What is an Internal Penetration Test?

Note from the Editor: This insight is the first installment of a 10-part series entitled, “Everything you need to know about an Internal Penetration Test.”

What is an Internal Penetration Test?

An Internal Penetration Test is conducted from within your network. It mimics the perspective of an attacker who has already gained a foothold in your network, whether through direct exploitation of a public-facing system, through social engineering, or as a malicious insider. This assessment uses a combination of automated and manual exploitation techniques. The goal is to determine what a bad actor can do from that position. An internal penetration test has similar goals to an external penetration test, but it completely changes the perspective and assesses different threat vectors.

Why do an Internal Penetration Test?

The most common argument we hear against internal penetration testing is, “Well I have great security controls on my organization’s perimeter, why should I pay to assess the inside of my network? Of course they can access sensitive stuff once they’re inside!” And while it’s true that most organizations focus the majority of their security efforts on the outside of their network, it’s not prudent to think that no one can possibly gain access to your internal network.

According to some sources, 91% of cyber attacks start with a phishing email. And in our experience, this is often the easiest and most likely path to success when trying to remotely access a network. So given all of that, as your security program matures and you take a more proactive approach to managing all of the threat vectors your organization faces, it makes sense to consider an internal penetration test.

What Questions does an Internal Penetration Test Answer?

Some common questions an internal penetration test answers include:

  • Just by plugging a system into the network, can an attacker move laterally to other sensitive systems?
  • Can an adversary gain access to the organization’s “crown jewels” or most sensitive information?
  • Can they exfiltrate that information without being detected?
  • Can an adversary escalate from that initial foothold to “own the network” or become a Domain Administrator?
  • How easy is it for them to achieve these goals and what are the easiest ways to reduce this risk?
  • How effective are our current preventative and detective security controls?

What’s the Process of an Internal Penetration Test?

To facilitate this type of testing, the attack team will need to simulate that initial foothold on the internal network. For example, you will be given a laptop to plug into your network, just as an employee would when sitting down at their cube and starting work. Once the laptop is plugged in, the attack team will have remote access to that system, but they won't have any other information or credentials. At this point the test begins, starting with port scans, vulnerability scans, passive traffic analysis, broadcast spoofing attacks, and password attacks, to name just a few of the initial activities.

Through discovery, target enumeration, exploitation, and then post-exploitation, the attack team will move through a standard methodology that aims to not only answer those key questions above, but also identify and prioritize every possible vulnerability along the way. Then when you’re provided the testing results, you have the actionable data you need to make significant improvements to your security posture and allocate resources where they’ll make the biggest impact.
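The "broadcast spoofing attacks" mentioned above (LLMNR and NBT-NS poisoning) succeed because any host on a segment may answer a broadcast name query, so a poisoner simply answers for every name it hears. That behaviour is also what makes it detectable: one responder answering many unrelated names in a short window, or two hosts answering the same name, is a strong signal. The following is an added example of that detection logic, written for this article and not code from SIG or the author; the event format, the sample events, and the thresholds (60-second window, three distinct names) are all constructed assumptions, not any vendor's real schema.

```python
"""
Added example (not part of the original article): flag likely LLMNR / NBT-NS
poisoning from name-resolution events.  Two indicators are checked:
  1. one responder answers for many distinct names within a short window
  2. the same name is answered by more than one responder (a conflict)
The event tuples below are a constructed sample, not a real sensor format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, protocol, queried name, responder IP).
# In a real deployment these would come from a network sensor that logs
# LLMNR (UDP/5355) and NBT-NS (UDP/137) responses.  10.0.5.77 is the
# constructed "suspicious" host that answers everything it hears.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:01", "LLMNR",  "fileserver01", "10.0.5.20"),
    ("2024-01-10T09:00:03", "LLMNR",  "wpad",         "10.0.5.77"),
    ("2024-01-10T09:00:04", "NBT-NS", "printsrv",     "10.0.5.77"),
    ("2024-01-10T09:00:05", "LLMNR",  "fileserver01", "10.0.5.77"),
    ("2024-01-10T09:00:06", "LLMNR",  "sharepoint",   "10.0.5.77"),
    ("2024-01-10T09:00:08", "NBT-NS", "typo-host",    "10.0.5.77"),
    ("2024-01-10T09:05:00", "LLMNR",  "printsrv",     "10.0.5.31"),
]


def parse_event(raw):
    """Normalise one raw tuple: ISO timestamp -> datetime, name -> lowercase."""
    ts, proto, name, responder = raw
    return (datetime.fromisoformat(ts), proto, name.lower(), responder)


def find_suspicious_responders(events, window=timedelta(seconds=60), min_names=3):
    """Return {responder_ip: sorted names it answered} for every responder
    that answered at least `min_names` distinct names inside any `window`.
    A legitimate host answers only for its own name(s); a poisoner answers
    for whatever is queried, so the distinct-name count climbs quickly."""
    parsed = sorted((parse_event(e) for e in events), key=lambda e: e[0])
    by_responder = defaultdict(list)
    for ts, _proto, name, responder in parsed:
        by_responder[responder].append((ts, name))

    flagged = {}
    for responder, answers in by_responder.items():
        start = 0
        for end in range(len(answers)):
            # slide the window start forward until it fits within `window`
            while answers[end][0] - answers[start][0] > window:
                start += 1
            names_in_window = {n for _, n in answers[start:end + 1]}
            if len(names_in_window) >= min_names:
                # report everything this responder answered, not just the window
                flagged[responder] = sorted({n for _, n in answers})
                break
    return flagged


def find_conflicting_names(events):
    """Return {name: sorted responder IPs} for names answered by more than
    one host.  A poisoner racing the real server produces exactly this."""
    responders = defaultdict(set)
    for _ts, _proto, name, responder in (parse_event(e) for e in events):
        responders[name].add(responder)
    return {name: sorted(ips) for name, ips in responders.items() if len(ips) > 1}


if __name__ == "__main__":
    for ip, names in find_suspicious_responders(SAMPLE_EVENTS).items():
        print(f"[!] {ip} answered {len(names)} distinct names: {', '.join(names)}")
    for name, ips in find_conflicting_names(SAMPLE_EVENTS).items():
        print(f"[!] '{name}' answered by multiple hosts: {', '.join(ips)}")
```

Either indicator on its own can produce noise (a dual-homed server legitimately owns several names; a stale WINS entry can cause a conflict), so in practice the two are best combined and enriched with an asset inventory before alerting. The same telemetry also confirms the preventive control: once LLMNR and NetBIOS name resolution are disabled by policy, a sensor should see no responses at all on those ports.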

This type of testing is slightly more expensive than external penetration testing, because it takes a lot more time to evaluate your entire internal network than the limited set of systems and services exposed on the Internet perimeter. Overall, this type of testing is most valuable to institutions that want to understand and reduce all elements of their risk. If you're interested in learning more about this kind of assessment or want a better understanding of whether it makes sense for you, contact us today.

About the Author:

JR is the Director of Penetration Testing at SIG. He holds a BS in Computer Science Engineering from the University of Florida and an MS in Information Assurance and Cybersecurity from the Florida Institute of Technology. JR is an avid collector of security-related certifications, including OSCP, OSWE, GWAPT, CISSP, C|EH, CISA, and PCI QSA. You can find him on Twitter @InfoSecJR.
