Hidden vulnerabilities in an organisation’s computer networks, systems and applications can lead to significant security risks, but how do pen testers go about uncovering them?
Penetration testing plays a key role in identifying and addressing vulnerabilities by simulating the behaviour of a potential attacker. A range of penetration testing methodologies have been developed to enable security professionals to achieve this safely and effectively. In this blog post, we discuss the leading pen testing methodologies, including OSSTM, OWASP, NIST, PTES, and ISSAF, what they involve and the aspects they cover.
Why are pen testing methodologies important?
As an ethical cyber security assessment that helps organisations strengthen their cyber security posture, penetration testing is a complex process with the potential, if poorly executed, to miss important vulnerabilities and leave an organisation exposed. Completing pen testing in alignment with structured frameworks and methodologies ensures that it meets specific goals and covers all the required areas. However, a one-size-fits-all approach to pen testing is not appropriate, as every organisation and environment is different.
Pen testing methodologies – the top 5
It’s important to carefully consider whether a pen testing methodology provides the appropriate level of assessment for your organisation. This is achieved by gaining an understanding of the main types of methodologies, which include:
The Open Source Security Testing Methodology Manual (OSSTMM) aims to provide a scientific process for defining operational security, with the focus on verified facts.
The OSSTMM covers the majority of the ten security domains identified by the International Information System Security Certification Consortium (ISC)². The domains are divided into five channels or security areas to enable organisations to assess how well their security processes function. Continuously updated, the OSSTMM methodology is peer-reviewed and maintained by the Institute for Security and Open Methodologies (ISECOM).
A key point to note about the OSSTMM is that it was developed as a security auditing methodology to assess against regulatory and industry requirements, rather than being intended as a standalone penetration testing methodology. It is intended as a basis for a pen testing methodology geared towards the required regulations and frameworks. This means it is not as comprehensive as, for example, the Information System Security Assessment Framework (ISSAF), and it doesn’t provide tools or approaches for completing modules. However, it is a valuable resource that can help organisations meet regulatory requirements when used by specialists with the right level of technical knowledge.
Recognised by developers and security professionals around the world, the OWASP Top Ten outlines key vulnerabilities that affect web application security. It was created by the Open Web Application Security Project (OWASP), a not-for-profit foundation that supports organisations to improve the security of their web applications.
First published in 2003, the OWASP Top 10 is updated every three years. It provides a hierarchy of the most common web application security issues to help organisations to identify and address them according to prevalence, impact, method of exploitation by attackers, and ease or difficulty of detection.
OWASP pen testing covers the assessment of web applications to identify vulnerabilities outlined in the OWASP Top Ten. An OWASP pen test is designed to identify, safely exploit and help address these vulnerabilities so that any weaknesses discovered can be quickly addressed.
The OWASP Testing Guide (OTG) is divided into three key sections: the OWASP testing framework for web application development, the web application testing methodology, and reporting. The web application methodology can be used on its own or with the testing framework, while the framework can be used to build a web application focused on security, followed by a pen test (web application methodology) to test the design.
A key difference between OWASP and other penetration testing methodologies is that the OTG is solely focused on web application security throughout the whole software development lifecycle, unlike the ISSAF and the OSSTMM for example, which are aimed at security testing and implementation. Another difference is that the OWASP addresses controls while the OSSTMM does not.
The penetration testing execution standard (PTES) was created to offer a structured framework to outline what organisations should expect from a penetration test. Apart from being one of the most recently developed pen testing methodologies, it is argued that the PTES is one of the most comprehensive.
Made up of seven main sections covering all aspects of a pen test, it aims to create a baseline for penetration tests to give security practitioners and/or organisations a reference point for what to expect in relation to penetration testing requirements. It also seeks to give organisations and security service providers a common language and scope for performing tests.
A second version of the PTES is currently in development, with the aim of taking a more granular approach to the level of intensity at which each of the elements of a penetration test can be performed. This will help organisations to define the level of sophistication they anticipate from their adversary, and it will allow the tester to increase the intensity accordingly in the related areas.
While the PTES standard does not provide any technical guidelines around how to execute an actual pen test, there is an additional technical guide to accompany the standard. This makes the most of other available resources by referencing methodologies such as OWASP.
The Information System Security Assessment Framework (ISSAF) is supported by the Open Information Systems Security Group (OISSG). It links individual pen testing steps with specific tools and aims to provide a complete guide to conducting a penetration test and enable organisations to develop their own pen testing methodology.
The ISSAF divides the pen testing process into three key phases: planning and preparation, assessment and reporting, cleanup and destroying artefacts. The key defining characteristic of the ISSAF is that it provides comprehensive technical guidance on testing, unlike other methodologies, such as the OSSTMM, which is mainly an auditing methodology. However, while it is a valuable reference source that provides foundational and comprehensive guidance for individuals in the industry, it is no longer maintained, and is likely to become increasingly out-of-date.
The National Institute of Standards and Technology (NIST) cyber security framework provides a structured set of rules, guidelines and standards for organisations. It categorises all cyber security capabilities, projects, processes and daily activities into five core functions to help companies better understand, manage and reduce their cyber security risks.
As part of the framework, NIST penetration testing is a pen testing methodology that aligns with the specific and detailed guidance set out by NIST. To meet these standards, companies must perform penetration tests on their applications and networks following a pre-established set of guidelines.
The NIST publication most focused on pen testing is NIST 800-53, which specifies a number of security controls categorised into different groups according to their application.
Penetration testing methodologies provide structured frameworks for performing effective tests. The most widely adopted standards include OSSTMM, NIST, PTES, and OWASP. By leveraging these proven pentesting methodologies, testers can systematically evaluate security posture across the broadest possible attack surface
The stages of a pen test
While the specific steps that make up a penetration test will vary according to what is being tested, they generally follow a similar sequence, which includes:
Scoping is a critical part of the pen testing methodology because it enables the identification of the most appropriate type of assessment. This is the stage at which the full remit and goals of the pen test are defined. It includes listing the systems and applications to be assessed and the most appropriate testing methodology to be used, whether that is black box, grey box or white box.
The scoping stage should maximise the value an organisation achieves from its investment. Setting out clear aims for the pen test also means that only the specific and required areas are covered, and assessments are conducted in line with technical, legal and compliance standards, including pen testing aligned to the requirements of the GDPR, PCI DSS and ISO 27001.
The next stage in the penetration testing methodology is to execute the scoping plan and begin to identify and assess vulnerabilities. Activities at this stage can vary according to the type of test performed. If the test is conducted as part of a black box assessment, this stage may involve active and passive reconnaissance. Testers gather information using open-source techniques (passive), as well as network and vulnerability scanning to gain an in-depth view of an organisation’s infrastructure (active).
After establishing an overview of the network, the testers perform analyses on any systems and applications in scope to identify vulnerabilities and possible ways to exploit them.
Some engagements require the use of actions that attackers take against organisations, such as vulnerability exploitation. This allows the testers to understand how much a vulnerability could allow an attacker to compromise an organisation. Pen testers bring together previously gathered information and knowledge of the latest adversarial tactics, techniques and procedures in order to exploit vulnerabilities identified (if this was agreed upon within the scope) to obtain initial access.
This stage should also include work to conduct horizontal and vertical movement, which could entail elevating privileges by compromising user accounts that may have broader access to an environment. Doing so ensures that the objectives set out during the scoping process are completed.
Reporting and debriefing
Whatever the methodology, an important final step in the pen testing process is the reporting and debriefing stage. This involves delivering a client report, which outlines the vulnerabilities identified in the pen test, their impact, how they were found and the potential consequences of not remediating them. This report should also specify any sensitive data accessed and, if appropriate, how long the testers were able to stay undetected.
A good pen test report should also include analysis of the potential business impact of each issue identified. Additionally, it should include recommendations for remediation, with guidance on the required actions and the technical information to share with vendors to enable them to address vulnerabilities in their infrastructure and applications.
Selecting a pen test provider
While an up-to-date understanding of the different types of penetration testing methodologies is key, it is also important to assess potential pen test providers to ensure you select the most appropriate one for your organisation’s needs. A good pen test provider should be able to provide guidance on the methodology and approach best suited to your particular requirements.
How Kroll can help
As a CREST-certified company, Kroll performs testing to the highest technical, legal and ethical standards. All our award-winning pen test services include complete post-test care, actionable outputs, prioritised remediation guidance and strategic security advice to help you make immediate and long-term improvements to your cyber security posture.
To learn more about how to achieve the best results from penetration testing and how our services can support your security needs, feel free to schedule a quick, obligation-free call with our experts. We can tell you more about what’s involved and the techniques we use, as well as advise on how to achieve the best value from pen testing.