Penetration tests (also known as pentests) are vital to helping companies discover where they are most likely to face an attack. By identifying vulnerabilities before an attacker exploits them, businesses have a chance to fix them before it is too late.
Why Use a Penetration Testing Company Instead of In-House
If you’re wondering whether your internal security team can conduct a penetration test, the most crucial factor is their level of expertise. Conducting a pentest is a complex process that requires a specialized knowledge and skill set, not to mention access to specialized tools and software. The reality is that most companies don’t have the right tools, because it is not economically feasible to invest in the software (or the training) when they are not used on a continual basis.
For small to medium-sized businesses, the cost of training and managing an in-house penetration testing team can be substantial compared to engaging a penetration testing company. With a third-party penetration testing company, you bear only the service costs charged by the vendor, which makes it much more cost effective. More likely than not, the third party will also have substantially more penetration testing experience and knowledge than your internal team. Another common issue with an in-house penetration testing team is that it often has a hard time adopting the fresh perspective of an external attacker, since it already knows how the environment is supposed to work. This can result in missing crucial vulnerabilities.
Understanding the Approach Taken by Penetration Testing Companies
Partnering with experienced penetration testing companies helps ensure a strong security posture so businesses can shift their focus back to what they do best. Penetration testing companies typically employ one of several approaches, and understanding their strategy is important before deciding whom to engage.
There are typically three different approaches to a penetration test:
Opaque Box
Also known as: Black-box testing or closed-box testing
Overview: The team conducting the test has no visibility into or information about the internal structure of the network or application before starting. This is often combined with an external perspective, where all testing activity originates from outside the environment.
Pros: Quickest to run, since it typically relies heavily on automated tools.
Cons: Of all the approaches, this one is the most likely to overlook a vulnerability that exists within the internal part of a network or application. If the testers cannot breach the perimeter, any vulnerabilities in internal services remain undiscovered and unpatched. In addition, many defensive tools and configurations (perimeter filtering, rate limiting, WAFs) can prevent a vulnerability from being found during this type of test, but that does not mean the vulnerability doesn’t exist. This can result in a false sense of security that may be exploited by someone who has the time to explore the attack surface more thoroughly.
Semi-Opaque Box
Also Known As: Gray-box testing
Overview: This is often referred to as an assumed-breach test: the team has some knowledge of the environment and systems, as well as valid credentials, but does not have access to everything.
Pros: This is a more efficient and streamlined approach, since the penetration testing company starts with some background information and low-privilege account credentials. Not only does this save time in the reconnaissance phase, it also lets the testers focus their effort on exploiting potential vulnerabilities in higher-risk systems rather than spending time discovering where those systems are. An internal account also allows testing of security inside the hardened perimeter and simulates an attacker who has already gained a foothold (for example through phishing or a compromised credential) and has longer-term access to the network.
Cons: There aren’t many cons to this type of testing. It can be more expensive than an opaque box approach, and the results depend on the starting point chosen: the account, workstation, or network segment handed to the testers should reflect a realistic initial compromise, or the findings will not represent what an actual intruder could reach.
Transparent Box
Also Known As: White-box testing or open box testing
Overview: The team has full knowledge of the environment (architecture, configurations, and often source code) and full access to it.
Pros: This is a great way to identify what an insider threat, such as a disgruntled employee, could reach and do. With this approach, detailed information about the internal network structure and configuration is provided to the penetration testing company. This allows a comprehensive evaluation of the network’s security, including a search for access points between the external and internal networks that should not exist.
Cons: Because this approach mostly looks at vulnerabilities from an insider’s view, it does not necessarily show how a real-world external attack would unfold against the company. More data must also be released to the penetration testing company, which some companies are hesitant to provide (and gathering all the necessary information takes time). This approach can also be the most expensive, since it requires more time to review all aspects of the system thoroughly.
Which Approach is the Best?
When determining the best approach for a penetration test, the Red Trident team typically finds that the Semi-Opaque box approach, combined with an assumed breach, delivers the most value in most situations. It tries to answer the question “If a malicious actor were to get into the environment, how far could they get and what could they do?” rather than the outside-in question of “Can a malicious actor get into the environment?”
Another reason the Semi-Opaque approach is considered one of the most effective is time constraints. The active testing phase of a standard Red Trident penetration test takes place over roughly a 40-hour work week. Malicious actors are not bound by such limits; they can spend weeks or months in an environment gathering information and researching their target(s). Providing the testers with some knowledge beforehand compensates for that head start, which they would otherwise lack.
No matter which approach you decide on, Red Trident highly recommends that you also carefully consider how much experience the chosen vendor or partner has in penetration testing ICS/OT environments specifically. Red Trident always makes special allowances in ICS/OT environments for network and system availability (for example, avoiding aggressive scanning of fragile controllers during production) that not all penetration testing service providers will respect or even be aware of.
Pen Testing Companies that Offer Quick Results for Cheap
Some firms market themselves as a penetration testing company offering the quickest and most affordable pentesting solution on the market. In reality, what they offer isn’t pentesting but a very basic, automated vulnerability assessment. Although vulnerability scans can be helpful, they miss many vulnerabilities (business-logic flaws, chained weaknesses, anything requiring authentication or manual exploitation), which often gives companies a false sense of security. They can also produce many false positives, which makes it confusing to know what is accurate and where to even start. A simple check when evaluating a vendor: ask whether findings are manually validated and whether the report demonstrates exploitation rather than listing raw scanner output.
If the price seems too good to be true, it probably is.
Beware of One-Size-Fits-All Types of Approaches
Each organization has its own unique set of goals, strategies, network environments, processes, and outputs that together make every penetration testing engagement different. Before deciding on a penetration testing company, set up a call to learn more about their process.
Red Trident works directly with customers to determine a scope for the assessment and to gain an understanding of the business, its systems, and its particular concerns. For this reason, no two penetration tests with Red Trident are ever the same. Once a scope has been determined, a rules of engagement document is created to align expectations (targets in and out of scope, testing windows, points of contact, and what happens if a critical issue is found) and to ensure all work stays within the organization’s policies and constraints.
Additionally, the Red Trident team maintains an open line of communication and collaboration throughout the lifecycle of the project, so there is clear visibility into what the team is doing and what they have found, rather than being blindsided by a report at the end.
Penetration Testing Companies that Specialize in OT/ICS
If you’re in the critical infrastructure industry, partnering with a penetration testing company that understands OT (Operational Technology) and industrial control systems is vital.
Red Trident not only illustrates the potential pathways a malicious actor may take to achieve network access, but also looks for opportunities that could create OT-specific consequences such as loss of view, loss of control, loss of confidence in the process data, inhibition of response functions, or impairment of process controls.
Services Beyond Penetration Testing
When evaluating third-party penetration testing companies, you also need to decide whether you are looking for a short-term or a long-term relationship. Do you want a one-and-done company that just tells you what your vulnerabilities are, or a company that will be there through the journey in case there are items on your list that need outside help?
Unlike most penetration testing companies, Red Trident also has the expertise to offer remediation services. If you have your own team, that’s great! Red Trident is happy to step back while your team handles the remediation (or parts of it), or to provide training to your team if they need some assistance.