An Internal Penetration Test is conducted from within your network, taking the perspective of an attacker who has already gained a foothold by some other means (whether that is direct exploitation of a public-facing system or social engineering) or of a malicious insider. This assessment uses a combination of automated and manual exploitation techniques to determine what a bad actor can do from that position. An internal penetration test has similar goals to an external penetration test, but completely changes the perspective in order to assess a different set of threat vectors.
The most common argument we hear against internal penetration testing is “Well, I have great security controls on my organization’s perimeter, why should I pay to assess the inside of my network? Of course they can access sensitive stuff once they’re inside!” And while it’s true that most organizations focus the majority of their security efforts on the outside of their network, it’s not prudent to assume that no one can possibly gain access to your internal network. A widely quoted industry figure puts the share of cyber attacks that start with a phishing email at 91%, and in our experience during red team engagements, phishing is often the easiest and most likely path to success when trying to remotely access a network. So given all of that, as your security program matures and you take a more proactive approach to managing all of the threat vectors your organization faces, it makes sense to consider an internal penetration test.
What Questions Will An Internal Penetration Test Answer?
- Just by plugging a system into the network, can an attacker move laterally to other sensitive systems?
- Can an adversary gain access to the organization’s “crown jewels” or most sensitive information?
- Can they exfiltrate that information without being detected?
- Can an adversary escalate from that initial foothold to “own the network” or become a Domain Administrator?
- How easy is it for them to achieve these goals and what are the easiest ways to reduce this risk?
- How effective are our current preventative and detective security controls?
What’s The Process?
To facilitate this type of testing, the attack team needs to simulate that initial foothold on the internal network. A laptop is provided that you plug into your network, just as an employee would when sitting down at their desk and starting work. Once that system is connected, the attack team has remote access to it, but no other information or credentials are provided. At this point the test begins, starting with port scans, vulnerability scans, passive traffic analysis, broadcast name-resolution spoofing (LLMNR/NBT-NS poisoning), and password attacks, to name a few of the initial activities. Through discovery, target enumeration, exploitation, and then post-exploitation, the attack team works through a standard methodology that aims not only to answer the key questions above, but to identify and prioritize every vulnerability found along the way. When you are provided with the testing results, you have the actionable data you need to make significant improvements to your security posture and to allocate resources where they will have the biggest impact.
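The broadcast spoofing step above, and the question of whether your detective controls would notice it, can be checked from the defender's side with a simple canary. An attacker who has plugged into the network answers LLMNR queries for names that DNS cannot resolve; a defender can multicast an LLMNR query for a random name that no legitimate host owns, so that any answer at all identifies a spoofer. The following is an added example written for this page, not code from the original post or from the testing firm: it builds the LLMNR query, parses any response, and wraps the send/receive in a function you run on the segment under test. The canary name, the transaction ID, and the 10.0.0.66 address in the constructed spoofed reply are all made-up values for illustration.

```python
"""Minimal LLMNR spoofing canary (added example, not part of the original page).

LLMNR (RFC 4795) reuses the DNS message format over UDP multicast 224.0.0.252:5355.
A name-resolution spoofer on the local segment answers queries for names that
nobody owns, so a query for a random canary name should get no reply at all.
"""
import random
import socket
import struct

LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355


def _encode_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_llmnr_query(name: str, txid: int) -> bytes:
    """One-question LLMNR query for an A record (flags 0 = standard query)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def build_spoofed_response(query: bytes, answer_ip: str) -> bytes:
    """What a spoofer sends back: echoes the question and claims the name itself.

    Constructed here only so the parser can be exercised offline."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)  # QR bit set, one answer
    question = query[12:]
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


def parse_llmnr_response(data: bytes, expected_txid: int):
    """Return [(name, ipv4), ...] from a response matching expected_txid, else None."""
    if len(data) < 12:
        return None
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid or not flags & 0x8000:
        return None

    def read_name(off):
        labels = []
        while True:
            length = data[off]
            if length == 0:
                return ".".join(labels), off + 1
            if length & 0xC0 == 0xC0:  # compression pointer
                ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
                sub, _ = read_name(ptr)
                labels.append(sub)
                return ".".join(labels), off + 2
            labels.append(data[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length

    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = read_name(off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return answers


def probe(name: str = None, timeout: float = 2.0):
    """Multicast one canary query and return [(responder_ip, answers)]; empty is good."""
    name = name or "canary-%08x" % random.randrange(1 << 32)
    txid = random.randrange(1 << 16)
    query = build_llmnr_query(name, txid)
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)  # link-local only
        s.settimeout(timeout)
        s.sendto(query, (LLMNR_GROUP, LLMNR_PORT))
        while True:
            try:
                data, (src, _port) = s.recvfrom(1024)
            except socket.timeout:
                break
            answers = parse_llmnr_response(data, txid)
            if answers:
                hits.append((src, answers))
    return hits


if __name__ == "__main__":
    for src, answers in probe():
        print("ALERT: %s answered the canary with %s" % (src, answers))
```

Run `probe()` from a host on the segment you want to check; a clean segment returns an empty list. Two caveats a practitioner should keep in mind: LLMNR is link-local multicast, so the canary only sees spoofers on the same broadcast domain, and a spoofer that only answers NBT-NS or mDNS will not trip an LLMNR-only canary. The lasting fix is to disable LLMNR and NBT-NS via Group Policy rather than to keep hunting for responders.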
This type of testing is slightly more expensive than external penetration testing (but still reasonable), as it takes considerably more time to evaluate your entire internal network than the limited set of systems and services exposed on the Internet perimeter. Overall, this type of testing is most valuable to organizations that want to understand and reduce all elements of their risk, and that either have a good handle on their external security or want to justify improvements throughout their organization’s security, not just from a single point of view. If you’re interested in learning more about this kind of assessment or want a better understanding of whether it makes sense for you, reach out or drop your questions below!