What is an Internal Pen Test?

This time in our series on the different types of penetration test, we’re covering “Internal” pen tests, otherwise known as “Internal Infrastructure” or “Internal Network” penetration tests. Hopefully, from our previous post you should now have some idea about penetration testing both in general and on the outside of your business (check out our first blog post on perimeter/external pen tests, if you haven’t already), and this post will explain why you might want to take a look on the inside.

Infrastructure/Network Pen Test

Commonly referred to as an “Internal Pen Test”, the internal infrastructure penetration test focuses on testing attacks which could be carried out by an adversary who has already gained a foothold within your network and is looking to “elevate” themselves to gain further control and cause more damage. It also deals with security holes that could be taken advantage of by a malicious insider — perhaps a disgruntled employee that wishes to cause damage to areas of the business outside of their usual access level.

This type of pen test typically involves tapping into your network on site, so the tester(s) will need to be given access to your office similar to that of an employee. Alternatively, they could start in your cloud infrastructure, depending on the scope of testing and the scenario to be explored. Testers will then attempt to gain access to sensitive information sources or privileged user accounts which should be off-limits to them, finding ways to subvert any access controls you may have in place.

The process normally starts with a “discovery phase” where the tester uses network mapping tools to discover the inner workings and layout of your network. Testers will effectively build up a map of your internal network, and the computers and services available on it, and will use this map to guide their efforts to find holes in your security, and to breach areas they shouldn’t be able to access.

After the discovery phase comes the “identification phase”. Some examples of the sorts of activity that can take place in this phase are as follows:

• Brute forcing of user accounts to attempt to gain unauthorised access to machines on the network
• Subversion of network routers and switches to control and monitor traffic, inject weaknesses or take control of endpoints by exploiting protocols. For example, the Web-Proxy Auto-Discovery protocol, that normally helps computers communicate with the internet can be abused by local attackers to sniff your web traffic
• Exploiting known vulnerabilities in software running locally to break into servers, elevate existing access, or prove attackers could run malicious code

The aim of these types of tests is really to find all possible weaknesses in the shortest space of time. An ordinary infrastructure pen test is therefore usually carried out as an audit-style approach, in collaboration with the security team, and can often be very noisy (in terms of security alerts from any monitoring systems you might have). Although this is a good way to discover the majority of the weaknesses you might have, the downside of this approach is that it may not give you the best understanding of how you might fare when targeted by a real attacker.

For larger and more security-mature businesses, it’s possible to go one step further and conduct what’s called a “Red Team” exercise. Tests conducted by a Red Team aim to mirror techniques a real attacker would use as accurately as possible, including trying to avoid detection. As such, a red team is more of a test of your operational defences, and is often carried out without the knowledge of staff members, including those working in security teams. Red teaming will usually involve other types of attack such as phishing, and can offer a more comprehensive, realistic (and expensive!) coverage.

Standard internal pen tests typically take anything from a few days to a couple of weeks, whereas a full red team engagement would likely take longer, running for over a month or even two for larger firms. Pricing varies hugely based on the scale of the job and the experience of the professionals carrying out the tests.

Hopefully this has cleared up some of the questions you may have had regarding Infrastructure Pen Tests. Next up in the series we will talk about Web Application Pen Tests, the type of pen test which tests the security of your websites.