

What does it all look like in action? 
Lockheed Martin’s Cyber Kill Chain is broken up into Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives. These steps can help dissect an incident and explain the steps to emulate a threat actor. To more easily visualize these steps, these concepts will be compared to a theoretical Las Vegas casino heist.

In Reconnaissance, the objective is to collect as much information as possible to learn about the target and prepare for future actions. This can be gathering information about the company in general, their website and other domain information, as well as any information about employees that may be useful. Or, it could be scouring social media or pulling usernames and passwords from past breaches, in hopes of using those credentials in some form later. For the heist example, this would be “casing the joint” to understand entrances, cameras, workers, possible underground entry, cleaning companies, food vendors, and more. Any of these could be a later method of gaining entry.

The Weaponization stage involves finding a use for the gathered data and coupling it with a backdoor to create a payload to give the attacker access to a company resource, like the web server or a user’s computer. The payload is then packaged for Delivery, which could be uploading a malicious file to the website or sending it in a phishing email to an employee, whose email address was found from a previous breach, social media, or on the company website itself. That file opens a backdoor on the computer by taking advantage of a vulnerability in underlying configurations or code, known as Exploitation. The malicious code runs on the system, Installation, and installs malware, like a backdoor or a reverse connection. With this backdoor or reverse connection, the attacker gains remote access to the target system, Command and Control.

In the heist example, the team might identify a big event with many caterers who have excessive access to both public and secure areas of the hotel. By impersonating a caterer, a heist team member can sneak past security and leave a door cracked open for the rest of the team to gain access. It could also include cracking the safe. Often there are a series of vulnerabilities to exploit.

The final stage, Actions on Objectives, involves stealing credentials, downloading files, gaining access to other systems on the network, or implanting ransomware. This is equivalent to the heist team removing the gold from the vault and bringing it out through the caterer vans.

In the end, a company can expect a report and debrief of the penetration test that includes all of the research found during intelligence gathering and reconnaissance. It should include the vulnerabilities found, including ones not utilized. And it likely will, most importantly, include remediation actions for risk mitigation moving forward. These are often broken down into price or value options.

The end goal for a penetration tester is to help an organization better prepare itself against potential threats by thinking like a threat actor and emulating their behavior. It is a mindset that enjoys researching adversary tactics, techniques, and procedures and then using the skills to emulate the Threat Actors within your target network. While difficult at times, it is something that anyone willing to put in the time and effort is capable of achieving.

Josh Mason
About Josh Mason

Josh Mason is a former US Air Force C-130 pilot turned cyberwarfare officer. Following a tour managing enterprise IT and security at the USAF Special Operations Command Headquarters base, Josh developed and instructed at the USAF Special Operations School. Following his Air Force career, Josh instructed at the DoD Cyber Crime Center - Cyber Training Academy, teaching hundreds of US military service-members and civilians in Digital Forensics, Threat Hunting, and Cyber Threat Emulation. Josh is now a Red Team Instructor here at INE building penetration testing and threat emulation content. Josh also runs the training information and giveaway organization, Cyber Supply Drop.

Subscribe to INE Blog Updates

New Blog Posts!