How to Run a Successful Penetration Test
These seven tips will help ensure a penetration test improves your organization's overall security posture.
Penetration tests are an important part of any security program. Indeed, most companies in the Fortune 200 – maybe even the Fortune 2000 – are far enough along in their security maturity model to include at least annual pen tests, experts say.
Jim O'Gorman, chief content and strategy officer at Offensive Security, says the best pen tests are tailored to the company's goals, delivering actionable results that help it establish clearly identified next steps for continuing to improve its security.
"A tailored assessment ensures that what the assessment team looks into is what matters to your business," O'Gorman says. "It's really the difference between buying a product that's easy to deliver versus buying one that matches what your company needs to correctly improve its security posture."
Bottom line: It's not just about finding basic vulnerabilities. A pen test should be about improving overall security posture. Anything less is not worth the time, effort, and money.
Here are some tips to get you started.
Offensive Security's O'Gorman says to start like this: Determine why you want a pen test. Is the main goal to ensure compliance with standards such as HIPAA or PCI DSS? Or do you want to improve your overall security, such as detecting malicious events more quickly, minimizing the attack surface, and isolating successful breaches to limit the impacted areas? Is it about setting better policies that are more realistic for your threat environment? Or do you want to target the security of specific applications?
Pen tests are done as part of a security life cycle, O'Gorman says, and for validating controls that are already in place. If your organization has known issues with its controls, why would you pay someone to reiterate what you already know about your systems? Slow down and define the goals of the assessment first.
Now that you've established the pen test's goals, what resources do you have? How much can you spend? When does the work need to be completed?
No way around it, a good pen test can get expensive, says O'Gorman. A basic assessment is cheaper and easier to schedule. But if you need a thorough assessment of all major systems and applications, pen testing firms book far into the future -- and they don't come cheap. While some pen tests cost as little as $1,000, others can break six figures, sometimes up to $5 million, he says. The average small or midsize business with 100 to 500 employees should plan on spending at least $30,000 for a quality job. The price tag goes up from there.
Jay Paz, director of pentest operations and research at Cobalt, recommends that companies conduct a pen test at least once a year. However, companies whose development teams push frequent changes to production servers and applications should budget for quarterly pen tests. "The greater the risk, the greater the need for testing," Paz says.
If your organization has run pen tests before, review the results and any follow-up taken at the time, Offensive Security's O'Gorman says. Talk to your incident response team (if you have one) and see how many and what types of incidents they worked on. What's the status of your vulnerability management program? Get this level of information together in case the pen test provider asks for it.
Once you select a vendor, set the scope of work and rules of engagement. Realistically, this will make or break the pen test, says O'Gorman. So if you opted for a compliance-based assessment, don't include anything in the scope of work beyond what the regulatory requirements call for. Work with the vendor to cover the approach they will take and what they will (or should) prioritize while testing.
For example, if something goes wrong during the assessment, what should the vendor do? Who should they call? Once they compromise a system, should they stop? Or should they try to escalate, go deeper into the network, chase important IP, or move laterally to expand access into more systems?
You may or may not want a defender to work with the pen tester the entire time to answer questions and keep the assessment moving forward. It's very important to set such parameters before the work starts.
While the assessment proceeds, you should require regular updates -- but still give the vendor room to work. Offensive Security's O'Gorman recommends establishing a primary point of contact for clarifications or any logistical issues that may arise.
When responding to questions, though, consider what information to share with the vendor and whether it will help or hurt the project's goals. How much do you want to help them find the company's "crown jewels"? After all, attackers would have to figure that out on their own. But also consider whether not giving the vendor enough information takes time away from other work they could be doing, O'Gorman says.
Shay Nahari, vice president of red team services at CyberArk, suggests a simple rule of thumb for choosing between pen tests and red teaming: Penetration testing can help uncover vulnerabilities and mitigations in a clearly defined scope, such as an application or a specific set of systems. A red team exercise, by contrast, simulates the specific tactics, techniques, and procedures attackers might use to go after a company's crown jewels. Red team exercises show the company which data is most vulnerable and how attackers might get there.
Another way to look at it: Nahari says much depends on the scope of the project. For example, if a company plans to roll out a new product and just wants to see how the product holds up under stress, limited-scope pen tests are affordable and more appropriate.
Companies have to decide how far they are willing to go, says Cobalt's Paz. For example, do you want to put your people through a red team exercise? These exercises can sometimes cast them in a bad light, so top managers have to create a culture where workers are not singled out or fear for their jobs.
Management also has to decide whether they want red teamers snooping around their offices. Red teams will do things like get to know when the UPS or FedEx trucks come so they can sneak in during deliveries, Paz says. They may also hang out with people who smoke until they're part of the group and get let into the building. "Management has to decide that they are OK with exposing these weaknesses," Paz says.