Often in discussions with customers and
potential customers, questions arise about our penetration testing services, as well as
penetration testing in general. In this post, we want to walk
through Mandiant's take on the five W's of penetration testing, in
hopes of helping those of you who many have some of these same
questions. For clarity, we are going to walk through these W's in a
foremost, it's important to be upfront with yourself with why
you are having a penetration test performed (or at least
considering one). If your organization's primary motivation is
compliance and needing to "check the box," then be on
the lookout for your people attempting to subtly (or not so
subtly) hinder the test in order to earn an "easy pass"
by minimizing the number of findings (and therefore the amount of
potential remediation work required). Individuals could attempt to
hinder a penetration test by placing undue restrictions on the scope
of systems assessed, the types of tools that can be used, or the
timing of the test.
Even if compliance is a motivating
factor, we hope you're able to take advantage of the opportunity
penetration testing provides to determine where vulnerabilities lie
and make your systems more secure. That is the real value that
penetration testing can provide.
Finally, if you are getting
a penetration test to comply with requirements imposed on your
organization, that will often drive some of the answers to later
questions about the type and scope of the test. Keep in mind that
standards only dictate minimum requirements, however, so you should
also consider additional penetration testing activities beyond the
really two "who" questions to consider, but for now we
will just deal with the first: Who are the attackers that
concern you? Are they:
- Random individuals on the
- Specific threat actors, such as
state-sponsored attackers, organized criminals, or hacktivist
- An individual or malware that is behind the
firewall and on your internal corporate network?
- Your own
employees ("insider threats")?
- Your customers
(or attackers who may compromise customers'
- Your vendors, service providers, and
other business partners (or attackers who may have compromised
The answer to this will help drive
the type of testing to be performed and the types of test user
accounts (if any) to provision. The next section will describe some
possible penetration test types, but it's helpful to also discuss
the types of attackers you would like the penetration test to
What type of penetration test
do you want performed? For organizations new to penetration
testing, we recommend starting with an external network
penetration test, which will assess your Internet-accessible
systems in the same way that an attacker anywhere in the world
could access them. Beyond that, there are several options:
- Internal network penetration test - A penetration
test of your internal corporate network. Typically we start
these types of assessments with only a network connection on
the corporate networks, but a common variant is what we call an
"Insider Threat Assessment," where we start with one of
your standard workstations and a standard user account.
- Web application security assessment - A review of custom web
application code for security vulnerabilities such as access
control issues, SQL injection, cross-site scripting (XSS) and
others. These are best done in a test or development environment
to minimize impact to the production environment.
engineering - Using deceptive email, phone calls, and/or physical
entry to gain access to systems.
- Wireless penetration
test - A detailed security assessment of wireless network(s) at
one or more of your locations. This typically includes a survey of
the location looking for unauthorized ("rogue") wireless
access points that have been connected to the corporate network
and are often insecurely configured.
If budgets were
not an issue, you would want to do all of the above, but in reality
you will need to prioritize your efforts on what makes sense for
your organization. Keep in mind that the best approach may change
over time as your organization matures.
In what physical location should the test take place? Many
types of penetration testing can be done remotely, but some
require the testers to visit your facility. Physical social
engineering engagements and wireless assessments clearly need to be
performed at one (or more) of your locations.
penetration tests can be done remotely via a VPN connection, but we
recommend conducting them at your location whenever possible. If
your internal network has segmentation in place (as we recommend),
then you should work with your penetration testing organization to
determine the best physical location for the test to be performed.
Generally, you'll want to do the internal penetration test from a
network segment that has broad access to other portions of the
internal network in order to get the best coverage from the
Another "Where" to consider for remote testing
is where the testers are physically located. When testers are in a
different country than you, legal issues can arise with data
provisioning and accessibility. Differences in language, culture,
and time zones could also make coordination and interpretation of
results more difficult.
that most organizations get some sort of security assessment on
an annual basis, but that security assessment does not
necessarily need to be a penetration test (see Penetration
Testing Has Come Of Age - How to Take Your Security Program to the
Next Level). Larger organizations may have multiple
assessments per year, each focused in a different area.
Within the year, the timing of the penetration test is usually
pretty flexible. You will want to make sure that the right people
from your organization are available to initiate and manage the test
- and to receive results and begin implementing changes. Based on
your organization's change control procedures, you may need to work
around system freezes or other activities. Testing in December can
be difficult due to holidays and vacation, along with year-end
closeout activities, especially for organizations in retail,
e-commerce, and payment processing.
If you have significant
upgrades planned for the systems that will be tested, it is
typically best to schedule the test for a month or two after the
upgrades are due to be finished. This will allow some time for the
inevitable delays in deploying the upgrades as well give the
upgraded systems (and their administrators) a bit of time to
"settle in" and get fully configured before being
Who (part 2)
"who" question to consider is who will perform the
penetration test? We recommend considering the following when
selecting a penetration testing provider:
- What are
the qualifications of the organization and the individuals
who will be performing the test? What differentiates them
from other providers?
- To what degree does their
testing rely on automated vulnerability scanners vs. hands
on manual testing?
- How well do they understand the
threat actors that are relevant to your environment? How well are
they able to emulate real world attacks?
deliverables will you receive from the test? Are they primarily
the output of an automated tool? Ask for samples.
they unbiased? Do they use penetration tests as a means to sell or
resell other products and services?
No doubt, there
are other questions that you will want to consider when scoping a
penetration test, but we hope that these will help you get started.
If you'd like to read more about Mandiant's penetration testing (and
other) services, you can do so here. Of course,
also feel free to contact
us if you'd like to talk about your situation and how Mandiant
can best assess your organization's security.