The Penetration Testing Execution Standard, or “PTES”, is a standard consisting of 7 stages covering every key part of a penetration test. The standard was originally developed by information security practitioners to establish a baseline for what an effective penetration test must include. While the methodology is fairly dated and has not been updated recently, it still provides a sound general framework for planning and executing a penetration test at a high level. As we have outlined before, Triaxiom leverages the PTES within our own custom testing methodologies for executing any form of penetration test.
7 stages of the Penetration Testing Execution Standard
- Pre-Engagement Interactions
- Intelligence Gathering
- Threat Modeling
- Vulnerability Analysis
- Exploitation
- Post Exploitation
- Reporting
Pre-Engagement Interactions include everything from getting a Statement of Work in place, ensuring the scope of the project is accurate, and reviewing the Rules of Engagement. This is an extremely important step to ensure the testing team and client are on the same page as to what is being tested, when it is being tested, and any special considerations that need to be followed during the test (for example, hours during which testing is permitted, assets that are out of bounds, or actions that require explicit approval).
The intelligence gathering phase, which includes open-source intelligence (OSINT) collection, is conducted at the beginning of every penetration test to gather as much information as possible about the organizations and assets in scope. This information is used to inform and facilitate testing performed later in the process, such as building targeted wordlists for password attacks from discovered employee names and naming conventions.
Threat Modeling identifies what threats an organization, a target network, or an in-scope application should be worried about. The goal of a penetration tester is to emulate an attacker in order to gauge the real risk to a target, so identifying and understanding the threats that target might realistically face is a key step. This data should inform the rest of the testing process: which attacks to prioritize, which findings matter most to this environment, and which scanner results are likely false positives.
Now that we know our targets and have a clear understanding of the threats the target assets face, it is time to move into the vulnerability analysis phase. This involves vulnerability scans as well as manual evaluation of the in-scope assets. From here, the penetration tester should verify all discovered vulnerabilities are accurate, there are no false positives, and figure out which vulnerabilities can or should be exploited in the following phase.
With a list of potential or confirmed vulnerabilities, it is time to exploit discovered vulnerabilities in order to gain access to information systems or data. This phase truly helps the client understand their risks, as it proves the viability of exploits, exemplifies exactly how an attacker can leverage existing vulnerabilities to infiltrate the assets in scope, and highlights the results of the exploit (e.g. access to sensitive information, potential for loss of availability, etc.).
The purpose of the Post-Exploitation phase is to determine the value of the compromised machine and, where the Rules of Engagement allow it, to maintain access to it for later use. This is sometimes called the “looting” phase, as the key goal is to gather screenshots and sensitive information that either help highlight the risk for reporting or enable further access in the target environment, which in turn represents additional vulnerabilities. Any persistence mechanisms or data collected during this phase must stay within the scope and rules agreed during Pre-Engagement Interactions and be documented so they can be removed at the end of the test.
Following any penetration test, reports are delivered detailing exactly what was uncovered during the assessment. In most cases and at Triaxiom, this includes an Executive Summary report detailing the scope of the assessment, the overall risk to the organization, and the strengths and weaknesses uncovered during the test. Additionally, a Technical Findings report is provided that details every single vulnerability, where it was discovered, the associated criticality, relevant details that help explain the risk or recreate the issue, and recommended remediation steps.
What are the Benefits of using the Penetration Testing Execution Standard?
As you can see, the Penetration Testing Execution Standard can be a great foundational resource that lays out a clear framework to follow when executing a penetration test. It’s important for penetration testers to follow a consistent methodology (which could include the PTES) so each and every penetration test produces accurate and consistent results, ultimately helping clients become more secure. Every penetration test is different, but a core methodology can help ensure that you do not skip a step, you do not miss a critical aspect of the test, and you can give the client the best test possible.
Looking for your next penetration test? Reach out to us today and we would be happy to assist!