numberwhun/10 steps to managing a successful network penetration test

## 10 steps to managing a successful network penetration test
How to take your pen test engagement to the next level

Much has been written about various tools and technical methods for running network penetration tests or pen tests. However running an effective and successful pen test requires some amount of technical management effort and planning to ensure that the test is successfully architected and executed. Below are 10 useful steps to consider and implement for your next network penetration test that will wow your  team!

1. Comprehensive network assessment

A typical pen test at the simplest level does a penetration test of the company’s network and systems from the outside (external to the network) and optionally a test from the inside (internal to the network). Many companies choose to stick with the external assessment only.

A good comprehensive pen test approach is to have an external test together with an internal test and explore what internal vulnerabilities can be exploited. This external-to-internal pivot approach provides good visibility into the effectiveness of your layered security program. Can an external phishing attempt on a single user result in a pivot all the way through to administrator privileged access of a high value internal restricted server? Which layers in your security program were successful in blocking the attack?

2. Plan and structure the tests for effective results

Treat a pen test as a project just as you would a technical system rollout. Obtain project management resources if possible and allocate dedicated information security and IT time and effort.

3. Ensure adequate time for upfront planning

Even with the right resource dedicated to the project, a well-structured pen test requires some amount of upfront time to plan out the details of the test, align test goals with management and the pen test team, and review and provide all the required details to the pen test team. Pay special attention to the Pen Test team’s pretest request for information. If incorrect IP addresses are provided, then some of the systems or IP ranges will be missing test coverage.

4. Create a communication and alignment plan

If the test involves a social engineering component, decide upfront who will be involved in the test. How many participants will be part of the candidate pool for the test phish email? If you are running a phone test of the IT helpdesk picking the right time and phone numbers to call can be important, if your company has different staffing levels on different shifts. Line up the right people in management who will be provided advance knowledge of the pen test and the individual social engineering tests. Most importantly make sure that the right people on the information security incident response team are aware of what’s going on, so that the team knows how to escalate pen test related results appropriately.

5. Explore the what-if scenarios

Are there some gaps or holes you’ve always wondered about but don’t generally fall into the classic pen testing modus operandi. A pen test is a good time to test out a theory of a possible vulnerability.

6. Monitoring plan

Plan an effective monitoring plan during the pen test. While the pen test is being done by an external team to test the layered defenses, it can also be a very good test of your monitoring and incident response program. This means documenting which systems, sensors and teams triggered alerts during the pen test. Plan for an after action review with the incident response analysts to review how the existing monitoring and sensors worked and use the lessons learned to update the information security program

7. After the pen test

Make sure that pen tests results are qualified by the right frame of reference. Many pen testers will provide a standard report based on a common template that they will reuse for each engagement. Sometimes a company will use the same pen testing provider and results can be compared over time. It is critical however to provide context and background to the results. For example if the number of vulnerabilities reported has doubled from last year, it is important to add the total number of endpoints scanned to the results. If the number of endpoints scanned has also doubled then your number of vulnerabilities per endpoint scanned has remained the same. If you can break the endpoints numbers out by servers and desktops…the more detail to help understand the context of the results the better.

8. Reporting to management

Ensure that reporting to management is part of the pen test engagement. Pen testers will often put together a detailed and very technical slide deck summarizing the test results. Best practice is to have one technical presentation going in-depth with the IT team (CIO and key managers) and a separate and shorter presentation for the executives summarizing the tests with focus on risk impact and mitigation plans. Plan for having the pen testers participate in internal presentations.

9. Scope and coverage

Pen testing today can be many things to many people. Consider not limiting your test to just the network or external facing systems? If you’re doing this test just once a year, how about combining your network pen test with a limited test of critical company websites and some physical assessments including wireless walk around testing and physical access testing.

10. Web application penetration testing

This is a follow from the previous point. Consider also doing an in-depth application penetration test of your web properties and external facing applications, based on your risk assessment needs and plans. I’ve kept this for last because it is indeed a whole topic by itself and subject for a future post. Today, the pen testing vendor market seems to be split with some vendors doing network pen testing only and others doing application pen tests only. The lines seem to be slowly blurring however, with a few network pen test vendors offering very limited application testing as part of the engagement.

Now go and run your awesome penetration test!
	How to take your pen test engagement to the next level

	Much has been written about various tools and technical methods for running network penetration tests or pen tests. However running an effective and successful pen test requires some amount of technical management effort and planning to ensure that the test is successfully architected and executed. Below are 10 useful steps to consider and implement for your next network penetration test that will wow your team!

	1. Comprehensive network assessment

	A typical pen test at the simplest level does a penetration test of the company’s network and systems from the outside (external to the network) and optionally a test from the inside (internal to the network). Many companies choose to stick with the external assessment only.

	A good comprehensive pen test approach is to have an external test together with an internal test and explore what internal vulnerabilities can be exploited. This external-to-internal pivot approach provides good visibility into the effectiveness of your layered security program. Can an external phishing attempt on a single user result in a pivot all the way through to administrator privileged access of a high value internal restricted server? Which layers in your security program were successful in blocking the attack?

	2. Plan and structure the tests for effective results

	Treat a pen test as a project just as you would a technical system rollout. Obtain project management resources if possible and allocate dedicated information security and IT time and effort.

	3. Ensure adequate time for upfront planning

	Even with the right resource dedicated to the project, a well-structured pen test requires some amount of upfront time to plan out the details of the test, align test goals with management and the pen test team, and review and provide all the required details to the pen test team. Pay special attention to the Pen Test team’s pretest request for information. If incorrect IP addresses are provided, then some of the systems or IP ranges will be missing test coverage.

	4. Create a communication and alignment plan

	If the test involves a social engineering component, decide upfront who will be involved in the test. How many participants will be part of the candidate pool for the test phish email? If you are running a phone test of the IT helpdesk picking the right time and phone numbers to call can be important, if your company has different staffing levels on different shifts. Line up the right people in management who will be provided advance knowledge of the pen test and the individual social engineering tests. Most importantly make sure that the right people on the information security incident response team are aware of what’s going on, so that the team knows how to escalate pen test related results appropriately.

	5. Explore the what-if scenarios

	Are there some gaps or holes you’ve always wondered about but don’t generally fall into the classic pen testing modus operandi. A pen test is a good time to test out a theory of a possible vulnerability.

	6. Monitoring plan

	Plan an effective monitoring plan during the pen test. While the pen test is being done by an external team to test the layered defenses, it can also be a very good test of your monitoring and incident response program. This means documenting which systems, sensors and teams triggered alerts during the pen test. Plan for an after action review with the incident response analysts to review how the existing monitoring and sensors worked and use the lessons learned to update the information security program

	7. After the pen test

	Make sure that pen tests results are qualified by the right frame of reference. Many pen testers will provide a standard report based on a common template that they will reuse for each engagement. Sometimes a company will use the same pen testing provider and results can be compared over time. It is critical however to provide context and background to the results. For example if the number of vulnerabilities reported has doubled from last year, it is important to add the total number of endpoints scanned to the results. If the number of endpoints scanned has also doubled then your number of vulnerabilities per endpoint scanned has remained the same. If you can break the endpoints numbers out by servers and desktops…the more detail to help understand the context of the results the better.

	8. Reporting to management

	Ensure that reporting to management is part of the pen test engagement. Pen testers will often put together a detailed and very technical slide deck summarizing the test results. Best practice is to have one technical presentation going in-depth with the IT team (CIO and key managers) and a separate and shorter presentation for the executives summarizing the tests with focus on risk impact and mitigation plans. Plan for having the pen testers participate in internal presentations.

	9. Scope and coverage

	Pen testing today can be many things to many people. Consider not limiting your test to just the network or external facing systems? If you’re doing this test just once a year, how about combining your network pen test with a limited test of critical company websites and some physical assessments including wireless walk around testing and physical access testing.

	10. Web application penetration testing

	This is a follow from the previous point. Consider also doing an in-depth application penetration test of your web properties and external facing applications, based on your risk assessment needs and plans. I’ve kept this for last because it is indeed a whole topic by itself and subject for a future post. Today, the pen testing vendor market seems to be split with some vendors doing network pen testing only and others doing application pen tests only. The lines seem to be slowly blurring however, with a few network pen test vendors offering very limited application testing as part of the engagement.

	Now go and run your awesome penetration test!