Penetration testing is one of the most effective ways to mimic real attacker behaviour and so prepare organisations for evolving cyber threats, so it is unsurprising that testers follow established standards. Of these, the Penetration Testing Execution Standard (PTES) is one of the most comprehensive.
The PTES is a standard that penetration testers follow to ensure they offer their customers an efficient, valuable, and supportive service. Although every pen test is different, the standard sets out a clear sequence of phases that is easy to follow while still giving testers room to dive deep.
In this guide, we’ll look at the PTES and the steps a tester will take while following its structure.
What is the Penetration Testing Execution Standard (PTES)?
The PTES is a seven-section penetration testing standard that lays out the typical steps a penetration tester follows when researching, qualifying, and attacking systems.
It’s designed to keep pen tests as efficient and as straightforward as possible, even in the face of specific client needs and potential complexities.
Initially devised in 2009, it remains the reference point that many testers adapt to modern engagements. In particular, the PTES technical guidelines are still referred to thanks to their recommendations on:
- General pen testing tools and software
- Intelligence gathering techniques (such as covert gathering)
- Vulnerability testing and automated techniques
- Precision exploitation
- Customized attacks
- Post-exploitation practices (such as data exfiltration and the cleanup of tools and logs)
- Technical reporting and deliverable development
It’s a standard that sets a benchmark for quality and efficiency, but testers must always take individual client needs into account.
That said, following the seven-step plan laid out by the PTES can help testers focus on specific tasks and build more comprehensive reports for their clients. Altogether, it’s a reliable system for ensuring clients get a clear picture of what’s at stake for their data, and how to better protect it.
Penetration Testing Execution Standard Process
Following the PTES, testers will typically split their research, attack, and report activities into seven clear steps:
- Pre-engagement interactions
- Intelligence gathering
- Threat modeling
- Vulnerability analysis
- Exploitation
- Post exploitation
- Reporting
Let’s explore each of these points in more detail.
1. Pre-engagement Interactions
The PTES’s first section establishes what testers must cover before launching a penetration testing project. Essentially, pre-engagement interactions are all about asking clients the right questions, documenting answers, and establishing scope.
During pre-engagement, a penetration tester will typically establish factors such as:
- Project scope
- Time estimations (including start and end dates)
- Hardware and software
- Technical details (such as IP addresses and access points)
- Client needs
- Boundaries between clients and testers (to prevent scope creep)
This step benefits testers and clients. For testers, it’s a good exercise to ascertain what they are going to test, for what purpose, and what the clients need. For clients, it’s peace of mind as to what tests will entail and what the outcomes might be.
To benefit all parties, documented questions and answers are kept on record for reference at the end of the process. Regardless of the penetration testing services you engage with, it’s crucial to establish clear boundaries and expectations at the outset.
2. Intelligence Gathering
The second stage of the PTES, intelligence gathering, is where testers gather as much information as possible about the systems and infrastructure they are testing and exploiting. This also includes learning more about how the client’s business works and the relationships they have with customers and other parties.
Open-source intelligence, or OSINT, gathering is also used to help testers find the entry points an attacker might use to break into client systems. This is also where testers identify and confirm the targets they intend to attack, checking each against the scope agreed during pre-engagement.
If a tester is following black box penetration testing principles, the client supplies little or no information up front, so intelligence gathering relies entirely on what can be discovered from the outside, to mimic a real-world attack.
The VikingCloud team, by contrast, uses a variant of white box pen testing, in which testers obtain extensive details about a client’s systems to better understand the attack surface.
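To make the pre-engagement scope and the intelligence-gathering triage concrete, here is an added example (it is not part of the PTES or of VikingCloud’s own material): a hypothetical scope document expressed as data, a check that refuses any host not explicitly in scope, and a parser for a constructed certificate-transparency style response (in the shape of a crt.sh JSON result, not real certificate data) whose hostnames are then filtered against that scope. The networks, domain names and the scope structure are all assumptions for illustration.

```python
import ipaddress
import json

# Hypothetical scope as agreed in pre-engagement (constructed example, not real client data).
# Everything not listed here is out of bounds; exclusions win over inclusions.
SCOPE = {
    "in_scope_networks": ["203.0.113.0/24", "198.51.100.16/28"],
    "excluded_hosts": ["203.0.113.5"],            # e.g. a fragile production database
    "in_scope_domains": ["example.com"],
    "excluded_domains": ["payroll.example.com"],  # e.g. a third-party-hosted service
}


def _under(name: str, domain: str) -> bool:
    """True if name is domain itself or a subdomain of it (the '.' stops look-alike suffixes)."""
    return name == domain or name.endswith("." + domain)


def host_in_scope(host: str, scope: dict = SCOPE) -> bool:
    """Return True only if host (IP address or DNS name) is explicitly allowed and not excluded."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None

    if ip is not None:
        if any(ip == ipaddress.ip_address(x) for x in scope["excluded_hosts"]):
            return False
        return any(ip in ipaddress.ip_network(n) for n in scope["in_scope_networks"])

    name = host.strip().lower().rstrip(".")
    if any(_under(name, d) for d in scope["excluded_domains"]):
        return False
    return any(_under(name, d) for d in scope["in_scope_domains"])


# Constructed sample in the shape of a crt.sh JSON response (not real certificate data).
CT_LOG_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.dev.example.com"},
    {"name_value": "payroll.example.com"},
    {"name_value": "vpn.example.com"},
    {"name_value": "example.com.evil-lookalike.net"},
])


def hostnames_from_ct(ct_json: str) -> set:
    """Extract unique hostnames from CT log entries; one entry may list several names."""
    names = set()
    for entry in json.loads(ct_json):
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):   # wildcard certificate: keep the base name as a candidate
                name = name[2:]
            if name:
                names.add(name)
    return names


def triage_targets(ct_json: str, scope: dict = SCOPE):
    """Split discovered hostnames into (allowed, rejected) so only in-scope hosts are attacked."""
    candidates = hostnames_from_ct(ct_json)
    allowed = sorted(h for h in candidates if host_in_scope(h, scope))
    rejected = sorted(candidates - set(allowed))
    return allowed, rejected


if __name__ == "__main__":
    allowed, rejected = triage_targets(CT_LOG_JSON)
    print("in scope:    ", allowed)
    print("out of scope:", rejected)
```

The check is deliberately deny-by-default: a host that is neither listed nor excluded is rejected, and the look-alike domain in the sample shows why a suffix comparison must include the leading dot rather than a bare `endswith("example.com")`.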
3. Threat Modeling
Threat modeling, the third step in the PTES process, sees testers identify which of a client’s assets are most valuable and which threat actors are most likely to target them. After identifying those threats, testers map them to the assets and weigh how much damage a successful attack on each would cause, which focuses the later stages on the highest-risk targets.
Testers might use information such as business policies, research and development data, public-facing assets (such as social media), and infrastructure design to determine where the biggest threats could lie.
4. Vulnerability Analysis
At the fourth stage of the PTES, testers undertake vulnerability analysis, which essentially means examining a system or application to uncover specific, exploitable flaws.
This process can involve actively probing open ports and the services behind them and, for web applications, running dedicated scanners that crawl site directories and test inputs. In the latter case, a tester might notice a database error returned when an input contains a single quote, a sign that user input is reaching a SQL query unescaped and therefore a potential SQL injection vulnerability.
5. Exploitation
The fifth step, exploitation, is where testers put their hacker hats on. Here, they take the output of stages three and four of the PTES and actively attack the client’s infrastructure or systems, in a controlled manner and within the scope agreed at the outset.
During this stage, testers use various attack vectors and professional tooling to establish how vulnerable systems and protective measures really are. They record which attacks succeeded, the tools used, the data that could be extracted, and the likelihood of a real-world attack taking the same path.
This stage is one of the most important for building a clear report with remediation suggestions, which we cover in step seven below.
6. Post Exploitation
The post-exploitation stage, or step six of the PTES, still takes place while the tester has access to the systems compromised during step five. It’s here that they exercise control over those systems and dig into the data an attacker could reach from them.
This stage requires testers to carefully identify sensitive data, capture or observe internal network traffic, and map out where further exploitation might be possible. Ahead of reporting, testers redact sensitive information but retain enough evidence to prove the damage that could have been done.
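One way to carry out the sensitive-data identification and the redaction described above, given here as an added example rather than anything from the page or from VikingCloud: a scanner that runs over constructed sample files (a hypothetical notes file and a hypothetical .env file), looks for payment card numbers, the AWS access key ID format and credential assignments, validates candidate card numbers with the Luhn check so that other 16-digit numbers are not reported, and masks each find so the report proves the exposure without reproducing the secret. The file contents, patterns and finding structure are assumptions for illustration; the card number is a made-up value that passes Luhn, and the AWS key is the placeholder value used in AWS documentation.

```python
import re

# Constructed sample "loot" a tester might find on a file share (hypothetical contents, not real data).
SAMPLE_FILES = {
    "notes.txt": "Card on file: 4539 1488 0343 6467 exp 12/27. Ticket id 1234567812345678.",
    "app.env": "DB_PASSWORD=hunter2\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
}

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# AWS access key IDs are 20 characters starting AKIA (long-term) or ASIA (temporary).
AWS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# KEY=value lines whose key looks like a credential (dotenv / shell style).
SECRET_ASSIGN_RE = re.compile(r"^(\w*(?:PASSWORD|PASSWD|SECRET|TOKEN)\w*)\s*=\s*(\S+)", re.I | re.M)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right; valid if the sum is a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(value: str, keep: int = 4) -> str:
    """Mask all but the last `keep` characters (keep=0 masks everything)."""
    cut = len(value) - keep
    return "*" * cut + value[cut:]


def find_sensitive(files: dict) -> list:
    """Return findings as {file, type, evidence}, with the evidence already redacted for the report."""
    findings = []
    for path, text in files.items():
        for m in PAN_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):               # drops ticket numbers and other digit runs
                findings.append({"file": path, "type": "pan", "evidence": redact(digits)})
        for m in AWS_KEY_RE.finditer(text):
            findings.append({"file": path, "type": "aws_access_key_id", "evidence": redact(m.group(0))})
        for m in SECRET_ASSIGN_RE.finditer(text):
            findings.append({"file": path, "type": "credential",
                             "evidence": f"{m.group(1)}={redact(m.group(2), keep=0)}"})
    return findings


if __name__ == "__main__":
    for f in find_sensitive(SAMPLE_FILES):
        print(f"{f['file']}: {f['type']} -> {f['evidence']}")
```

The Luhn filter is what keeps the 16-digit ticket number out of the report while the card number stays in, and the redacted evidence (last four digits of a card, last four characters of a key, nothing of a password) is the form that can safely be pasted into a client deliverable.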
7. Reporting
The final PTES stage, reporting, is where testers compile their findings from the project and offer clients clear guidance on how to better protect their data and hardware.
These reports typically include an executive summary and a high-level list of findings for business readers, followed by a technical section that establishes what the tester set out to achieve, what they did, and what they found.
Reports will include risk ratings and strategic roadmaps, which, in plain language, give clients a clear pathway to better securing their systems against threats discovered during testing.
How PTES Differs from Other Standards
The PTES differs from many other standards in that it is a general-purpose template for most pen testing activities. It’s a “baseline” set of recommendations designed by security professionals; it’s comprehensive and isn’t confined to any one testing area.
For example, the Open Web Application Security Project, or OWASP, offers testing guides that are specifically rooted in testing web applications, APIs, and IoT devices.
Other standards, such as the guidance from the National Institute of Standards and Technology (NIST) in its Technical Guide to Information Security Testing and Assessment (SP 800-115), are seen as the “absolute minimum” for testers in the profession. The PTES, ultimately, builds on those basics to help testers plan for most eventualities.
Conclusion
As experts in pen testing, we’ve observed many different penetration testing methodologies over the years. Some are more effective than others when assessing specific client systems – and the PTES offers some of the most comprehensive “baseline” practices.
Regardless of your penetration testing needs, VikingCloud will map out a strategy that keeps you in the loop at every stage of your controlled hack. Contact our team to learn more about how we can help strengthen your security posture.