What Is The Penetration Testing Execution Standard?
No matter where you have worked over the last decade or more, it should come as no surprise that cybersecurity threats can do great damage to a business. The Penetration Testing Execution Standard (PTES) helps us understand where those threats can come from: cybersecurity specialists from different fields have worked together to define the baseline requirements for assessing a business's preparedness for a cyberattack.
In this article we take a closer look at what the Penetration Testing Execution Standard is, the seven sections of a PTES engagement, and how you can get one done for your organisation.
What is the Penetration Testing Execution Standard?
The Penetration Testing Execution Standard is the most recent penetration testing methodology to date.
Developed by a team of information security practitioners, its aim is to address the need for a complete and up-to-date standard for penetration testing, an ethically conducted, simulated cyber attack on your systems. It guides security professionals towards the threats and weaknesses in a system, informs businesses about what they should expect from a penetration test, and helps them scope and negotiate successful projects. It covers the ‘what’ and the ‘when’, but goes much deeper into the ‘how’.
The PTES is made of two main parts which complement each other. The Pentest guidelines describe the main sections and steps of a penetration test, while the Technical guidelines discuss the specific tools and techniques to be used in each step.
7 Sections of the Penetration Testing Execution Standard
PTES prioritises a basic set of norms that govern the minimum requirements for all pen tests.
These norms are broken down into seven distinct areas, which correspond to the order of the steps taken in any pen testing engagement:
- Pre-engagement Interactions
- Intelligence Gathering
- Threat Modelling
- Vulnerability Analysis
- Exploitation
- Post Exploitation
- Reporting
Pre-engagement Interactions
This is where the main issues are outlined and discussed before any testing begins. Testers gather the main tools, the required operating systems and the software needed to carry out the penetration test. The required tools vary with the type and scope of the engagement, and the tester will clarify them at this point.
Goals are agreed and defined in this initial stage, and a common agreement is reached with all parties involved. The main items discussed at this point are:
- Scope definition
- Time and budget estimation
- Dealing with third parties
- Communication channels
- Incident handling
- Rules of engagement – times and locations, evidence handling, permission to test and legal considerations
Intelligence Gathering
The initial gathering phase is also called open source intelligence (OSINT). It is the compilation of all the information that may be useful in later stages of the testing process.
There are three levels of reconnaissance used at this stage:
- Level 1: Compliance - based mainly on automated tools
- Level 2: Best practice - includes automated tools and some manual analysis
- Level 3: State sponsored - full scope, including automated tools and detailed manual analysis
The main steps of reconnaissance are defined as:
- Target selection
- Open Source Intelligence (OSINT)
- Covert gathering
- Identification of protection mechanisms
Threat Modelling
This stage follows the traditional ‘assets and attackers’ approach. It defines the assets as business assets and business processes, and the attackers as threat communities together with their capabilities, then prioritises that information for modelling purposes.
Effective pen testers work with the client organisation so that the attacks they simulate are as realistic as possible. The threat model covers:
- Business Assets
- Business Processes
- Threat community identification
- Threat capability analysis
- Available tools
- Threat motivators
Vulnerability Analysis
In vulnerability analysis, the pen tester tries to identify the weaknesses in the target systems and processes that would allow an attacker to bypass the security controls protecting an asset.
The scope of the pen test (agreed in the first stage) defines the breadth and depth of the vulnerability assessment. For some engagements it will be a single vulnerability in a single system, whilst other tests will be broad and wide-ranging in order to uncover where all the relevant vulnerabilities lie.
PTES describes two main models:
- Minimal human involvement
- In-depth activity by the tester, using vulnerability scanners
These initial results are followed by validation (correlation, manual testing and attack tree creation) and research (evaluating the exploitability of identified vulnerabilities).
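The validation step above (correlation, manual testing and attack tree creation) is easier to picture with data in front of you. The following is an added example written for this article, not PTES project code: it merges the output of two hypothetical scanners, marks findings that only one source reported as needing manual validation, keeps the higher severity where the scanners disagree, and then checks a small AND/OR attack tree to see whether a goal is reachable using only corroborated findings. All hosts, finding ids (the CVE-style ids are placeholders) and the tree itself are constructed for the example.

```python
"""
Vulnerability-analysis validation step: correlate findings from two scanners,
decide which need manual validation, and check them against a small attack tree.
Added illustrative example (not PTES project code); all data is constructed.
"""
from dataclasses import dataclass, field

# Constructed sample output from two hypothetical scanners. Hosts, CVE-style
# ids and services are placeholders, not real findings.
SCANNER_A = [
    {"host": "10.0.0.5", "port": 443, "id": "CVE-0000-0001", "severity": "high"},
    {"host": "10.0.0.5", "port": 22,  "id": "WEAK-SSH-CIPHERS", "severity": "low"},
    {"host": "10.0.0.9", "port": 445, "id": "CVE-0000-0002", "severity": "critical"},
]
SCANNER_B = [
    {"host": "10.0.0.5", "port": 443, "id": "CVE-0000-0001", "severity": "high"},
    {"host": "10.0.0.9", "port": 445, "id": "CVE-0000-0002", "severity": "high"},
    {"host": "10.0.0.9", "port": 80,  "id": "DEFAULT-CREDS", "severity": "critical"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def correlate(*scanner_outputs):
    """Merge scanner results keyed on (host, port, id).

    A finding reported by more than one source is treated as corroborated;
    one reported by a single source is queued for manual validation. Where
    scanners disagree on severity the higher rating is kept until a human
    decides, so nothing is silently downgraded.
    """
    merged = {}
    for source_idx, output in enumerate(scanner_outputs):
        for f in output:
            key = (f["host"], f["port"], f["id"])
            entry = merged.setdefault(key, {"sources": set(), "severity": f["severity"]})
            entry["sources"].add(source_idx)
            if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = f["severity"]
    result = []
    for (host, port, fid), e in merged.items():
        result.append({
            "host": host, "port": port, "id": fid, "severity": e["severity"],
            "status": "corroborated" if len(e["sources"]) > 1 else "needs_manual_validation",
        })
    # Highest severity first so the validation queue is worked in risk order.
    result.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]], r["host"], r["port"]))
    return result


def validation_queue(findings):
    """Ids of findings that a tester still has to confirm by hand."""
    return [f["id"] for f in findings if f["status"] == "needs_manual_validation"]


@dataclass
class Node:
    """Attack-tree node. A leaf references a finding id; an inner node is
    reachable if ANY child (OR) or ALL children (AND) are reachable."""
    name: str
    op: str = "OR"          # "OR" or "AND"; ignored for leaves
    finding: str = None     # finding id for leaf nodes
    children: list = field(default_factory=list)


def reachable(node, validated_ids):
    """True if the goal at `node` is reachable using only the findings in
    `validated_ids` (for example those confirmed by manual testing)."""
    if node.finding is not None:
        return node.finding in validated_ids
    results = [reachable(c, validated_ids) for c in node.children]
    return any(results) if node.op == "OR" else all(results)


# Constructed attack tree: the goal needs an initial foothold AND a way to
# reach the file server; either web-tier finding gives the foothold.
TREE = Node("read internal file share", "AND", children=[
    Node("initial foothold", "OR", children=[
        Node("web app flaw", finding="CVE-0000-0001"),
        Node("default creds", finding="DEFAULT-CREDS"),
    ]),
    Node("file server flaw", finding="CVE-0000-0002"),
])

if __name__ == "__main__":
    findings = correlate(SCANNER_A, SCANNER_B)
    for f in findings:
        print(f"{f['severity']:8} {f['host']}:{f['port']:<4} {f['id']:18} {f['status']}")
    confirmed = {f["id"] for f in findings if f["status"] == "corroborated"}
    print("goal reachable with corroborated findings only:", reachable(TREE, confirmed))
    print("still to validate by hand:", validation_queue(findings))
```

Two design points are worth noting. Keeping the higher of two disagreeing severities is deliberate: a downgrade should be a human decision recorded in the report, not a side effect of which scanner ran last. And evaluating the tree against corroborated findings only shows why a single unconfirmed "critical" (the default-credentials finding here) does not by itself decide whether the goal is reachable; the manual validation queue is what turns scanner noise into an attack path the client can act on.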
Exploitation
Exploitation is arguably the most important part of the whole testing process. It begins with ‘identifying the least path of resistance into the organisation without detection and having the most impact on the organisation’s ability to generate revenue’ (PTES 2012).
The tester uses all of the compiled insight and information to launch one or more targeted attacks. By the end of the attacks, the pen tester should be able to identify the set of attack vectors that allow security controls to be bypassed and the organisation’s assets to be compromised.
What is important to note here is that the form of the attacks is determined by what has been learned in the previous stages of the pen test.
The main points uncovered in this phase include:
- Awareness of countermeasures
- Evading detection
- Customised exploitation
- Zero-day exploits
Post Exploitation
Post exploitation is just as important as the previous stage.
The post exploitation phase helps the tester identify and document sensitive data, identify configuration settings, communication channels, and relationships with other network devices that can be used to gain further access to the network, and set up one or more methods of accessing the machine at a later time.
This phase gives the organisation a much better understanding of what is required to shore up its cybersecurity. Its activities include:
- Determining value and functions of resources compromised
- Opening additional vulnerabilities for future re-exploitation
- Maintaining ongoing control of resources
- Avoiding recognition upon exit
Reporting
This is a relatively straightforward part of the process which helps both the testers and the organisation set out which issues need to be addressed. The reporting phase involves documenting the entire process in a format that is appropriate for the client.
A standard pen testing report includes:
- An executive summary which describes the specific goals of the penetration test and its main findings. It’s written as an overview and aimed at the organisation’s management.
- The technical report which describes in sufficient technical detail the scope, information, attack path, impact and remediation suggestions of the test. It is aimed at the organisation’s technical staff.
PTES for Internal and External Pen Testing
There is a need for both internal and external pen testing and, as covered in detail on our blog, there are good reasons why an organisation might choose to do some tests in house and call in experts for the external tests.
As described in our blog, “both approaches to penetration testing (internal and external) complement each other and are essential to determine how vulnerable your systems are to attacks.
However, internal threats are rarer, whereas external threats are ever-evolving, more common and potentially more damaging to deal with. With external pen tests, organisations can focus more on their most prominent vulnerabilities.
Internal and external pen testing can help discover flaws in your cyber security program, and also validate your existing security policies and procedures.”
How to Get a PTES Pen Test
For many organisations, getting a pen test can be confusing, but with a standard such as PTES you can get a much better idea of what to expect when a penetration tester hunts for your organisation’s vulnerabilities.
The importance of external and internal penetration testing to an organisation cannot be overstated. Whether conducted by an internal team or by expert third-party consultants like BlueFort Security, penetration testing is a necessary tool for determining how vulnerable your systems are to cyber attacks.
Wrap Up
Pen testing has become the industry standard for understanding the threats posed to your cybersecurity and how you can better protect your organisation from such attacks.
If you are looking to get a better understanding of where your organisation’s cyber weaknesses lie, Bluefort’s Evolve IT Services can not only help you to get a much better understanding of these threats but also provide you with the solutions to protect your organisation in the long term.
Call 01252 917000 or get in touch with us via our contact form.