Success is in the Scoping: Incorporating Penetration Testing into Your Cybersecurity Planning


If you’re considering incorporating penetration testing into your cybersecurity planning process, there are some key considerations to keep in mind when you’re figuring out exactly what’s ‘in scope’: which networks, employee accounts, defensive capabilities and other assets are fair play for the penetration tester to try to break. These scoping decisions should be made during the initial consultation, so everyone knows what’s in bounds and what’s out of bounds.

Penetration tests can fail before they even start, thanks to poor scoping. It’s easy to hamstring your pen testers through overly restrictive scoping, but a scope that’s too wide can end up reporting back what you already know.

The name of the game is to find that ‘scoping sweet spot’ where you learn something new about your network and your defenses, while effectively spending your limited resources on shoring up defenses against real attackers.

Attacker simulation
Start by asking this question: “Are my detection capabilities in play, or not?” If you’ve already invested in user behavior analytics, endpoint detection and response capabilities, or automated security information and event management, you’ll certainly want to put those technologies to use – and against a realistic attacker.

Your testing team, whether internal or external, should have a very specific goal in mind. Your simulated attacker is constrained by your detection capabilities, so they won’t throw every exploit they have against your entire enterprise. Instead, you’ll learn if the specific data you’re trying to protect is, in fact, protected.

Of course, if you don’t already have these detection and response capabilities, then this is a pretty easy decision: you’re in store for a straight internal assessment.

Internal assessment
On the other hand, if you’re more interested in figuring out where your patch management and asset management are failing, an internal assessment may get you more bang for your assessment buck.

In this sort of engagement, the pen tester might be invited to set up on the internal network, complete with a known, dedicated machine from which they can launch all their scanning and exploit traffic.

While this may seem like regular vulnerability management at first blush, a penetration test organized this way can help you identify which networked assets are most at risk from an internal vulnerability, assuming an attacker is already capable of breaching any ‘perimeter’ you might think you already have.

Can I do both at once?
One common error in considering penetration test scope is mixing these two engagement philosophies or types together. 

Consider an engagement where you want a consultant to pretend to be an externally-based attacker with no prior knowledge of your network. However, you’ve prohibited them from contacting any non-IT employees or connecting to specific production machines in order to limit any disruptions. This combines two types of engagement, attacker simulation and internal assessment, which you can’t do at the same time – and it’s a mistake to try.

Essentially, you’ve hamstrung the attack simulation style with some arbitrary limitations that no real attacker would adhere to, and you’ve also seriously limited the value of a broadly scoped security readiness test.

Know your goal
A reputable and experienced penetration testing consultancy should point out this kind of scoping failure right away, and help you define the parameters of the test you really want. If the purpose is to actually learn where you can invest your time, money and people to be better prepared for a real security event, you’ll want to decide early on if attack simulation or security readiness is the best way to assess your posture, and commit to that decision when you’re scoping the work.

If you already know that your patch management is the pits, a broad internal assessment report might just be the thing to nudge your CFO into approving budget changes in favor of your vulnerability and asset management programs. 

If you suspect your employees are susceptible to phishing, and want to prove it, an attack simulation where social engineering is the name of the game can help you get that much-needed anti-phishing training program. 

In either case, that first scoping decision can make all the difference in how useful your penetration testing experience will be.

Finally, if you know you’re lacking in intrusion detection and response (IDR) capabilities, a penetration test is a pretty flashy, if expensive, way to prove it to your upper management. Now, that money is likely better spent in actually investing in IDR, but if there’s one thing pen tests are good at, it’s dramatically demonstrating risk.

So if you need a pen test to get the point across, by all means get a consultant in there to uncover this particular security gap.
