Cybercriminals are increasingly using more sophisticated attacks. If we want to ensure that we are evaluating our security effectively, it is necessary to copy the tools, tactics and procedures that attackers use in the real world. The way to do this is by performing a network penetration test , they are also known as Penetration Testing or Pentesting. Today we are going to give you some simple tips to improve these penetration tests.
Offensive teams to perform pentesting
When we are doing cyber security exercises, we call offensive or red teams, those members of the team that are conducting the penetration test. Its mission is to carry out attacks replicating the techniques, tactics and procedures (TTP) of cybercriminals. Apart from this, that red team will start their actions without prior knowledge about that company.
On the other hand, the organization will also not be notified of when exactly those tests will be performed. This red team is going to get going trying to bypass an organization’s security controls, while avoiding detection. In addition, it will perform an assessment on how well that company can identify, manage, resolve attacks and also assess the incident response procedures they have.
Things to consider in penetration testing
When a penetration test is performed, a set of established procedures is followed and within a predefined time frame. On the other hand, it is up to the company to establish which assets should be tested. Then, a report will be produced highlighting security issues and vulnerabilities found.
Traditional penetration tests are an important element of cybersecurity for many organizations because they provide a reliable measure of their security measures. However, sometimes a customer may classify assets as out of reach, and then the penetration test may not provide a true reading of the situation.
Therefore, in a penetration test approach with pre-defined ranges, it is quite likely that they will not measure the true ability of an organization to identify and act on suspicious activity and traffic. Another aspect to take into account is that imposing limits on the scope or duration of a test can make it little useful. The reason is that neither time nor scope is important to attackers. This is going to translate into results that are not going to be entirely reliable.
The objectives of the penetration test
Incorporating target-oriented penetration testing can enhance typical penetration testing systems. In this sense, the first thing we have to do is agree on the possible objectives of the attackers and establish a reasonable period of time.
The attacking team to achieve its objectives could:
- Perform a physical penetration test to gain unauthorized access to a building or office for the purpose of testing from there.
- Combine penetration testing of networks, web applications and mobile devices to gain unauthorized access to the internal network or private data.
- Use phishing and social engineering attacks to compromise company credentials.
The advanced penetration test
It should be noted that not all companies are prepared to carry out a test of this type. If we want to carry them out, some action frameworks must first be implemented.
The first thing we are going to need are regular security assessments . Thanks to them, you can determine if your information security posture is resilient and mature, and you have made progress in addressing identified vulnerabilities. Advanced penetration tests and assessments uncover more realistic threat profiles and attack scenarios. However, in the event that periodic evaluations are not performed, it is better than doing traditional penetration tests.
Another thing to count on is security awareness training . In that sense, without a mature awareness program for employees, an attacking red team could compromise the organization’s credentials through social engineering, or gain unauthorized access to mission-critical infrastructure through a physical penetration test.
You must also have mature security operations and intrusion detection . If the company does not have a good control and solution for intrusion detection, it will be impossible to measure the effectiveness of attack detection. Finally, a vulnerability management framework must be established to ensure that vulnerabilities are properly addressed in a timely manner and prioritized according to the risk they represent.
