
Insights from a Penetration Tester: Understanding Methodologies

When you ask a penetration tester what their strategy is for testing, it’s really not an easy question to answer. Testing for vulnerabilities is a bit like navigating a maze for penetration testers. It’s a complex process that involves using all sorts of tactics, techniques, and procedures to make sure everything’s thoroughly checked. It’s all about ensuring that the test is as effective as possible.

A typical day for a pen tester is never the same, and explaining how they secure such a diverse range of technologies is no small task. It’s like trying to juggle a bunch of different balls at once!

That’s why we’re here to simplify and describe the strategy and thinking behind a penetration test, and to show you how a penetration tester approaches a target application or network, so you can see for yourself how our testers make decisions that allow them to systematically identify vulnerabilities.

First though, a quick explainer is needed…

White, Black, or Grey Penetration Tests:

Penetration tests aren’t just black and white; they are also grey (and red, blue and purple, but let’s not confuse things). The context of a test is very important, and each organisation has different needs. Depending on your strategy and threat model, you might choose a white, black or grey box penetration test. The term describes the level of knowledge your tester has about their target:

In a black box test, our pen tester operates from the perspective of a simulated hostile adversary: they are given no real information about their target beyond the minimum needed to ensure they stay in scope.

This is the most realistic form of penetration testing, as a real adversary would (hopefully) not have any privileged information about their target and would need to figure out as much as they can by interacting with the target before trying to exploit it.

Forming the polar opposite of black box testing, white box penetration testing gives the tester as much information as is available about their target. This can include code, documentation and access to internal expert resources provided by the client. They may even be able to create custom builds of applications, allowing them to test scenarios that would not be possible in a black box exercise.

This allows an extremely comprehensive test to be conducted, but it is usually higher cost, takes longer, and gives less of an indication of the vulnerability exposure visible to a less privileged attacker.

A grey box test aims to be the best of both worlds: it gives our pen tester a reasonable degree of access to information, usually in the form of documentation and the ability to ask questions of your internal resources as needed, but does not give complete access to source code.

This allows for a comprehensive test without massive testing budgets and resource commitments. It’s also the most common form of testing that Equilibrium Security conducts.

The Pen Test Strategy Begins:

With an understanding of the different contexts in which a test can be conducted, let’s dive into the actual penetration testing strategy that we use across all of our testing services.

1. Equilibrium’s Penetration Testers begin their walk:

The first step of any penetration testing methodology is always enumeration, by which I mean exploration of our target.

The purpose is to familiarise oneself rapidly with the target: the better one understands something, the easier it is to exploit, of course.

During this stage our pen testers will also note things they think warrant investigation. On a network test they might see a weird, non-standard port. On a web application they might see a parameter like admin = False and ask: what happens if I change it to True?

The context also matters in this step: on a white box test this stage will involve poring over code and documentation for hours, but it will naturally be shorter on a black box test.

It’s important for our testers to do this stage properly; it’s tempting to dash off and test something the second they see it.


2. The Penetration Test methodology needs a plan

If enumeration has been done to a high quality, our testers will now have a solid understanding of the entire system, its purpose and where they feel there may be security weaknesses. However, it’s still not time to let loose and start testing.

3. The Pen Testers begin to hack

At this point, our testers will finally start to explore their test cases, and this is where the pen testing methodology can branch off into the infinite.

Depending on the technology stack, frameworks in use and the specific code written for a web application, there could be many possibilities for types of vulnerabilities that could be present.

In a network test, there is just as much variation as just about any computer system could be a part of the network, including servers hosting web applications that could themselves require a full web application penetration test.

This step is precisely why writing a fully comprehensive explanation of how a test is performed is so difficult: it really does depend on the expertise and experience of the individual testers to adapt to their target and exploit the specific vulnerabilities present within it.

There are of course frameworks and standards that aim to provide a lattice within which testing can remain consistent between testers and ensure a minimum level of coverage, but even within these the actual process of performing the testing is still highly specific to the target.


In this step, the type of test plays a crucial role.

4. Do it again, but better!

This is where the real work comes from in the penetration testing methodology.

Each of our pen testers must constantly iterate their testing. Let’s say, for example, that in the previous step our tester was exploiting a vulnerability within a network and managed to get access to the account of an HR user.


This isn’t just the case within network testing; think about how many web applications you use every day that have multiple user roles. Testers will often iteratively test applications as they move through privilege levels too.
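The two ideas above, a tester noticing a parameter like admin = False during enumeration and then re-testing an application role by role as they move through privilege levels, can be shown in a few lines. The following is an added example and is not code from the original post or from Equilibrium Security. It models a web endpoint that wrongly trusts a client-controlled "admin" parameter next to a hardened version that takes the role only from the server-side session, and a small role-by-action matrix of the kind a tester walks through when iterating across privilege levels. The session store, policy table, user names and actions are all constructed for illustration.

```python
# Added example (not from the original post or from Equilibrium Security):
# (a) an authoriser that trusts a client-supplied "admin" flag beside a
#     hardened one that reads the role from the server-side session;
# (b) a privilege matrix that re-runs every role against every action, the
#     iterative, role-by-role testing described in step 4.
# All names, sessions, actions and policy entries below are constructed.
from dataclasses import dataclass, field

# Constructed session store: session id -> (user name, role assigned at login).
SESSIONS = {
    "sess-alice": ("alice", "user"),
    "sess-carol": ("carol", "admin"),
}

# Constructed policy: which roles may perform which action.
POLICY = {
    "view_profile": {"user", "admin"},
    "delete_user": {"admin"},
}


@dataclass
class Request:
    session_id: str                              # taken from the session cookie
    action: str
    params: dict = field(default_factory=dict)   # client-controlled parameters


def vulnerable_authorise(req: Request) -> bool:
    """Trusts the client: 'admin=true' in the request grants admin rights.
    This is the pattern a tester probes by flipping admin=False to True."""
    if req.action == "view_profile":
        return True
    return req.params.get("admin", "false").lower() == "true"


def hardened_authorise(req: Request) -> bool:
    """Ignores any role claim in the request; the role comes only from the
    server-side session and is checked against the policy table."""
    session = SESSIONS.get(req.session_id)
    if session is None:
        return False
    _, role = session
    return role in POLICY.get(req.action, set())


def tamper_signal(req: Request) -> bool:
    """Detection hook: a client claiming admin while its session is not admin
    is worth logging, even when the hardened check already refuses it."""
    claimed = req.params.get("admin", "false").lower() == "true"
    session = SESSIONS.get(req.session_id)
    actual_admin = session is not None and session[1] == "admin"
    return claimed and not actual_admin


def privilege_matrix(authorise) -> dict:
    """Runs every (session, action) pair through an authoriser and reports the
    decisions that disagree with POLICY. Returns
    {(user, action): (decision, expected)} for the mismatches only."""
    mismatches = {}
    for sid, (user, role) in SESSIONS.items():
        for action, allowed_roles in POLICY.items():
            # Every request carries the tampered flag so that a trusting
            # authoriser is exposed regardless of the caller's real role.
            req = Request(sid, action, {"admin": "true"})
            decision = authorise(req)
            expected = role in allowed_roles
            if decision != expected:
                mismatches[(user, action)] = (decision, expected)
    return mismatches


if __name__ == "__main__":
    print("vulnerable mismatches:", privilege_matrix(vulnerable_authorise))
    print("hardened mismatches:  ", privilege_matrix(hardened_authorise))
```

Run stand-alone, the script reports one mismatch for the trusting authoriser (the ordinary user alice can delete users by sending admin=true) and none for the hardened one. The matrix is the point: once a tester holds one role, the same actions are tried again from the next role, and the fix is to derive privilege from server-side state rather than from anything the client sends.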

Summarising Penetration Testing Methodologies

The testing methodology is basically a circle; we can sum up the process with a neat little graphic:

Image of the methodology of pen testing

This overview provides a high-level insight into how penetration testers approach various computer systems, illustrating the flexibility required to navigate diverse target sets while adhering to principles that systematically uncover vulnerabilities akin to real threat actors.

For a deeper understanding of the specific steps taken by testers in assessing the security of web applications or networks, materials are being developed to provide a more detailed walkthrough of the process. Given the substantial differences in testing across various target categories, documents will be tailored to outline the process for each major service line.

Want peace of mind knowing your systems are secure?

Contact us to discuss how penetration testing can benefit your organisation today! 

We’re here to guide you with your Cyber Security needs. Call us on 0121 663 0055, or email enquiries@equilibrium-security.co.uk.

Don’t leave your Cyber Security to chance. Let’s collaborate to safeguard your digital future.

Ready to achieve your security goals? We’re at your service.

Whether you are a CISO, an IT Director or a business owner, Equilibrium has the expertise to help you shape and deliver your security strategy.

About the author

Danny is your go-to expert for concise and intelligent security guidance, particularly in the realm of Penetration Testing. With a wealth of experience in Cyber Security, he specialises in analysing your security infrastructure and identifying vulnerabilities with precision.
Danny Binns
Principal Security Consultant
