No matter where you have worked in the last decade or more, it shouldn’t be a surprise that cybersecurity threats can pose great danger to your business. This is where the Penetration Testing Execution Standard (PTES) helps: developed by cybersecurity specialists from different fields working together, it gives a better understanding of where these threats can come from and sets out the baseline requirements for assessing a business’s preparedness for a cyberattack.
In this article we will take a closer look at what the Penetration Testing Execution Standard is, the 7 sections of a PTES, and how you can get one done for your organisation.
What is the Penetration Testing Execution Standard?
The Penetration Testing Execution Standard is the most recent penetration testing methodology to date.
Developed by a team of information security practitioners, its aim is to address the need for a complete and up-to-date standard in Penetration Testing – an ethical, simulated cyber attack on your systems. It guides security professionals to the threats and weaknesses in a system, informs businesses about what they should expect from a Penetration Test, and helps them scope and negotiate successful projects. It covers what and when, but goes much deeper into the how.
The PTES is made of two main parts which complement each other. The Penetration Test guidelines describe the main sections and steps of a Penetration Test, while the technical guidelines discuss the specific tools and techniques to be used in each step.
7 Sections of the Penetration Testing Execution Standard
PTES prioritises a basic set of norms that govern the minimum requirements for all Penetration Tests.
These norms are broken down into seven distinct areas, which correspond to the order of steps taken in any Penetration Testing agreement:
- Pre-Engagement Interactions
- Intelligence Gathering
- Threat Modelling
- Vulnerability Analysis
- Exploitation
- Post Exploitation
- Reporting
Pre-Engagement Interactions
This is where the main issues are outlined and discussed before any initial test begins. Testers will gather all the main tools, required OS and software to begin the Penetration Test. The required tools will vary depending on the type and scope of engagement, but this will be clarified by the tester at the time.
Goals are agreed and defined through this initial stage, and there is a common agreement reached with all parties involved. The main items discussed at this point:
- Scope Definition
- Time and Budget Estimation
- Dealing with Third Parties
- Communication Channels
- Incident Handling
- Rules of Engagement: times and locations, evidence handling, permission to test and legal considerations
Intelligence Gathering
The initial gathering phase is also called open source intelligence (OSINT). This is the compilation of all the information that may be useful in later stages of the testing process.
There are three levels of reconnaissance used at this stage:
Level 1: Compliance – based (mainly) on automated tools
Level 2: Best practice – includes automated and some manual tools
Level 3: State sponsored – full scope, includes automated and detailed manual analysis
The main steps of reconnaissance are defined as:
- Target Selection
- Open Source Intelligence (OSINT)
- Covert Gathering
- Footprinting
- Identification of Protection Mechanisms
Threat Modelling
This is the more traditional model of understanding assets and an attacker’s approach. It sets out to define the assets as business assets and business processes, and the attackers as threat communities and their capabilities. It then prioritises the information for modelling purposes.
Effective Penetration Testers will work with the host organisation to simulate more realistic attacks, so this phase is done in co-operation with the client organisation and covers:
- Business Assets
  - Data
  - People
  - Business Processes
  - Infrastructure
  - Information
  - More
- Threat Community Identification
  - Internal
  - External
- Threat Capability Analysis
  - Available Tools
  - Threat Motivators
Vulnerability Analysis
In vulnerability analysis, the Penetration Tester will be trying to identify the weaknesses in the target systems and processes which would allow an attacker to compromise the security controls protecting an asset.
The scope of the Penetration Test (agreed in the first stage) will define the breadth and depth of vulnerability assessment. For some, it will be a single vulnerability in a single system, whilst other tests will be broad and wide-ranging to uncover where all the relevant vulnerabilities lie.
PTES involves two main models:
- Passive
  - Automated
  - Minimal human involvement
- Active
  - In-depth activity from the attacker using vulnerability scanners
These initial results are followed by validation (correlation, manual testing and attack tree creation) and research (evaluating the exploitability of identified vulnerabilities).
Exploitation
Exploitation is arguably the most important part of the whole testing process. It begins with identifying the path of least resistance into the organisation without detection, the one having the most impact on the organisation’s ability to generate revenue (PTES 2012).
The attacker will use all of the compiled insight and information to launch one or more targeted attacks. By the end of the attacks, the Penetration Tester should be able to identify a set of the attack vectors which allow bypassing security controls and compromising the organisation’s assets.
What is important to note here is that the form of the attacks is determined by what has been learned in the previous stages of the Penetration Test.
The main points uncovered in this phase include:
- Awareness of Counter-Measures
- Evading Detection
- Customised Exploitation
- Zero-Day Exploits
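The validation step of vulnerability analysis mentions attack tree creation, and exploitation starts from the path of least resistance. The following is an added example, not from the PTES document or this article, that evaluates a small attack tree: OR nodes let the attacker choose the cheapest branch, AND nodes require every branch, and a defender can ask which single mitigation raises the attacker’s minimum effort the most. The tree, its node names and the effort costs are constructed sample values.

```python
from dataclasses import dataclass, field
from itertools import product
from typing import List, Tuple

@dataclass
class Node:
    """A node in an attack tree. Leaves carry an effort cost; OR/AND nodes combine children."""
    name: str
    kind: str = "LEAF"          # "LEAF", "OR" or "AND"
    cost: float = 0.0           # effort for a leaf; ignored for OR/AND nodes
    children: List["Node"] = field(default_factory=list)

Path = Tuple[float, Tuple[str, ...]]   # (total effort, leaves used)

def all_paths(node: Node) -> List[Path]:
    """Enumerate every way of achieving `node` as (effort, leaves)."""
    if node.kind == "LEAF":
        return [(node.cost, (node.name,))]
    child_paths = [all_paths(c) for c in node.children]
    if node.kind == "OR":                      # any one child suffices
        return [p for cp in child_paths for p in cp]
    if node.kind == "AND":                     # every child is needed: combine them
        return [(sum(p[0] for p in combo), tuple(l for p in combo for l in p[1]))
                for combo in product(*child_paths)]
    raise ValueError(f"unknown node kind {node.kind!r}")

def cheapest_path(node: Node) -> Path:
    """The path of least resistance: the lowest-effort way to reach the goal."""
    return min(all_paths(node), key=lambda p: p[0])

def best_single_mitigation(node: Node) -> Tuple[str, float]:
    """For each leaf, the attacker's new minimum effort if that leaf were fully mitigated.
    Returns the leaf whose removal raises that minimum the most (inf if no path remains)."""
    paths = all_paths(node)
    leaves = sorted({leaf for _, path in paths for leaf in path})
    new_minimum = {}
    for leaf in leaves:
        remaining = [cost for cost, path in paths if leaf not in path]
        new_minimum[leaf] = min(remaining) if remaining else float("inf")
    best = max(new_minimum, key=new_minimum.get)
    return best, new_minimum[best]

# Constructed sample tree (hypothetical findings, not from the article).
GOAL = Node("Access customer database", "OR", children=[
    Node("Exploit unpatched web app flaw", cost=4.0),
    Node("Use stolen credentials", "AND", children=[
        Node("Phish an employee", cost=2.0),
        Node("Bypass MFA", "OR", children=[
            Node("Weakness in MFA enrolment", cost=1.5),
            Node("Legacy VPN without MFA", cost=1.0),
        ]),
    ]),
])
```

Running `cheapest_path(GOAL)` shows the credential route through the legacy VPN as the least-effort path, while `best_single_mitigation(GOAL)` shows that addressing the phishing leaf (which sits under the AND node) raises the attacker’s minimum effort more than fixing the VPN alone.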
Post Exploitation
Post exploitation is equally as important as the previous stage.
The post exploitation phase helps the tester identify and document sensitive data, identify configuration settings, communication channels, and relationships with other network devices that can be used to gain further access to the network, and set up one or more methods of accessing the machine at a later time.
This phase helps the organisation gain a greater understanding of what is required to shore up its cybersecurity, covering activities such as:
- Determining value and functions of resources compromised
- Opening additional vulnerabilities for future re-exploitation
- Maintaining ongoing control of resources
- Avoiding recognition upon exit
Reporting
This is a relatively straightforward part of the process which helps both the testers and organisation set out what issues are required to be addressed. The reporting phase involves documenting the entire process in a format that’s appropriate for the client.
A standard Penetration Testing report includes two parts. The executive summary describes the specific goals of the Penetration Test and its main findings; it is written as an overview and aimed at the organisation’s management. The technical report describes in sufficient technical detail the scope, information gathered, attack path, impact and remediation suggestions of the test; it is aimed at the organisation’s technical staff.
PTES for Internal and External Penetration Testing
There is a need for both internal and external Penetration Testing, as covered in detail on our blog, where you can see the reasons why an organisation would choose to do some of the tests in-house and call in experts for the external tests as well.
As described in our blog, both approaches to Penetration Testing (internal and external) complement each other, and are essential to determine how vulnerable your systems are to attacks.
However, internal threats are rarer, whereas external threats are ever-evolving, more common and potentially more damaging. With external Penetration Tests, organisations can focus more on their most prominent vulnerabilities.
Internal and external Penetration Testing can help discover flaws in your cybersecurity program, and also validate your existing security policies and procedures.
How to Get a PTES Pen Test
For many organisations, getting a PTES Penetration Test can be confusing, but standards such as PTES can give you a better idea of what to expect when a Penetration Tester hunts for your organisation’s vulnerabilities.
The importance of external and internal penetration testing to an organisation cannot be overstated. Whether conducted by an internal team or expert third-party consultants like BlueFort Security, Penetration Testing is a necessary tool to determine how vulnerable your systems are to cyber attacks.
In Conclusion
Penetration testing has become the industry standard for understanding the threats posed to your cybersecurity, and how you can better protect your organisation from such attacks.
If you are looking to get a better understanding of where your organisation’s cyber weaknesses lie, BlueFort’s Evolve IT Services can not only help you to get a much better understanding of these threats, but also provide you with the solutions to protect your organisation in the long term.
Call 01252 917000, email enquiries@bluefort.com or get in touch with us via our contact form.