An external penetration test is a type of security assessment that can evaluate the resiliency of your organization’s network perimeter. It’s widely considered to be one of the first types of assessments that most organizations will go through, as most are concerned with tackling their Internet-facing weaknesses first. And that makes sense, as you don’t want to let just anyone undermine your perimeter security in a way that would allow unauthorized access to applications, sensitive data, or worst of all, an underlying host server.
This type of test is also designed to emulate real-world threats, using penetration testers who understand how hackers think and know how to exploit the vulnerabilities that an attacker would use. Going above and beyond clicking “Go” on a vulnerability scanner, an external penetration test seeks to uncover additional vulnerabilities, understand the real risk associated with identified vulnerabilities, and reduce false positives via manual verification.
What does an External Penetration Test include?
- Open Source Reconnaissance – We’ll use publicly available resources to try and uncover sensitive information, such as types of technology used by the organization or potential usernames, that can be used in the later phases of testing.
- Full Port Scan – In order to footprint an organization’s external perimeter, a port scan is used to understand which services are exposed and accepting inbound connections. These scans will take a look at all 65,535 TCP ports and the top 1000 most popular UDP ports.
- Vulnerability Scan – Where some assessments would center around a vulnerability scan, this is really just the beginning of an external penetration test. We use a vulnerability scan to speed up the identification process for some “low-hanging fruit” types of issues and exploitable weaknesses that could lead to a more significant compromise.
- Unauthenticated Web Application Penetration Testing – We’ve explained before that an external penetration test includes some aspects of web application penetration testing. That portion is whatever an attacker can see and do from a blackbox perspective, meaning we won’t be provided with valid credentials to log into discovered applications (unless we can find them ourselves).
- Manual and Automated Exploit Attempts – This is really the bread and butter of an external penetration test, and the most important part of the assessment. It’s hard to completely cover everything that can happen during this portion of the attack, but it includes looking for vulnerabilities that automated scans can’t find, exploiting issues scans did find, understanding the risks associated with identified vulnerabilities, and noting any mitigating controls.
- Password Attacks – Another important portion of external penetration testing is the opportunity for password attacks. These attacks combine the open source intelligence gathered with noted vulnerabilities in a way that makes password attacks more likely to succeed while avoiding protections in place. These attacks can help you understand shortcomings in password policies, account lockouts, and multi-factor authentication schemes.
Given all that, you can see why an external penetration test is seen as a foundational element of any well-rounded security program. It’s also one of the most cost-effective ways to confirm your security controls are effective and your organization is as secure as you think it is, helping you sleep at night. If you’re interested in a little more detail on the high-level activities involved in external penetration testing, check out our detailed methodology.