What Is an Internal Penetration Test, and How Is it Done?
A famous 2011 article by security adviser Roger Grimes is intriguingly titled, “To beat hackers, you have to think like them.” In the article, Grimes explains that IT security professionals must view IT systems through the eyes of hackers — and search for ways to break into these systems, identify weaknesses, and create robust security measures.
That is precisely what penetration testing is all about.
What Is Penetration Testing?
Understanding penetration testing and the value it provides is crucial to your overall risk management strategy. Unlike traditional defensive cybersecurity strategies, which focus on remediating a security event and mitigating its harm, “pen testing” is an offensive security testing strategy focusing on prevention.
Penetration tests differ from a vulnerability scan, an automated, high-level security vulnerability assessment to identify known vulnerabilities, a lack of security controls, and common misconfiguration errors.
A penetration test (pen test) is also known as a white hat attack or ethical hacking. It is performed by a skilled penetration tester using detailed, hands-on, manual testing techniques and tools to simulate a cyber-attack. Testers explore the target system and its applications, devices, services, and user behaviors to identify vulnerabilities and security flaws.
A pen tester investigates the potential effects of these flaws on the network and, ultimately, on the organization. The tester may also:
- Discover security policy errors.
- Ascertain weaknesses in vulnerability identification processes and security controls.
- Review security awareness in the organization.
- Identify compliance issues related to relevant industry standards or regulations, such as HIPAA, PCI DSS, or GDPR.
The goal is to identify security weaknesses or vulnerabilities that a threat actor, cybercriminal, or data thief could exploit to compromise the system, disrupt operations, demand a ransom, or steal sensitive data. The tester may leverage some of these methods:
- Social engineering to convince an insider to reveal sensitive information such as login credentials
- Send phishing emails to access critical accounts or test employees’ security awareness
- Use stolen or unencrypted passwords to access sensitive systems or data
At the end of a pen test, the tester prepares a detailed report, which allows security teams and network administrators to understand and remediate the identified vulnerabilities and exploits.
Who Performs Pen Tests?
Penetration testing is performed by ethical hackers who methodically compromise systems to uncover security vulnerabilities before cybercriminals can exploit them. Skilled penetration testers simulate real-world attacks to validate an organization’s cybersecurity posture.
External security consultants are often leveraged to perform objective penetration tests. Third-party ethical hackers bring fresh perspectives since they are not biased by internal assumptions. Their outside vantage point helps expose overlooked risks and security gaps in networks, applications, APIs, and endpoints.
For internal pen tests, organizations build dedicated red teams. Their insider knowledge helps create accurate threat models to assess risks. However, internal teams can overlook vulnerabilities that outside testers may catch.
The most skilled penetration testers think creatively and adapt on the fly. They stay up-to-date on the latest techniques and tradecraft. With curiosity, persistence, and drive, experienced professionals and self-taught hackers can become standout ethical hackers.
What Are the Different Types of Penetration Tests?
There are many types of pen testing based on the system being tested.
Network Pen Tests
The ethical hacker tests network security by hacking into the network via various attack vectors such as:
- Phishing emails
- Third-party software
- Password guessing
Network pen tests can be done locally or remotely.
Hardware Pen Tests
The tester exploits vulnerabilities in internet-enabled devices, such as security cameras, networked printers, and smart home systems.
Web Application Pen Tests
Testers check the security of enterprise web apps, APIs, and software.
Mobile Pen Tests
The tester attempts to find vulnerabilities in the organization’s mobile app.
Wireless Pen Tests
This test involves connecting to open, less secure hotspots or Wi-Fi networks to understand how threat actors may exploit them to compromise the enterprise network.
Physical Pen Tests
In such tests, the tester tries to break into a physical space to gain unauthorized access to its IT systems or other physical assets, perhaps by posing as a contractor or service technician.
The ‘Boxes’ of Pen Tests
Pen tests can also be classified as black box, white box, or gray box, depending on how much information the tester has about the target system.
Black Box Pen Tests
The tester has no specific information about the target system, only high-level information that could be found anywhere, such as the company name. The tester carries out detailed reconnaissance to find and exploit vulnerabilities. Since testers work “blind,” black box pen tests take a lot of time to perform, but these tests also closely resemble what a hacker would know when approaching a target.
White Box Pen Tests
The tester has prior information about the target system, including its IP addresses, network infrastructure schematics, operating system, source code, and so forth, which the tester uses to simulate an internal security attack. Although more detailed than black-box tests, white-box pen tests still provide valuable insights.
Gray Box Pen Tests
Before starting the test, the ethical hacker knows a user with elevated privileges. This method is suitable for simulating the possible actions of internal attackers with long-term access to the target system.
The Stages of Penetration Testing
Organizations use penetration testing to validate their cybersecurity posture against real-world attacks. Skilled penetration testers and ethical hackers methodically compromise systems safely to uncover vulnerabilities before criminals exploit them.
A thorough penetration test simulates motivated adversaries’ tactics, techniques, and procedures. It typically involves five phases:
- Planning: Defining the scope, rules of engagement, testing methodologies, and target systems. Gathering open-source intelligence on the organization’s web applications, network infrastructure, and other digital assets.
- Discovery: Scanning networks, Application Programming Interfaces (APIs), wireless signals, and applications for vulnerabilities. Performing non-intrusive vulnerability scanning to create an inventory of security issues.
- Attack: Attempting to exploit identified vulnerabilities through techniques like Structured Query Language (SQL) injection, password cracking, Cross-Site Scripting (XSS), and social engineering and trying to achieve escalation of privilege, data exfiltration, or denial of service.
- Persistence: After gaining access, maintaining footholds within systems to model Advanced Persistent Threats (APTs). The goal is to assess how well security controls detect and respond to simulated cyberattacks.
- Analysis: Documenting which vulnerabilities were successfully exploited. They provided remediation guidance and risk assessments to strengthen cyber defenses, quantifying overall security posture against real-world adversaries.
Penetration Testing Methods
Organizations use different penetration testing methodologies to validate security controls against cyberattacks.
External Pen Testing
External testing targets public internet-facing systems like websites, web applications, email servers, APIs, and network infrastructure. It focuses on remotely exploiting vulnerabilities to breach perimeter defenses. External pen testing simulates real-world attacks by external threat actors.
Internal Pen Testing
Internal testing evaluates insider risks from compromised accounts, phishing, social engineering, and rogue employees. It exercises lateral movement, privilege escalation, and data exfiltration post-access. Internal pen testing evaluates controls like network segmentation, identity and access management, and security monitoring.
Blind Pen Testing
Blind pen testing does not inform the testing team of test details or timing. This models undetected cyberattacks from zero knowledge, like real-world threats. Blind testing assesses incident response capabilities against unknown attack vectors.
Double-Blind Pen Testing
Double-blind testing keeps the red team penetration testers and blue team defenders unaware. This mimics detecting and responding to new vulnerabilities and exploits on the fly. Double-blind testing evaluates readiness against zero-day attacks.
Targeted Pen Testing
Targeted pen testing involves collaboration between ethical hackers and security staff. The focus is rapidly identifying and remediating vulnerabilities or gaps in security controls. Targeted testing provides real-time security guidance and training.
The Differences Between Internal Penetration Testing and External Penetration Testing
Every pen test is a multi-phased process involving these steps:
- Scoping
- Reconnaissance (intelligence gathering)
- Threat modeling
- Exploitation and post-exploitation
- Analysis and reporting
- Re-testing
However, the specific goals, methodology, conditions, and targets can differ quite a bit depending on whether the enterprise chooses internal or external penetration testing.
In external pen testing, the tester tries to simulate how an external user without proper access and permissions could exploit open vulnerabilities in the internal network. Essentially, the tester acts as a malicious outsider or hacker who might try to attack the organization.
Internal pen testing is about understanding how a threat actor with inside access could exploit the network’s vulnerabilities. It also tries to determine what information could be exposed to this insider.
It’s usually best to conduct external and internal pen tests to understand system security weaknesses and strengthen the enterprise security posture.
What Is Internal Penetration Testing?
An internal pen test is usually done after completing an external pen test. It imitates an insider threat and identifies how an attacker with internal access may compromise or damage the network, systems, or sensitive data.
Typically, the starting point of an internal network penetration test is a user with standard access privileges. The tester may work with these common scenarios:
- An unhappy rogue employee (malicious insider) who tries to compromise or damage the system
- An external malicious attacker who accesses the system via social engineering, phishing scam, or stolen credentials
Most organizations focus on external security threats. Yet internal threats — from malicious insiders, careless employees, insecure third-party vendors, and even clients or customers — are equally (if not more) serious than external threats.
Research shows that from 2018 to 2020, insider incidents increased by 47 percent. Moreover, in 2020, the total average cost of insider threats was $11.45 million, 31 percent higher than the $8.76 million in 2018. In 2021, insider threat incidents are expected to grow by 8 percent, and one-third of data breaches are projected to result from insider threats. These threats can come from:
- Weak or shared passwords
- Weak access controls
- Insecure file sharing or unencrypted data
- Network misconfigurations
- Lack of awareness about social engineering and phishing
- Ransomware attacks
- Insecure remote networks and devices
It’s crucial to identify these threat vectors and address them on priority. For this, internal penetration testing is critical.
How to Do an Internal Pen Test
In internal pen tests, the tester may test:
- Computer systems, workstations, and mobile devices
- Servers
- Wi-Fi networks
- Access points
- Firewalls
- Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
- Internet-connected HVAC systems
- Cameras
- Employees (behaviors and procedures)
Once the tester identifies data security vulnerabilities in these components, they will try to exploit them to understand the potential for unauthorized access and damage. The tester will also provide a detailed report so the enterprise security team can take the necessary actions to close discovered vulnerabilities as soon as possible.
There are many ways to conduct internal pen tests. The tester may use privilege escalation, steal credentials, spread malware, leak information, or carry out other malicious activities like man-in-the-middle (MitM) attacks. Different standard internal pen testing methodologies include:
- Internal network scanning
- Port scanning
- System fingerprinting
- Firewall testing
- Manual vulnerability testing
- Password strength testing
- Database security controls testing
- Network equipment security controls testing
The tester may also carry out internal network scans to find known Trojans and check third-party security configurations to minimize the risk of supply chain attacks.
To carry out these tests, white hat hackers can choose from many pen testing tools, including:
- Nmap: An open-source port scanner utility for network discovery and security auditing
- Rapid 7Metasploit: A framework to probe and verify enterprise vulnerabilities
- Wireshark: An open-source network protocol analyzer to assess vulnerabilities in network traffic in real-time
Let ZenGRC Help With Penetration Testing
To protect your organization from cyberattackers, hackers, and even malicious insiders, it’s essential to think like them, simulate their actions, and actively test the enterprise network. A robust penetration testing plan is integral to your risk management strategy.
Instead of using spreadsheets to manage your information security program, adopt ZenGRC’s governance, risk management, and compliance platform to automate and streamline tasks and documentation management.
Schedule a demo today to see how ZenGRC can strengthen your security posture.