Most organizations are wisely running pen tests on a regular basis. Just like going to the doctor for a yearly physical, these engagements allow an organization to gauge its security posture against real-world threats.
The results of a proper pen test provide feedback on current security strategies and help guide initiatives within the organization, but, like any technical engagement with a defined scope, approaching it with some foreknowledge will help you get the most value from it.
Below are 6 tips to get the most out of a penetration test.
1 Discuss your goals
There are many reasons why organizations perform penetration tests, including legal or regulatory compliance, due diligence around a merger, recent large changes in infrastructure, new software releases, etc.
It is important to discuss your goals, concerns, and limitations with your pen testing team. Seek and be open to advice from the team. Some items worth discussing may be:
- What are the organization's potential attack surfaces (external, internal, web apps, social engineering, mobile apps, cloud, etc.)?
- Are there any compliance standards that your organization must abide by, such as PCI, HIPAA, etc.?
- Is your organization undergoing, or has it recently completed, any migrations or infrastructure changes?
- What are the organization's biggest concerns? Are there any specific tests that should be performed or that the pen testing team recommends?
- Are there any limitations that could complicate the testing efforts (fragile legacy systems, third-party hosting that requires prior authorization, restricted testing windows)?
Having these deeper conversations early ensures the project is scoped properly and that the tests yield more valuable information.
At the end of the day, you shouldn’t be looking for a team that is only there to “break in,” but rather a team that is intentionally working with you to truly test your security assumptions.
2 Get the lay of the land
Assuming you have the resources, use your in-house vulnerability management program, monitoring, and similar sources to draft some general expectations about where the weak spots are. You can use this information either to remediate easy low-hanging fruit ahead of time or at least to map out areas of interest you want the testers to dig deeper into. It also helps ensure the scope is complete.
Do not, however, get caught up in the mindset that “everything needs to be fixed before we have a pen test.” The only failed pen test is the one that was never performed.
3 Develop a relationship with the pen testing team and communicate often
Find a team that is open to communicating. This doesn't mean they need to report every second of what is happening, but some transparency on progress and findings helps you understand the process, remediate critical issues on the spot, and clear blockers faster.
Some pen testing teams include project managers to assist with blockers or facilitate communications.
When the report is done, take the time to discuss the results with the pen testers. Discuss not only the short-term remediation but also the longer-term strategies that would make their job harder next time. The goal is to make each successive pen tester work harder.
Furthermore, a consistent pen testing partner is beneficial, as they develop a deeper understanding of your organization, infrastructure, and systems. They can provide a more comprehensive picture of how your posture is changing over time and of the recurring weak spots.
4 Provide accurate scope
Most penetration tests are intended to gauge the organization's security posture against real-world threats in a controlled and time-boxed engagement. Since the goal is to get actionable data within a reasonable amount of time, it is important to provide scope that is as complete and accurate as possible. Depending on the type of pen test, this may include IP ranges, URLs, application credentials or test accounts, etc.
Ultimately, this lets the testers spend their time actually testing your security posture instead of working out what the organization's real footprint is. Remember that an attacker has all the time in the world, while a pen testing engagement has a finite number of hours that are better spent testing your systems.
5 Don’t alert SOC or artificially block the test
Someone in the chain of command should know about the engagement, but you get the most out of the pen test if the SOC/Blue Team isn't made aware. This way you can also gauge your actual monitoring visibility and the team's response to what looks like an active threat.
Discuss your security defense mechanisms (firewalls, WAFs, IDS, EDR, etc.) with your tester.
Depending on your goals, it is often a good idea to run tiered tests. For example, you may want to see how effective your WAF is at protecting your web applications, but also find the underlying issues in the application itself that the WAF is masking.
You could whitelist the testers' source IP so they can compare the target application with and without the WAF in front of it, giving you a much deeper understanding of the web app's security posture. Remove the exception when the engagement ends.
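One way to set up this kind of tiered test, as an added example that is not from the original article: a ModSecurity v2 (Apache) snippet that exempts a single tester IP from blocking while still evaluating and logging every rule, so you keep a record of what the WAF would have stopped. The article names no WAF product; ModSecurity, the address 203.0.113.10 (a documentation range) and the rule ID are assumptions.

```apache
# Added example: exempt the pen tester's source IP from WAF blocking for the
# duration of the engagement. 203.0.113.10 is a placeholder (RFC 5737 range);
# replace it with the address the testing team gives you.
SecRuleEngine On

# Phase 1 runs before the request body is inspected, so this exemption is
# evaluated before any blocking rule. DetectionOnly keeps every rule running
# and logging but stops them from blocking, which gives you a
# "what would the WAF have stopped" audit trail while the tester reaches
# the application unfiltered.
SecRule REMOTE_ADDR "@ipMatch 203.0.113.10" \
    "id:900900,phase:1,pass,log,msg:'Pen test source IP - WAF in detection only mode',ctl:ruleEngine=DetectionOnly"

# Do NOT use ctl:ruleEngine=Off here: that skips rule processing entirely, so
# you lose the comparison data that makes the tiered test worthwhile.
# Remove this rule when the engagement ends.
```

If the WAF sits behind a load balancer or CDN, REMOTE_ADDR will be the proxy's address rather than the tester's; match on the forwarded client address your setup trusts instead. Either way, confirm that the origin is not reachable directly from the internet, or the "with WAF" half of the comparison is meaningless.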
While it's highly uncommon, it goes without saying that creating artificial blockers that are normally not there in order to hamper the test will invalidate the results and defeat the whole purpose of the pen test.
6 Don’t wait until the last second to schedule a test
Q4 is infamously a hectic quarter as organizations scramble to fit in pen tests for compliance or budgetary reasons. This can leave you in a tight spot with fewer options, resources, and/or higher cost.
Schedule penetration tests with ample lead time to get more flexibility, better tester availability, and room for follow-up remediation testing if needed.
Good luck! But remember, no luck is needed. A pen test is not pass/fail. It is a way to accurately measure all the work you've done to prepare your security posture, and hopefully a way to keep improving and keeping pace with the ever-evolving threat landscape.