We work with your executive team to identify the scope of the testing; the desired outcomes (report only; report and recommendations; or report, recommendations and remediation); the style of testing that is most appropriate; and finally the rules of engagement: what is permitted, what systems or techniques are off-limits and the extent of the testing to be done. For example, should a domain admin privilege escalation vulnerability be exploited to its full potential by taking control of your domain, or is a proof of concept sufficient, i.e. a “Kilroy Was Here” domain admin user is created?
Once the engagement has been agreed and scheduled, the reconnaissance and discovery phase begins.
This will include using automated scanners to identify open ports and the network services that are available. Depending on the type of testing being carried out, multiple scans may be completed from inside and outside your network.
These scans will help to identify the services that are running as well as discover potential vulnerabilities that could be exploited to get access to your network.
If the scope of testing includes user targeting, social engineering may be used to manipulate individuals into divulging confidential or personal information. This information can then be leveraged to exploit your network or applications.
With the reconnaissance completed, this information is aggregated and a plan is created on how the network or application will be attacked.
Using the potential vulnerabilities identified in the previous stage, our tester will then attempt to exploit them.
This can involve exploit tools in platforms like Metasploit, or custom-coded scripts that take advantage of specific vulnerabilities. Testing is usually carried out in order of ease of exploitation and criticality, i.e. an easy-to-execute exploit that gains the highest level of access would be one of the earliest items tested.
During this part of the test our testing team will be in constant contact with your stakeholders, keeping the relevant personnel up to date with the exploitation process. Occasionally, a client may want to terminate this portion of the test early if a serious exploit is found, in order to secure it immediately.
Once a particular vulnerability has been exploited, it may provide additional access into the network or application for further investigation.
If personnel exploits are included in scope, social engineering may be used to gain access by convincing a member of your staff to download and run a piece of software. USB drives may also be deliberately placed by our team around your premises. These drives would contain malicious software that is installed automatically when the drive is connected to a computer, allowing us to capture passwords, create users and extract sensitive data from your network.
Arguably, the most important part of penetration testing is communication. Our reports are written in plain English, explaining to the project stakeholders the vulnerabilities that were identified, how they were exploited and the outcomes or potential outcomes of such an exploit. Our reports contain non-technical descriptions of issues, as well as detailed technical deep-dives (where appropriate) into how each vulnerability was exploited.
Depending on the scope agreed, recommendations will be produced and, if we are engaged to do so, remediation will be carried out. It’s important that retesting is carried out to make sure that the vulnerabilities exploited have been appropriately secured.