Penetration Testing Execution Standard (PTES)
The Penetration Testing Execution Standard (PTES) is the most recent (and arguably the most complete overall) penetration testing methodology we will discuss.
It was developed by a team of information security practitioners with the aim of addressing the need for a complete and up-to-date standard in penetration testing. In addition to guiding security professionals, it also attempts to inform businesses with what they should expect from a penetration test and guide them in scoping and negotiating successful projects. Like the previous frameworks we’ve looked at, it covers ‘what’ and ‘when’, but goes much deeper into the ‘how’.
The PTES is made of two main parts which complement each other. The Pentest guidelines describe the main sections and steps of a penetration test, while the Technical guidelines discuss the specific tools and techniques to be used in each step.
PTES describes the penetration test in seven main sections:
This section outlines the main issues to be discussed and covered in the initial stage of the test before any actual tests begin. It provides advice for both the penetration testers and their clients, in order to ensure that there is a common understanding and agreement on all major points of the assignment.
The main items discussed in this section include:
- Scope definition
- Time and budget estimation
- Dealing with third parties
- Communication channels
- Incident handling
- Rules of engagement – times and locations, evidence handling, permission to test and legal considerations
This is the first stage of actual engagement. PTES discusses this activity at three possible levels:
- Level 1: Compliance driven – based mainly on automated tools
- Level 2: Best practice – includes automated and some manual analysis
- Level 3: State-sponsored – full scope, automated, and detailed manual analysis
The main steps of reconnaissance are defined as:
- Target selection
- Open Source Intelligence (OSINT)
- Covert gathering
- Identification of protection mechanisms
This section follows the traditional ‘assets and attackers’ approach. It defines the assets as business assets and business processes, and the attackers as threat communities and their capabilities/motivation.
Effective threat modelling allows the pentesters to simulate more realistic attacks on the assets and should be done in cooperation with the client organisation.
The four entities of the model are discussed in:
- Organisation’s data
- Human assets (employees, subcontractors etc)
Business processes supporting:
- Third-party integration
Threat community identification:
- Internal – employees, insiders, contractors, etc
- External – competitors, organised crime, hacktivists, nation states, etc
Threat capability analysis:
- Tools available
- Threat motivation
This is the process of finding weaknesses in the target systems and processes, which would allow an attacker to compromise the security controls to an asset. The scope of the pentest will define the breadth and depth of vulnerability assessment. Some assignments will require an analysis of a single system, evaluating mitigation against a fixed set of vulnerabilities, while other assignments will require a broad assessment and an expectation to uncover all relevant vulnerabilities.
PTES considers two types of vulnerability testing: active assessment using vulnerability scanners, and passive assessment through traffic monitoring and metadata analysis. These initial results are followed by validation (correlation, manual testing and attack tree creation) and research (evaluating the exploitability of identified vulnerabilities).
This section begins with ‘identifying the least path of resistance into the organisation without detection and having the most impact on the organisation’s ability to generate revenue’ (PTES 2012). At the end of this phase, the pentesting team should identify a set of attack vectors which allow bypassing security controls and compromising the organisation’s assets.
The main points discussed here include:
- Awareness of countermeasures
- Evading detection
- Customised exploitation
- Zero-day exploits
This section aims to:
Help the tester identify and document sensitive data, identify configuration settings, communication channels, and relationships with other network devices that can be used to gain further access to the network, and setup one or more methods of accessing the machine at a later time.
An important part of this section is the discussion on the rules of engagement which covers the issues of protecting the client as well as protecting yourself.
The main steps covered here include:
- Infrastructure analysis
- Pillaging/data exfiltration
- High-value targets
- Further penetration into infrastructure
Reporting is the final phase of the penetration test. In this section, the PTES standard provides a high-level discussion on the required items of the report as well as the issues that they need to address. It suggests that a standard pentesting report consists of two parts:
- An executive summary describing the specific goals of the penetration test and its main finding. Written as an overview and aimed at the organisation’s management, it should focus on business impact and describe the overall security posture, risk profile, and a summary of recommendations.
- The technical report which describes in sufficient technical detail the scope, information, attack path, impact and remediation suggestions of the test. It is aimed at the organisation’s technical staff.
Here we have given you an overview of the main point in the PTES guidelines. The actual document contains some very good discussions throughout and we highly recommend that you invest the time to read it.
Get familiar with the main points of the PTES methodology by following the link in the references section.
You need to be aware of the main steps of the methodology and the flow of the project. You don’t need to know the technical details and tools.
You should spend a little longer looking at this methodology than you did the others, as it will be useful for the task later this week.
PTES (2012) Penetration Testing Execution Standard [online] Available from http://www.pentest-standard.org [11 April 2019]
© Coventry University. CC BY-NC 4.0