Penetration Testing Execution Standard (PTES)

The Penetration Testing Execution Standard (PTES) is the most recent (and arguably the most complete overall) penetration testing methodology to date.

It was developed by a team of information security practitioners with the aim of addressing the need for a complete and up-to-date standard in penetration testing. In addition to guiding security professionals, it also attempts to inform businesses with what they should expect from a penetration test and guide them in scoping and negotiating successful projects. It covers ‘what’ and ‘when’, but goes much deeper into the ‘how’.

The PTES is made of two main parts which complement each other. The Pentest guidelines describe the main sections and steps of a penetration test, while the Technical guidelines discuss the specific tools and techniques to be used in each step.

PTES describes the penetration test in seven main sections:

Pre-Engagement Interactions

This section outlines the main issues to be discussed and covered in the initial stage of the test before any actual tests begin. It provides advice for both the penetration testers and their clients, in order to ensure that there is a common understanding and agreement on all major points of the assignment.

The main items discussed in this section include:

• Scope definition
• Time and budget estimation
• Dealing with third parties
• Communication channels
• Incident handling
• Rules of engagement – times and locations, evidence handling, permission to test and legal considerations

Intelligence Gathering

This is the first stage of actual engagement. PTES discusses this activity at three possible levels:

• Level 1: Compliance driven – based mainly on automated tools
• Level 2: Best practice – includes automated and some manual analysis
• Level 3: State-sponsored – full scope, automated, and detailed manual analysis

The main steps of reconnaissance are defined as:

• Target selection
• Open Source Intelligence (OSINT)
• Covert gathering
• Footprinting
• Identification of protection mechanisms

Threat Modelling

This section follows the traditional ‘assets and attackers’ approach. It defines the assets as business assets and business processes, and the attackers as threat communities and their capabilities/motivation.

Effective threat modelling allows the pentesters to simulate more realistic attacks on the assets and should be done in cooperation with the client organisation.

The four entities of the model are discussed in:

• Business assets:
  • Organisation’s data
  • Human assets (employees, subcontractors etc)
• Business processes supporting:
  • Infrastructure
  • Information
  • Employees
  • Third-party integration
• Threat community identification:
  • Internal – employees, insiders, contractors, etc
  • External – competitors, organised crime, hacktivists, nation states, etc
• Threat capability analysis:
  • Tools available
  • Skillsets
  • Threat motivation

Vulnerability Analysis

This is the process of finding weaknesses in the target systems and processes, which would allow an attacker to compromise the security controls to an asset. The scope of the pentest will define the breadth and depth of vulnerability assessment. Some assignments will require an analysis of a single system, evaluating mitigation against a fixed set of vulnerabilities, while other assignments will require a broad assessment and an expectation to uncover all relevant vulnerabilities.

PTES considers two types of vulnerability testing: active assessment using vulnerability scanners, and passive assessment through traffic monitoring and metadata analysis. These initial results are followed by validation (correlation, manual testing and attack tree creation) and research (evaluating the exploitability of identified vulnerabilities).

Exploitation

This section begins with ‘identifying the least path of resistance into the organisation without detection and having the most impact on the organisation’s ability to generate revenue’ (PTES 2012). At the end of this phase, the pentesting team should identify a set of attack vectors which allow bypassing security controls and compromising the organisation’s assets.

The main points discussed here include:

• Awareness of countermeasures
• Evading detection
• Customised exploitation
• Zero-day exploits

Post-Exploitation

This section aims to:

Help the tester identify and document sensitive data, identify configuration settings, communication channels, and relationships with other network devices that can be used to gain further access to the network, and setup one or more methods of accessing the machine at a later time.

(PTES 2012)

• Infrastructure analysis
• Pillaging/data exfiltration
• High-value targets
• Persistence
• Further penetration into infrastructure
• Cleanup

Reporting

• An executive summary describing the specific goals of the penetration test and its main finding. Written as an overview and aimed at the organisation’s management, it should focus on business impact and describe the overall security posture, risk profile, and a summary of recommendations.
• The technical report which describes in sufficient technical detail the scope, information, attack path, impact and remediation suggestions of the test. It is aimed at the organisation’s technical staff.

Your task

Get familiar with the main points of the PTES methodology by following the link in the references section.

You need to be aware of the main steps of the methodology and the flow of the project. You don’t need to know the technical details and tools.

Reference

_{PTES (2012) Penetration Testing Execution Standard [online] Available from http://www.pentest-standard.org [11 April 2019]}