Holistic Penetration Testing – What Does It Mean?
One of the things you’ll hear us say a lot is that we try to make every test as holistic as possible, so that you truly understand the cyber risk to your organization. But what does that really mean? Are our penetration testers using herbs and essential oils rather than our standard technical tool-set? To set a baseline: this comes down to our core value of partnering with our clients, and making sure they not only get the most bang for their buck from every assessment, but also come away with as clear a picture of their risk as possible. Let’s break holistic penetration testing down a little further and discuss how we try to accomplish it.
What contributes to holistic penetration testing?
We try to uncover all vulnerabilities and weaknesses within the target scope – A penetration test is a lot more than a capture-the-flag exercise. To perform a thorough test we try to identify EVERY way into your network, rather than finding one way in and calling it a day. This starts with dedicated Open Source Intelligence (OSINT) gathering for each assessment we perform. By learning about the technologies in use, the company culture, and the employees before touching a single host, the attack team can test from the perspective of a sophisticated attacker who has done the same homework.
We emulate attackers, using real tools and techniques – Our goal is to assess our clients’ resilience against the attacks being observed in the wild. This ranges from low-effort attacks launched by “script kiddies” looking for an open door (think default credentials) to advanced exploit chains of the kind a nation-state actor might use. You may be less concerned about the latter scenario and not want to invest as many resources in preventing those attacks, and that is a legitimate choice; we want to give you all the information you need to make educated decisions about where to allocate your security resources.
We encourage clients to look at their organization’s risk as a whole – By combining multiple types of services into one assessment, you get a clearer point-in-time snapshot of where your security posture is weakest. Additionally, when multiple activities are in scope (e.g. external, internal, and social engineering), we will try to chain findings into a realistic attack path, showing how a set of individually modest vulnerabilities can be used in an attack from initial access to objective. This end-to-end picture often communicates risk and severity to upper management far better than a list of findings, allowing security to make a stronger pitch for budget where it’s most needed.
We encourage clients to choose a realistic scope – We can’t force every test to be holistic in the sense of being allowed to test all organizational assets, but we strongly encourage our clients to consider doing so where possible. Including all available hosts, systems, and devices helps avoid blind spots, gives a truer picture of risk, and ultimately lets an organization make more informed decisions about resource expenditures.
What we don’t mean by holistic penetration testing
So you don’t use a defined scope during testing? No, that is definitely not the case. As penetration testers, we have to strictly adhere to the agreed scope of the assessment, including the in-scope targets, testing windows, and any exclusions. Sometimes, for compliance purposes or to meet a specific organizational goal, you will have a specific subset of assets that needs testing, or an otherwise restricted scope. In that case we still perform holistic penetration testing of the in-scope assets, following the approach described above.
So you’ll combine services on your own initiative? No. While we encourage combinations (e.g. an external penetration test plus social engineering if you’re concerned about external, Internet-based threat actors), we will never go out of scope and do something you didn’t ask for during an assessment. The exact services we provide are detailed in our proposal and statement of work. Our methodologies are always provided as part of our services proposal (and are available as blogs, too!), and we stick to the activities described in the agreed scope.