External Network Penetration Test
Establish a Strong Perimeter
One of the most common forms of penetration tests, especially for SMBs, is an external network pentest. This form of pentest is an assessment of all systems on a company’s perimeter, or in other words, all systems that are publicly accessible from the internet. Because these systems are exposed to everyone and their mother, they are the most easily and regularly targeted systems a company owns; they’re likely scanned or targeted almost every day. Most of these attacks are automated and are trying to identify low-hanging fruit, but that shouldn’t detract from the fact that even a small vulnerability might have a significant impact.
The difference between an internal network penetration test and an external network penetration test is that an external network pentest evaluates a company’s security posture from the perspective of some stranger who could be sitting on a beach in Hawaii thousands of miles from the target. This perspective will help a company understand how effective their exterior security posture is while identifying misconfigured controls or weaknesses that could be exploited from anywhere in the world.
What Does an External Network Pentest Evaluate?
- Misconfigured Firewall Rules
- Open Ports
- Ineffective IDS
- Weak Password Policies
- Unpatched Systems
- Exposed Cloud Resources
External Network Pentest Methodology
The importance of a structured and consistent methodology in external network penetration testing cannot be overstated. While every project differs in scope, goals, and the tools required, a consistent methodology ensures thorough coverage of any attack surface. Our team utilizes a structured process that ensures quality work is performed for every assessment.
*If you’ve already viewed some of our other services you might notice a theme: the overall structure of our methodology is the same, but if you look closely the context & goals differ depending on the scope. In other words, yes, we admittedly copied/pasted the content and then edited the details for each scope.
Step 1: Information Gathering and Enumeration
The first step that X Security takes when assessing the external network of a company is to gather and enumerate information about the target; this is also commonly referred to as the reconnaissance phase. This step is critical as it creates a strong foundation of info that can later be used to identify vulnerabilities and attack paths. There are 2 different forms of reconnaissance in penetration testing:
- Passive Reconnaissance is the process of identifying information without ever directly interacting with the target environment. Good examples of passive recon include reviewing breached credential databases or reviewing job postings to discover the types of tools used at the company.
- Active Reconnaissance is the process of performing recon that directly pokes & prods the target environment. X Security assessors will utilize a number of different tools to scan IP blocks & systems to identify information about the hardware, hosts, and firmware.
Step 2: Threat Modeling
Threat modeling is an essential, yet often overlooked, step of a quality pentest. In this phase assessors will use the information they previously learned to map out the network architecture, operating systems, and open ports, as well as the underlying services. Another critical part of threat modeling is categorizing the different types of data that may be obtained during a pentest in a manner that will indicate the severity of different findings. Threat modeling helps pentesters understand more than just the technical aspects of findings and allows them to articulate their findings in a way that aligns with the business.
Step 3: Vulnerability Analysis
Once assessors move into the vulnerability analysis stage, they begin to utilize tools to identify potential vulnerabilities in the environment. Automated tools will help identify low-hanging-fruit vulnerabilities prior to our team shifting to where we spend most of our time: manual analysis & exploitation. We’re often asked what kind of automated tools we utilize for scanning & while the answer varies depending on the scope, we do regularly rely on some commercial tools, such as Burp Suite Pro, Metasploit, and Nessus, that have our own custom-built integrations.
Step 4: Exploitation
In this stage of the penetration test, we begin to safely exploit identified vulnerabilities and misconfigurations to determine what the impact of different findings would be to the business. Our team will attempt to gain access to the devices & systems to gain a foothold into the internal network. The exploitation stage allows assessors to better understand how different vulnerabilities would affect the business & ultimately help the customer prioritize their remediation efforts. This plays a significant role in delivering a report that provides actionable next steps to customers. Among other things, below are a few issues that X Security attempts to exploit in an external network pentest.
- Compromise Remote External Services: With the adoption of remote work, more companies are relying on services that allow employees to access internal enterprise network resources from external locations. X Security will attempt to gain access to these remote service gateways to gain a foothold into the environment.
- Exploit Public-Facing Applications: Applications, databases, and network device admin and management protocols often have internet-facing programs that could be taken advantage of by nefarious actors. X Security will help evaluate these systems & portals.
- Default & Employee Accounts: Software, operating systems, and devices have default accounts set up that may still be in use. Adversaries will attempt to abuse credentials to gain access to an environment. Additionally, employees may reuse credentials that have been previously compromised in other breaches (e.g., a Yahoo email/password), so our team will leverage a proprietary breached credential database to explore this type of attack path.
Step 5: Documentation & Reporting
At the end of every penetration test, clients receive a report documenting the results and providing actionable steps to improve the security of their network environment. During this stage X Security compiles everything from the pentest and puts it into a white-labeled report for our MSP partners so that they receive a report ready for immediate delivery. What you’ll receive with the report is outlined below:
- Executive Summary & Strategic Recommendations
- Strengths & Weaknesses
- Technical Documentation: Testing Process & Screenshots
- Actionable Remediation Steps
- Summary Document (Provide to 3rd parties without exposing highly sensitive information)
It’s important to highlight the value of a good pentest report – they help guide strategic decisions and budgets, they’re provided to auditors for compliance & regulation needs, and they’re provided to enterprise customers who require their 3rd party vendors to perform annual pentests. For the channel community, a quality pentest report that not only looks good but provides actionable steps for both leadership & technical folks is a massive sales/marketing tool.
Step 6: Remediation Testing & Report Updates
Clients ultimately want a clean(er) bill of health. After a client follows the remediation steps outlined in the report, X Security will perform a remediation test to ensure not only that all of the previously identified vulnerabilities have been removed, but also that no new vulnerabilities have been introduced during the remediation process. X Security will also reissue an updated report & summary document reflecting the remediated state.
*Remediation testing may have an extra cost. This is determined on a case-by-case basis at the end of the test and depends on the quantity of findings.