Network penetration testing: a beginner’s guide
If you've thought about the security of your business's network, you've probably considered a network penetration test. Penetration testing is an essential security measure for any organization and provides valuable insight into how well your current practices actually protect you.
But before jumping in headfirst, it's important to understand exactly what network penetration testing involves, because there are many components to consider. This beginner's guide takes you through the basics: what a test involves, which type is best for your needs, how to choose a provider, and more. So read on to understand more about this integral security practice.
What is network penetration testing?
Network penetration testing, also known as pen testing, is the process of conducting simulated attacks on a network to discover weaknesses that real attackers could exploit to breach your systems. Think of it as mapping and investigating your network to find vulnerabilities so that you can patch them and harden your defences before a malicious hacker crashes the party.
A simulated attack still touches real systems, so if you're worried about letting pen testers loose on your network, remember that you stay in control: the scoping process and the rules of engagement set out what is tested, when, and how far the testers may go. Scanning tools and ethical hackers conduct network penetration assessments to find problems and help you work out how to strengthen your defences, not to steal your data.
With penetration testing, you’ll strengthen your cybersecurity posture, bringing threats into focus. Even if you’ve never been breached before, pen testing is crucial for understanding how to improve and stay safe.
Network pen testing is a broad term, encompassing everything from assessing internal systems or private networks that aren't connected to the internet, to probing external services exposed online. This can include testing web applications and APIs as well as examining specialised protocols such as SIP, the signalling protocol used to set up and control voice and video calls over a network. The two types referred to most often, internal and external infrastructure assessments, are the focus of this post.
Internal infrastructure pen test
Internal infrastructure penetration testing simulates every organization's worst nightmare: what happens when an attacker already has access to your network from the inside? Keeping your data safe from insider threats is more important than ever: 60% of all breaches come from people on the inside, whether outsiders who have gained unauthorized access, for example through social engineering, or employees gone rogue, so the security of your internal infrastructure must be as strong as possible. In practice the test usually starts from an assumed-breach position, with the testers given nothing more than a connection to the internal network, such as a standard workstation or VPN account.
To do this, a team of penetration testers will try to get into places they don't belong: any sensitive or privileged areas you want attackers kept out of. They'll look for cracks in your security by bypassing access controls, escalating privileges and moving laterally between systems, aiming to reach data they shouldn't be able to touch. They'll then provide a detailed report so you can promptly start eliminating any flaws that put sensitive data at risk.
External infrastructure pen test
External infrastructure network pen testing is different but equally important. It answers the question: how could someone with no prior access gain entry and do harm?
Unlike an internal pen test, the external kind usually focuses on your perimeter systems: anything an outsider could reach from the public internet or, depending on the scope of the test, from partner systems or other outside networks.
One thing to remember about an external pen test is that it goes beyond uncovering vulnerabilities. It also shows you how those weaknesses could be chained together and the real risk they pose if a malicious actor exploited them. Knowing that someone can gain access is just the beginning; if you don't know how far they could get, you don't have the information you need to assess the risk properly.
External network penetration testing services typically combine several techniques to understand your security posture. Depending on your needs, an assessment may involve credential guessing against exposed login services, to find out whether any active accounts have easily guessable passwords (done carefully, so that the attempts don't lock out your users), and external vulnerability scanning to uncover known weaknesses in what you expose.
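The credential guessing mentioned above is only safe to run when it respects the target's account lockout policy. The following is an added example, not code from Intruder or from the original post: it schedules a password spray so that no account ever sees more failures in one lockout window than the policy tolerates, stops touching an account as soon as it authenticates, and reports the worst case. The account list, the weak passwords, the lockout numbers and the fake authentication oracle are all constructed stand-ins for a real exposed login service.

```python
"""Lockout-aware credential guessing schedule.

Added example, not Intruder's code. The accounts, passwords, lockout policy
numbers and the fake_auth oracle below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int           # failed attempts that lock the account
    window_minutes: int      # period after which the failure counter resets
    safety_margin: int = 1   # stay this many attempts below the threshold
    slack_minutes: int = 5   # extra wait so two rounds can never share a window


# Constructed sample data: four accounts, one using a weak seasonal password.
ACCOUNTS = ["alice", "bob", "carol", "dave"]
WEAK_PASSWORDS = ["Password1", "Welcome1", "Summer2023!", "Spring2024!", "Company1"]
_VALID_CREDENTIALS = {"carol": "Summer2023!"}  # constructed; only the oracle knows this


def fake_auth(user: str, password: str) -> bool:
    """Stand-in for a real login attempt (VPN portal, webmail, SSO)."""
    return _VALID_CREDENTIALS.get(user) == password


def build_spray_schedule(users, passwords, policy: LockoutPolicy):
    """Group passwords into rounds so that no account sees more than
    threshold - safety_margin failures inside one lockout window.

    Returns a list of (start_minute, [(user, password), ...]). Rounds are spaced
    window_minutes + slack_minutes apart; within a round each password of the
    batch is tried against every user (a spray, not a per-user brute force).
    """
    per_window = policy.threshold - policy.safety_margin
    if per_window < 1:
        raise ValueError("policy leaves no safe number of attempts per window")
    spacing = policy.window_minutes + policy.slack_minutes
    schedule = []
    for index, start in enumerate(range(0, len(passwords), per_window)):
        batch = passwords[start:start + per_window]
        attempts = [(user, pw) for pw in batch for user in users]
        schedule.append((index * spacing, attempts))
    return schedule


def run_spray(users, passwords, policy: LockoutPolicy, auth=fake_auth):
    """Walk the schedule, skip accounts that already authenticated, and return
    (credentials found, worst failures any account took in a single round).
    A real run would sleep until start_minute before each round."""
    found = {}
    worst_failures = 0
    for _start_minute, attempts in build_spray_schedule(users, passwords, policy):
        failures = {}
        for user, pw in attempts:
            if user in found:
                continue
            if auth(user, pw):
                found[user] = pw
            else:
                failures[user] = failures.get(user, 0) + 1
        if failures:
            worst_failures = max(worst_failures, max(failures.values()))
    return found, worst_failures


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=5, window_minutes=30)
    creds, worst = run_spray(ACCOUNTS, WEAK_PASSWORDS, policy)
    print(f"found {creds}; worst failures per account in one window: {worst} "
          f"(lockout at {policy.threshold})")
```

The safety margin and the slack between rounds are deliberate: an observation window that resets exactly at `window_minutes` on the server and a client clock that is a few seconds fast are enough to push an account over the threshold, so the schedule always stays one attempt short and waits a little longer than the window.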
Why is network penetration testing important?
Attackers are always finding new ways into business systems. By drawing on the expertise of a penetration testing team or an automated pen testing tool, you can identify and fix vulnerabilities more effectively, giving your security a boost. And with data breaches costing $4.35 million on average in 2022, waiting until you are attacked to fix things is clearly a bad move.
How to carry out a network pen test
Whether they’re internal or external, most penetration tests take one of two forms: manual or automated.
Manual network penetration testing
Manual pen tests are authorized cyberattacks performed by expert security analysts. In other words, real humans try to hack your systems using a range of tools and techniques. Along the way they keep detailed logs, notes and documentation, which they then use to explain the security flaws they found and to recommend fixes.
Humans have the advantage of understanding IT complexities that automated tools can't. They can think like an attacker, critically assessing potential threats and finding creative ways to chain weaknesses together. They're also trained to spot patterns and weaknesses that automated software could miss, and to recognise false positives, so businesses can resolve real issues quickly and efficiently.
Of course, there is a downside to manual penetration testing. Because it happens at a set point in time, whenever you decide to run a test, the pen tester's report can go out of date almost immediately: your business and its security posture are constantly changing.
A new vulnerability could appear the day after your test, leaving you exposed. And because manual pen testing is expensive, it isn't cost-effective to run frequently, which makes it the wrong tool for keeping your security up between tests. For that, you'll need…
Continuous network penetration testing
As the name suggests, continuous pen testing adds automation to the manual evaluation, impact assessment and false-positive reduction of a traditional pen test.
This takes much of the tedium out of rote work where humans might miss details, because the repetitive part is handled by technology. At play are continuous vulnerability scanners, such as Intruder's, which monitor your evolving attack surface. Intruder also runs proactive vulnerability scans that check your systems for newly discovered vulnerabilities, reducing the manual effort required to stay ahead of the latest threats.
How to choose a network pen testing vendor
If you've been shopping around, you've probably noticed there's a sea of formal qualifications to choose from. From CREST Certified Tester in Infrastructure (CCT INF) to Offensive Security's OSCP, it can all seem pretty confusing. So which should you look for?
There's also the question of experience. It stands to reason that the more a team tests, the better prepared it is to uncover security vulnerabilities. But be aware of where your provider's experience lies: does their background match the technologies you're using? They may have plenty of testing know-how, but if it isn't geared towards your particular applications there could still be problems lurking.
You will ultimately gain the most benefit from a well-rounded approach. Above all, look for a team with proven expertise and a wide range of service options, so your budget goes further. Offensive Security (OffSec) qualifications are a good starting point, and there are specific OffSec qualifications for infrastructure, web application and wireless testing. In the UK they are a good barometer, as are CREST-qualified individuals, and the same goes for the US and ANZ. If you need more senior testers, look for CREST Certified Testers (CCT), matching the variant to the job: CCT INF for infrastructure work and CCT APP for web applications.
Many organizations in the UK require CHECK Team Leaders or Team Members for their engagements, but this unnecessarily narrows your choice of vendors. CHECK Team Leaders and Members still hold CREST CCT or CRT, but they also hold security clearance, which you really only need if you are working in central government or handling sensitive government data. If you're a bank, you can simply request CREST-qualified individuals and add clauses to your contract, including a background check if you want one. For more information, check out our guide to choosing a pentesting company.
Network penetration testing with Intruder
Intruder is a great way to get started with network penetration testing because you’ll get market-leading continuous vulnerability scanning in the process. We’re firm believers that it shouldn’t matter how big your business is or what your needs are: everyone deserves the same level of security. We help you secure your attack surface with features designed to dramatically simplify pen testing:
- Continuous network scanning: every time you add something to the portal or make changes, we'll make sure it gets checked out right away and then keep monitoring at regular intervals so nothing slips through unnoticed.
- Emerging threat scans: we keep a vigilant eye out for new threats to your sensitive data so at the first sign of danger, we sweep through all external targets with an emerging threat scan - just in case.
- Rapid response: we detect potential risks before they have a chance to become an issue, by combining manual scanning with continuous monitoring of security threat feeds. When something pops up that we think could affect your systems, we'll tell you what it is and how best to protect yourself.
Network penetration testing doesn’t have to be complicated. Try Intruder today to see how easy it is to keep your network safe.
- Raw CVE Coverage
- Risk Rating Coverage
- Remote Check Types
- Check Publication Lead Time
- Local/Authenticated vs Remote Check Prioritisation
- Software Vendor & Package Coverage
- Headline Vulnerabilities of 2021 Coverage
- Analysis Decisions
The timeline callouts below pair what each delay means for attackers and defenders with the share of each vendor's checks released in that window, from the earliest window to the latest:
- Red teamers, security researchers, detection engineers and threat actors have to actively research the type of vulnerability and its location in the vulnerable software, and build an associated exploit. Tenable release checks for 47.43% of the CVEs they cover in this window, and Greenbone release 32.96%.
- Red teamers, security researchers, detection engineers and threat actors now have access to some of the information they previously had to hunt down themselves, speeding up potential exploit creation. Tenable release checks for 17.12% of the CVEs they cover in this window, and Greenbone release 17.69%.
- The likelihood of exploitation in the wild is steadily increasing. Tenable release checks for 10.9% of the CVEs they cover in this window, and Greenbone release 20.69%.
- We're starting to lose some of the benefit of rapid, automated vulnerability detection. Tenable release checks for 9.58% of the CVEs they cover in this window, and Greenbone release 12.43%.
- Any detection released a month after the details are publicly available is decreasing in value for me. Tenable release checks for 14.97% of the CVEs they cover over a month after the CVE details have been published, and Greenbone release 16.23%.
With this information in mind, I wanted to check what the delay is for both Tenable and Greenbone to release a detection for their scanners. The following section focuses on vulnerabilities which:
- Have CVSSv2 rating of 10
- Are exploitable over the network
- Require no user interaction
These are the ones where an attacker can point their exploit code at your vulnerable system and gain unauthorised access.
We’ve seen previously that Tenable have remote checks for 643 critical vulnerabilities, and OpenVAS have remote checks for 450 critical vulnerabilities. Tenable release remote checks for critical vulnerabilities within 1 month of the details being made public 58.4% of the time, but Greenbone release their checks within 1 month 76.8% of the time. So, even though OpenVAS has fewer checks for those critical vulnerabilities, you are more likely to get them within 1 month of the details being made public. Let’s break that down further.
In Figure 10 we can see the absolute number of remote checks released on a given day after a CVE for a critical vulnerability has been published. What you can immediately see is that both Tenable and OpenVAS release the majority of their checks on or before the day the CVE details are made public. Since 2010, Tenable have released remote checks for 247 critical CVEs before the details were published and OpenVAS for 144; on the same day as the details were published, Tenable released checks for a further 147 critical CVEs and OpenVAS for 79. The number of vulnerabilities then drops off across the first week and drops further after one week, as we would hope for in an efficient time-to-release scenario.
While raw numbers are good, Tenable have a larger number of checks available, so it could be unfair to go on raw numbers alone. It's potentially more important to understand the likelihood that OpenVAS or Tenable will release a check for a vulnerability on any given day after a CVE for a critical vulnerability is released. In Figure 11 we can see that Tenable release 61% of their checks on or before the date that a CVE is published, and OpenVAS release a shade under 50% of their checks on or before the day that a CVE is published.
So, since 2010 Tenable has more frequently released their checks before or on the same day as the CVE details have been published for critical vulnerabilities. While Tenable is leading at this point, Greenbone’s community feed still gets a considerable percentage of their checks out on or before day 0.
I thought I'd go another step further and see whether I could identify any trend in each organisation's release delay: are they getting better year on year, or are their releases getting later? In Figure 12 I've taken the mean delay for critical vulnerabilities per year and plotted it. The mean as a metric is particularly influenced by outliers in a data set, so I expected some wackiness and limited the mean to checks released no more than 180 days before a CVE was published and no more than 31 days after. These seem to me like reasonable limits: anything more than six months before the CVE details were released is potentially a quirk of the check details, and anything after a one-month delay is less important for us.
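The three measures used above (share of checks out on or before day 0, share out within a month, and a per-year mean delay clipped to the 180-days-before / 31-days-after band) are easy to get subtly wrong, so here they are as an added worked example. This is not the original analysis' code, and the records are constructed: placeholder ids and invented publication and release dates chosen only to exercise the calculations, including an early outlier and a late one that the clipped mean must ignore.

```python
"""Check release-delay statistics for two vulnerability scanners.

Added example, not the original analysis' code. SAMPLE is constructed:
placeholder ids and invented dates, with one very early and one very late
release so the clipping in mean_delay_by_year has something to exclude.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample: (vendor, placeholder id, CVE publication date, check release date)
SAMPLE = [
    ("tenable",   "CVE-A", date(2019, 3, 1),  date(2019, 2, 19)),  # 10 days early
    ("tenable",   "CVE-B", date(2019, 6, 10), date(2019, 6, 10)),  # day 0
    ("tenable",   "CVE-C", date(2019, 9, 5),  date(2019, 9, 8)),   # +3
    ("tenable",   "CVE-D", date(2020, 1, 20), date(2020, 2, 9)),   # +20
    ("tenable",   "CVE-E", date(2020, 4, 1),  date(2020, 5, 16)),  # +45, outside the band
    ("tenable",   "CVE-F", date(2020, 7, 1),  date(2021, 8, 5)),   # +400, outside the band
    ("greenbone", "CVE-A", date(2019, 3, 1),  date(2019, 3, 1)),   # day 0
    ("greenbone", "CVE-B", date(2019, 6, 10), date(2019, 6, 11)),  # +1
    ("greenbone", "CVE-C", date(2019, 9, 5),  date(2019, 9, 13)),  # +8
    ("greenbone", "CVE-D", date(2020, 1, 20), date(2019, 7, 4)),   # -200, outside the band
    ("greenbone", "CVE-E", date(2020, 4, 1),  date(2020, 5, 6)),   # +35, outside the band
]


def delays(records, vendor):
    """(CVE publication year, days from publication to check release) per record.
    Negative values mean the check shipped before the CVE details were public."""
    return [(pub.year, (rel - pub).days) for v, _, pub, rel in records if v == vendor]


def share_within(records, vendor, max_delay_days):
    """Fraction of the vendor's checks released no later than max_delay_days after
    publication. max_delay_days=0 gives the 'on or before day 0' figure."""
    ds = [d for _, d in delays(records, vendor)]
    if not ds:
        raise ValueError(f"no records for {vendor}")
    return sum(1 for d in ds if d <= max_delay_days) / len(ds)


def day_histogram(records, vendor):
    """Absolute number of checks per delay day (the Figure 10 view)."""
    return Counter(d for _, d in delays(records, vendor))


def mean_delay_by_year(records, vendor, lo=-180, hi=31):
    """Mean delay per CVE publication year, ignoring checks outside [lo, hi] days
    so that a single very early or very late check cannot drag the mean around.
    Years with no in-band checks are simply absent from the result."""
    by_year = defaultdict(list)
    for year, d in delays(records, vendor):
        if lo <= d <= hi:
            by_year[year].append(d)
    return {y: sum(v) / len(v) for y, v in sorted(by_year.items())}


def summarise(records, vendor):
    """The figures the comparison is based on, for one vendor."""
    return {
        "checks": len(delays(records, vendor)),
        "on_or_before_day0": share_within(records, vendor, 0),
        "within_31_days": share_within(records, vendor, 31),
        "mean_delay_by_year": mean_delay_by_year(records, vendor),
    }


if __name__ == "__main__":
    for vendor in ("tenable", "greenbone"):
        print(vendor, summarise(SAMPLE, vendor))
```

Note that the per-year mean is keyed on the CVE's publication year, not the check's release year, and that a year drops out of the result entirely when every check for it falls outside the band; in the constructed data that is what happens to Greenbone in 2020, which is the same effect as the missing 2021 OpenVAS data point in the text.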
What can we take away from Figure 12?
- We can see that between 2011 and 2014 Greenbone’s release delay was better than that of Tenable, by between 5 and 10 days.
- In 2015 things reverse and for 3 years Tenable is considerably ahead of Greenbone by a matter of weeks.
- But, then in 2019 things get much closer and Greenbone seem to be releasing on average about a day earlier than Tenable.
- For both the trendline over an 11-year period is very close, with Tenable marginally beating Greenbone.
- We have yet to have any data for 2021 for OpenVAS checks for critical show-stopper CVEs.
With the larger number of checks, and still being able to release a greater percentage of their remote checks for critical vulnerabilities on or before day 0, Tenable could win this category. However, with the delay time for 2019 and 2020 going to OpenVAS and the trend lines being so close, I am going to declare this one a tie.
The takeaway from this is that both vendors are getting their checks out the majority of the time either before the CVE details are published or on the day the details are published. This is overwhelmingly positive for both scanning solutions. Over time both also appear to be releasing remote checks for critical vulnerabilities more quickly.