Pentesting aims to evaluate information security measures through the eyes of a potential attacker with the aim of testing the effectiveness of security controls.
A security practitioner tasked with penetration testing conducts a series of security tests in an attempt to gain access to a system and exploit the security flaws that exist, using the same tools and techniques a malicious attacker would use, but in a controlled manner.
A properly scoped and deployed pen test can be an invaluable tool to assess the ability of a system to survive a malicious attack.
For more information on why you should use a penetration testing framework, you may read this article.
The cornerstone of a successful pen test is its underlying methodology.
There are several pentesting methodologies and frameworks in existence to choose from:
- Information Systems Security Assessment Framework (ISSAF)
- Open Source Security Testing Methodology Manual (OSSTMM)
- Open Web Application Security Project (OWASP)
- Penetration Testing Execution Standard (PTES)
- NIST Technical Guide to Information Security Testing and Assessment 800-115
ISSAF – Information Systems Security Assessment Framework
The ISSAF is a framework provided by the Open Information Systems Security Group (OISSG), a not-for-profit organization based in London.
You can download a copy of draft 0.2 here.
This penetration testing methodology is divided into three primary phases: planning and preparation; assessment; and reporting and clean-up.
One particular advantage of ISSAF is that it shows the distinct relationship between each task and the tools associated with it.
ISSAF Methodology Steps
The ISSAF methodology suggests following a strict sequence of steps when simulating an attack:
- Gathering Information
- Mapping the network
- Identifying vulnerabilities
- Penetrating
- Getting basic access privileges and elevating them
- Further enumeration
- Remote users/sites compromise
- Maintaining access
- Covering your tracks
- Reporting
- Clean and destroy evidence
OSSTMM – Open Source Security Testing Methodology Manual
The OSSTMM is an open-source security testing methodology created by ISECOM (Institute for Security and Open Methodologies). Access to its latest version requires paid membership, but previous versions are available for free.
You can download a copy of OSSTMM version 3 here.
OSSTMM is used primarily as a security auditing methodology. It is not as comprehensive in its selection of tools or methods, but it can be very effective for testing an organization's controls in order to satisfy regulatory compliance requirements.
OSSTMM Main Directions of Testing
- Human security
- Physical security
- Wireless communications
- Telecommunications
- Data networks
OWASP – Open Web Application Security Project
OWASP is a non-profit organization focused on advancing software security, and its methodology is well known and widely used by security professionals. OWASP provides numerous tools, guides, and testing methodologies, such as the OWASP Testing Guide (OTG).
OTG is divided into three primary sections, namely, the OWASP testing framework for web application development, the web application testing methodology, and reporting.
OWASP Methodology Steps
The following are the stages of the Open Web Application Security Project (OWASP) framework:
- Reconnaissance
- Scanning
- Exploitation
- Maintaining access
- Reporting
You can download the OTG here and the OWASP Application Security Verification Standard here.
OTG has a strong focus on web application security throughout the entire software development lifecycle, as opposed to ISSAF and OSSTMM, both of which are aimed at security testing and implementation.
PTES – Penetration Testing Execution Standard
The Penetration Testing Execution Standard (PTES) is a methodology developed to cover the key parts of a penetration test, from the initial contact phase, through the stages of the cyber kill chain (e.g. vulnerability analysis, exploitation, and post-exploitation), to the reporting phase.
The PTES standard itself does not specify precisely how to conduct a penetration test, but rather the steps that should (typically) be followed. Technical guidelines were developed to accompany the PTES; however, they should not be followed to the letter. They are an approximation of the steps to follow, and an actual penetration test will vary from client to client.
PTES is a standard that draws on other resources and incorporates other frameworks within it, such as OWASP for web application penetration testing.
You can download PTES version 1.1 here.
PTES Methodology Steps
The main stages described in PTES are:
- Intelligence gathering
- Threat modeling
- Vulnerability analysis
- Exploitation and post-exploitation
- Reporting
NIST
The National Institute of Standards and Technology (NIST) provides a manual that is best suited to improving the overall cybersecurity of an organization.
With this framework, NIST set its sights on guaranteeing information security in different industries, including banking, communications, and energy. Large and small firms alike can tailor the standards to meet their specific needs.
In order to meet the standards that NIST has set, companies must perform penetration tests on their applications and networks following a pre-established set of guidelines.
Penetration testing is referenced in many NIST publications. Read more details here.
You can download NIST Special Publication 800-115 here and 800-53 here.
Conclusion
In summary, there is a diverse range of methodologies to use when it comes to penetration testing. Each has unique characteristics and approaches. Every security professional should read through each penetration testing framework or guide they can get their hands on. You will learn much more than just penetration testing methods: you will learn how to approach security in your organization in ways you haven't thought of before. It will be time well spent.
Every framework has valuable information which can empower every pentest activity. There is no “one methodology/framework to rule them all”, but if I had to choose I would select the one from NIST coupled with the guides from OWASP.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his wide knowledge and technical management capabilities go beyond these certifications. He enjoys acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.