January 20, 2023
Pen Testing has been a staple of cybersecurity programs for decades
For much of that time, organisations had only one type of Pen Test engagement to choose from—the traditional penetration test. Today, the options have expanded considerably, providing a broader range of testing capabilities but introducing plenty of confusion at the same time.
This article will look at the three most popular types of Pen Test engagement, explain the differences, and provide some insights to help you choose the ideal Pen Test offering for your organisation.
What is Pen Testing?
Penetration Testing, also known as Pen Testing, is a category of security assessment that aims to find and demonstrate exploitable vulnerabilities in an IT environment before an attacker does. Until around ten years ago, all Pen Testing engagements were carried out by teams of human security experts. Today there are more options, which we’ll explore shortly.
Unlike protective controls such as a firewall, which aim to prevent malicious activity, Pen Tests are a form of offensive security. They preemptively employ an attacker’s tools and techniques to uncover weaknesses in an environment or asset before a malicious hacker can exploit them.
Most Pen Tests have a specific scope since testing “everything” in a single engagement is generally not feasible or desirable. Some of the most popular targets for Pen Testing include:
- Networks (local, cloud, or hybrid)
- Wireless networks
- Web applications
- Websites
Why Pen Test?
There are many reasons to implement regular Pen Tests. Some of the most common include:
- Assess cyber risk. Pen Tests help organisations uncover unknown sources of cyber risk before a hacker can exploit them.
- Fulfil compliance obligations. Many legal and compliance frameworks, including PCI DSS, require organisations to complete Pen Tests of specific assets at least annually and after significant changes.
- Identify unknown vulnerabilities in products or architecture—particularly those that can’t be found using automated vulnerability or application security scanners.
- Prepare for M&A. Many M&A due-diligence processes now include cybersecurity requirements, which typically oblige the target organisation to undergo a Pen Test.
- Mitigate supply chain risk or meet stakeholder requirements. Customers, suppliers, and partners increasingly demand that organisations prove their cybersecurity readiness by scheduling regular Pen Tests and publishing the results.
- Protect business continuity and system uptime. Cyberattacks frequently lead to significant and costly interruptions to business operations. By identifying weaknesses proactively, Pen Tests help to protect business continuity and system uptime.
- Protect customer data or commercial secrets. Today, data is often among an organisation’s most critical assets—and it’s also a common target for hackers. Pen Tests are often used to uncover weaknesses that may allow an attacker to collect and extract data from an organisation’s network, website, or Internet-facing assets.
- Avoid negative publicity. Organisations that suffer a successful cyberattack frequently face negative publicity, even if the attack is quickly contained. This can have implications for ongoing business, particularly if the attack threatens the assets or business continuity of partners, customers, or suppliers.
Traditional Pen Testing
A traditional Pen Test is a time-bound engagement delivered by a security services provider like CyberOne. These engagements are delivered by a team of qualified, experienced Pen Testers over a defined period—often 1-2 weeks, but there is no firm rule on engagement length.
Most traditional Pen Test engagements have an overarching mission—for example, meeting annual compliance objectives or preparing for an event such as a product launch or M&A. However, some organisations prefer to schedule regular traditional Penetration Tests purely as a continuous addition to their cyber risk reduction program.
A typical Penetration Test engagement will follow a clear project plan. At CyberOne, our engagements use the following testing methodology:
- Scoping. Working with the customer to define which assets and infrastructure fall within the scope of the engagement.
- Reconnaissance. Gathering publicly available information about the customer that may help the testing team identify weaknesses.
- Mapping. Assessing target assets to build a complete picture of their attack surface.
- Vulnerability analysis. Scanning and manually investigating in-scope assets to identify security vulnerabilities.
- Service exploitation. Exploiting vulnerabilities to access systems and data, within the agreed rules of engagement.
- Pivoting. Reusing successful exploits and harvested access to target further in-scope systems and assets.
- Clean up. Removing test accounts, tooling, and other artefacts left on the customer’s systems during testing.
- Reporting and debriefing. Providing an in-depth Pen Test report with clear recommendations and guidance for remediation. This can be delivered as a written report or via a virtual or face-to-face meeting.
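The scoping step above is where much of the engagement risk is decided: testing a host that was never authorised is a legal and contractual problem, not a finding. The following Python script is an added example, not CyberOne’s tooling or part of the original article. It assumes a simple scope format of CIDR ranges, single IPs, exact hostnames and leading-wildcard patterns for subdomains, plus an exclusion list that always overrides inclusion. The sample scope entries are constructed from documentation address ranges and reserved example domains.

```python
"""Scope guard: decide whether a target may be tested under the agreed scope.

Added example, not CyberOne's tooling. Assumed scope format: CIDR ranges,
single IPs, exact hostnames and "*.domain" wildcards, plus an exclusion
list that always wins over the inclusion list.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample scope (documentation ranges and reserved example domains).
IN_SCOPE = ["203.0.113.0/24", "198.51.100.10", "*.example.com", "app.example.net"]
EXCLUDED = ["203.0.113.5", "legacy.example.com"]  # e.g. fragile production hosts


def _split_entries(entries: Iterable[str]):
    """Separate scope entries into IP networks and hostname patterns."""
    nets, hosts = [], []
    for entry in entries:
        try:
            # strict=False accepts entries with host bits set, e.g. "10.0.0.1/24"
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            # Anything that is not an IP or CIDR is treated as a hostname pattern
            hosts.append(entry.lower().rstrip("."))
    return nets, hosts


def _host_matches(target: str, patterns: List[str]) -> bool:
    """Exact match, or wildcard match covering subdomains but not the apex."""
    name = target.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            # "*.example.com" matches "www.example.com" but not "example.com"
            # or "notexample.com" (the leading dot is part of the suffix)
            if name.endswith(pattern[1:]) and name != pattern[2:]:
                return True
        elif name == pattern:
            return True
    return False


def is_in_scope(target: str,
                in_scope: Iterable[str] = IN_SCOPE,
                excluded: Iterable[str] = EXCLUDED) -> bool:
    """True only if the target is included and not explicitly excluded."""
    nets_in, hosts_in = _split_entries(in_scope)
    nets_ex, hosts_ex = _split_entries(excluded)
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # Exclusions are checked first so they always win over inclusions
        if any(ip in net for net in nets_ex):
            return False
        return any(ip in net for net in nets_in)
    if _host_matches(target, hosts_ex):
        return False
    return _host_matches(target, hosts_in)


def filter_targets(targets: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split a candidate target list into (allowed, rejected)."""
    allowed, rejected = [], []
    for target in targets:
        (allowed if is_in_scope(target) else rejected).append(target)
    return allowed, rejected


if __name__ == "__main__":
    candidates = ["203.0.113.42", "203.0.113.5", "www.example.com",
                  "legacy.example.com", "example.com", "192.0.2.1"]
    ok, bad = filter_targets(candidates)
    print("allowed :", ok)
    print("rejected:", bad)
```

Hostnames are matched as strings only; the script does not resolve them, so a host that is in scope by name could still point at an address outside the agreed ranges. Resolve each name and check the resulting address against the same scope before sending a single packet, and run every target list (including anything produced during reconnaissance and pivoting) through a check like this before handing it to a scanner.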
A recent upgrade to traditional Pen Tests has been the addition of ‘Pen Test platforms,’ which allow customers to schedule Pen Tests, see the status of ongoing engagements, request more information about reported vulnerabilities, and request retests after patching. This feature was first introduced by crowdsourced Pen Testing providers and is rapidly becoming an industry standard because of the improvement it brings to the customer experience.
Automated Pen Testing
An automated Pen Test is exactly what it sounds like—an automated solution that attempts to replicate the processes of a traditional Pen Test without requiring any human intervention.
Note the word attempts. In reality, no automated tool can completely replace the need for human Pen Testers. If it could, traditional Pen Tests would already be obsolete—and they notably aren’t. There are some weaknesses that require human perseverance and creativity to uncover—the type of perseverance and creativity that a malicious hacker would employ.
However, today’s automated Pen Test solutions are extremely powerful and can provide continuous security validation of critical systems and assets in a way that would be prohibitively expensive to deliver manually. Similarly, many security weaknesses are more suited to machine-testing, as they are simply too time-consuming to uncover in a 1-2 week human testing engagement.
Automated Pen Test solutions are NOT the same as vulnerability scanners. In addition to uncovering known vulnerabilities, an automated Pen Test solution provides additional capabilities such as:
- Security control validation
- No-harm exploitation of discovered weaknesses
- Complete attack surface coverage
- Risk-based remediation guidance
Typically, automated Pen Testing isn’t a complete replacement for traditional Pen Testing. Organisations often employ automated Pen Testing solutions to provide a continuous assessment of cyber risk and uncover vulnerabilities introduced during normal business operations—while reserving traditional Pen Tests for more focused testing of specific assets.
At CyberOne, we work with Pentera to provide our clients with automated pen testing solutions.
Crowdsourced Pen Testing
Crowdsourced Pen Tests are a completely different approach to security testing that has come to prominence over the last decade. Instead of working with a set team of Pen Testers provided by a security services provider, crowdsourced testing enables organisations to engage with a global community of ethical hackers and security experts.
This approach gives organisations access to an unprecedented range of security testing expertise, helping to uncover high-risk vulnerabilities by mimicking the behaviours of real malicious hackers.
In almost all cases, organisations don’t attempt to organise crowdsourced testing in-house. Instead, they work through a crowdsourced testing provider, which will typically deliver a platform through which organisations can invite freelance hackers and security experts to test their assets.
Broadly, there are two ways to engage with crowdsourced testing:
- Specific, time-bound engagements that mimic traditional Pen Tests
- Continuous testing engagements that allow testers to submit vulnerabilities at any time.
While it is possible to engage directly with crowdsourced testers and manage the entire process in-house, crowdsourced testing providers usually manage the engagement process and the delivery of specific testing engagements. This allows organisations to reap the benefits of crowdsourced testing while retaining important elements of traditional Pen Tests such as:
- Vetted and risk-scored vulnerability reports
- Low internal effort requirements to manage the testing process
- Remediation guidance for reported vulnerabilities
At CyberOne, we work with Synack to provide our clients with crowdsourced pen testing solutions.
Which is Right For Your Organisation?
There is no “best” form of Pen Testing. Each of the options described above is strong in different situations, and your choice of engagement type should be driven by your specific needs.
For small organisations with few resources, meeting compliance requirements is typically the priority, and most compliance frameworks expect a traditional, human-led Pen Test. At the other end of the scale, many organisations use a combination of Pen Test engagements to meet varied cybersecurity needs.
For example:
- Traditional Pen Tests to meet compliance objectives.
- Automated Pen Testing for continuous security validation of their networks.
- Crowdsourced Pen Testing for specific, high-risk or business-critical applications.
This approach is highly effective for controlling cyber risk but naturally requires a higher investment of resources to maintain compared to a more traditional program.
If you’re not sure which engagement—or combination of engagements—is right for your organisation’s needs, we can help. Get in touch today to discuss your Pen Testing options with one of our experts.