Single Blog

Here at Skyrim Security we offer a myriad of Penetration Testing services, and today we’ll delve into one specific type of test: the external penetration test. This method emulates a real-world attacker on the internet targeting your organization’s internet-facing assets. While we at Skyrim Security strictly follow the Penetration Testing Execution Standard (PTES) framework for a comprehensive and structured testing approach, this article is designed to offer a concise, high-level glimpse into the processes of an external penetration test.

1. Open-Source Intelligence (OSINT)

Every good external penetration test begins with OSINT. Before any attacks are launched, a vast amount of information about the target is collected. This could range from publicly available documents, social media posts, DNS records, and anything else that could potentially provide invaluable information about potential vulnerabilities or even just a clearer picture of the target environment. Think of it as doing your homework before the big exam.

2. Scanning & Enumeration

Once enough information is collected, the next phase often involves automated scans to identify open ports, services running on servers, and other potential entry points. However, it’s crucial to note that while scans are automated, they represent just a minor part of the penetration test. These scans merely offer a starting point. The real depth of the test comes from manual analysis.

3. Manual Analysis & Exploitation

Emulating real-world attackers means thinking like them. Automated tools might give us potential vulnerabilities, but it’s the manual testing that attempts to identify if these vulnerabilities are exploitable. Penetration testers will manually verify potential vulnerabilities and attempt various tactics, techniques, and procedures to gain unauthorized access. This phase is truly where the expertise of the penetration tester shines, using creativity, experience, and skill to emulate potential threat actors.

4. Post-Exploitation & Lateral Movement

Successful exploitation can lead to gaining a foothold inside the target’s infrastructure. From here, testers might attempt to move laterally, escalate privileges, or access sensitive information in order to demonstrate impact. The aim is to understand the depth of access a potential attacker could achieve and identify ways to mitigate such risks.

5. Reporting

Perhaps the most critical phase is the final report. This isn’t just a list of findings but a comprehensive document outlining vulnerabilities, data accessed, paths taken, and most importantly, recommendations for securing the organization’s assets. It offers organizations a roadmap to better security. Here at Skyrim Security, we provide two reports as part of our deliverable package:

1. Executive Summary – This is curated for C-suite executives and other non-technical stakeholders. It provides a high-level overview of the assessment, focusing on thematic security issues, overall risk posture, and strategic recommendations. The language is non-technical, ensuring it’s easily digestible for decision-makers who need to understand the broader implications without getting into the nitty-gritty.
2. Technical Findings Report – This is a granular report presented as an Excel spreadsheet. It meticulously details each vulnerability discovered during the test. For every vulnerability, we specify the host, IP address, port it was found on, and an in-depth description. Furthermore, this report also includes clear remediation steps, ensuring that technical teams have a clear and actionable roadmap to bolster the organization’s defenses.

The final report is not just a reflection of the testing process but a comprehensive document that guides organizations on their path to improved security. It offers both a broad perspective for leadership and a detailed action plan for technical teams. Remember, in the world of cybersecurity, it’s always better to be proactive than reactive.

In Conclusion

While tools and automation play a role in external penetration testing, the vast majority of the process is manual. When you commission an external penetration test, you’re not just paying for a scan; you’re investing in expert knowledge, skill, and the human intuition of testers who emulate real-world attackers. It’s this blend of technology and expertise that ensures your organization’s defenses are truly robust. Remember, in the world of cybersecurity, it’s always better to be proactive than reactive.