Over the many years this service has existed, clients have got used to calling penetration tests by different names, such as pen test, pentest or even paintest. A penetration test is simply a simulation of a real cyberattack (with some restrictions that we will cover below). The main goal is to find a way to obtain access to a company’s or a person’s assets (funds, important data, etc.).
The main differences between a pentest and a real hacker attack lie in its restrictions:
- Law. All activities are performed only on the basis of a contract and approval documents from the client. Black hat hackers do not ask for any permission.
- Time. Black hat hackers are usually not limited by time: they can track the “victim” for years, identifying new security holes (vulnerabilities) in the systems it uses and sending hundreds of phishing emails one by one. White hat (ethical) hackers provide a professional service, so they tend to have strict deadlines, usually limited to a maximum of a few weeks.
- Budget. Black hat hackers may invest heavily in offensive tools, so-called cyber weapons (malware), including purchasing exploits (0-days and malicious viruses available only to hackers). White hat hackers are limited by their clients’ budgets.
- Depth of penetration. Black hat hackers do not limit themselves in which systems they try to break into. Ethical hackers have limitations: the list of systems that may be accessed is defined by the client (it may also be unlimited, but that is less frequent).
To compensate for these restrictions, white hat hackers receive some “benefits” compared to black hat hackers:
- The amount of information known about the client and the degree of the client’s involvement. In penetration testing terminology, we call this white, gray and black box testing. White box implies full disclosure of infrastructure, processes and systems (sometimes even source code for auditing), and the client’s staff are aware of the testing. Black box means a minimum amount of data (for example, the name of the organization, its website, etc.), and only a limited number of staff are aware of the penetration test (sometimes only top managers).
At some point, customers became unsatisfied with penetration tests in their classic form: white hat hackers would find one vulnerability or a chain of them, obtain the required access, and the project would end. Customers wanted white hat hackers to find all, or the maximum number of, vulnerabilities in their systems. That is how a new service appeared: a cybersecurity audit. In most cases it is still called a penetration test, although “penetrationS test” would be more correct 🙂
A penetration test of a website, mobile application or regular software is the name given to services that are essentially application security checks. Sometimes a source code audit (source code analysis) is added here.
As crowdsourcing became popular, bug bounty programs incorporated this trendy approach. Such programs operate all over the world. The clients are the largest international companies; the contractors are white hat hackers around the world. The idea: a company places an application to test its company or product (application security) on a platform and indicates the limitations and the amount of reward for vulnerabilities found (depending on their criticality); an ethical hacker looks for vulnerabilities and, if successful, receives the reward. There is also a special case of bug bounty, the bug bash: a time-limited event, usually part of a large conference, with the same conditions, where the reward is given for hacking the product. But there are some disadvantages to these approaches:
- A hacker is not always motivated to reveal an identified vulnerability to the owner of the product, as he or she can sell it for a better price on the darknet (the “underground” Internet) or to organizations that use such vulnerabilities to create cyberweapons. There are companies that make money selling found vulnerabilities to intelligence agencies, such as the French Vupen, the Italian Hacking Team, the Israeli Cellebrite, etc.
- In theory, product developers can collude with bug hunters by intentionally leaving security holes in the product, which are quickly “found” by the right hackers, who then share the rewards…
– Is there any way to make the pentest cheaper? Can’t you just scan our resources with automatic vulnerability scanners and give us a report?
– Yes, we can!
This is how the vulnerability scanning service was born. It is often sold under the name of penetration testing, although it is only a small part of one.
Pentesting can also take place under close supervision and even with active counteraction to the attacks. These kinds of “test cyberwars” are called red-blue teaming or red teaming. The red team is the attacking team, usually an external one, and the blue team is the defending team, usually an internal one.
What can be included in a full-fledged pentest?
It could include the following stages:
- Reconnaissance. The passive part is a search for all available information in public sources (OSINT); it is invisible to the client. The active part is the use of specialized tools to scan the client’s resources; it can be detected by intrusion detection systems.
- Analysis of the information obtained in the previous stage and planning of future attack scenarios.
- Carrying out the attack attempts planned in the previous stage. Attacks are conducted within the agreed restrictions and, if necessary, under the supervision of the customer’s technical staff, so as not to cause a serious failure or unavailability of the various systems.
- Preparation of the test results in the form of a multi-layered report that contains information understandable to general business managers and technical managers, as well as information for technical specialists.
Penetration testing can cover the full range of customer technologies: network, web, applications (mobile, desktop), Internet of Things (IoT), operational technology (OT, ICS, SCADA), etc. Hacking simulation may also include internal penetration testing (developing an attack after the network perimeter is breached), social channels (social engineering), as well as physical intrusion into the client’s premises using technology (ID card cloning, hacking the radio communication of access control systems, etc.), and sometimes even bypassing mechanical door locks (lock picking).
A good pentest practice is to check the business logic of applications and the impact of their vulnerabilities on the company’s business processes. In such a case, the report will contain more useful information for the client: it will be understood not only by technical specialists, and it will also allow the criticality of a particular vulnerability for the business to be determined more accurately.
The pentesting market is growing. According to some studies, it will reach $3.2 billion by 2023. What drives this explosive growth? First, an increase in the number of connected devices worldwide. Second, the growth of web and cloud-based business applications in organizations. The growing need for Internet of Things (IoT) security and the growing trend of Bring Your Own Device (BYOD) are expected to drive the penetration testing market in the coming years.