Which Penetration Testing Approach for Maximum Return


Posted by Peter Bassill on 30/07/2021


The current cybersecurity trend is to strengthen security within the supply chain. Of course, this does not mean that the requirements of customers, partners and investors are being neglected.
In the first half of 2021, we assisted more than 100 companies in developing their responses to client and prospective client security questionnaires. Every one of those questionnaires asked how many times you undergo penetration testing per year. In 2020, the question was, "do you undergo penetration testing".
Since we first started in 2009, we have seen the development and mass commercialisation of pentesting. Companies now look for the lowest price as opposed to the best return on investment, but cost should not be the driving focus in selecting your testing partner. The penetration testing approach has changed, and the leading testing firms are the ones driving the change for a better return for the client.
This blog will explain how businesses can approach penetration testing in a more structured manner and enable a higher return on investment.
Modifying the Pentest Approach to Maximise Your Return
It is no secret that we changed our approach to pentesting for small businesses. We offer several predefined packages, such as a prebuilt Web Application pentest or an external infrastructure pentest. Prebuilt testing packages make engaging with a penetration testing company very easy. You know what you are getting and how much it is going to cost. But what factors should businesses consider in their purchasing approach to penetration testing?
Making Sure You Meet the GDPR
The introduction of the General Data Protection Regulation (GDPR) throughout Europe made companies aware of data security issues in business sectors where risk awareness was previously low. With the departure of the UK from the EU, the GDPR is still very much in place, and the UK's Data Protection Act (DPA) has continued to be aligned with it.
Article 32 of the GDPR requires businesses and organisations to implement technical measures to ensure information security. It highlights the need for "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing".
GDPR therefore requires regular security testing, and this should be reflected in a business's pentesting requirements.
Leveraging Security for Marketing Advantages
Security certifications such as ISO 27001 and IASME Gold are increasingly popular among small and medium-sized companies. Security certifications are a great way of differentiating businesses and making security a quality issue and a marketing advantage. With the increased volume of security questionnaires included within RFPs, having a structured cybersecurity marketing story makes a real difference.
Multiple Test Cycles per Year
We already know that many tenders and RFPs ask how regularly penetration testing is performed within the year, but how is that best approached?
Having a structured test plan for the calendar year is vital. We have seen clients instruct us to perform penetration testing at six-monthly intervals and some at quarterly intervals. Keeping tests on a regular calendar cycle aids scheduling and ensures a test doesn't get missed.
Specifying the testing resource is critical. You don't want the pentesting firm to use the same pentester on the second job. Ideally, you want to select a pentesting firm that operates two or more discrete teams.
With penetration testing at Hedgehog, we will provide you with the details of our qualified testers who have the relevant skills to perform your penetration test. You can then select the testers you would like to use. We also apply a 25% discount on the second test cycle when the test is within six months of the first test.

We would be remiss if we did not talk about retesting. While many firms will provide a pentest on a point-in-time basis, there is real value in seeing the identified issues, vulnerabilities and opportunities for improvement being retested and the fixes proven. Every pentest performed by Hedgehog includes one round of retesting for every vulnerability, issue and improvement opportunity within the report.
Know the Penetration Test Methodology
Knowing the high-level details of your chosen pentesting firm's methodology will help you understand their testing process. A typical penetration test methodology has four phases, forming a cyclic process: Recon, Mapping, Discovery, Exploitation.
Again, the Hedgehog approach is a little different. Rather than the average four-phase testing methodology, we have seven phases, plus an additional annual service phase.
Pre-Engagement
Pre-Engagement is one of the most critical steps in ensuring success in your penetration test. Pre-Engagement is where we work together to define the scope and the goal of the test rigorously. We do this through a scoping call, and you can book these at a time and date convenient to you.
During the scoping call for your penetration test, we are looking to identify what needs testing. We seek to discover how complex it is and how much time we will need to complete the penetration test to the best of our capability. We will also look to identify the goal of the penetration test. The goal could be as simple as "identify all the exploitable vulnerabilities". It could be a lot more complex, such as "pivot through an exploited host and attack the internal network to gain access to client data."
Having a well-defined scope is the key to the success of your penetration test. It is why we can never answer the question of "how much is a penetration test" until we have had a call to discuss your penetration testing scope.
Intelligence Gathering
The second step in a penetration test is Intelligence Gathering, and it is a two-part process. The first part is done in the background, usually a week before your test start date. Automated scripts perform the vast majority of the intelligence-gathering phase. Essentially, we are looking to gather as much information about your business and your penetration test scope as we can from available public sources.
In the second part of the intelligence-gathering phase, we review the output from the first part and any documents or information you have provided. Typically this is done the day before your penetration test starts. We will scour the internet, and to an extent the dark web, to identify any further information or data that could benefit your test. The typical documentation we are looking for includes, amongst other things, system architecture, data flows, infrastructure, concepts, password hashes, names and identities.
What is the purpose of this? Well, imagine if we were to find internal company information in a forgotten bit-bucket somewhere. We could use this in the penetration test to help gain access to systems. Equally, it will help identify any potential client information left exposed. It all goes towards completing the most comprehensive penetration test available to you and ensuring a positive return on your investment.
Reconnaissance
The reconnaissance phase of every penetration test builds on the Intelligence Gathering stage through an active, in-depth technical review of the scoped environment. We will delve into each of the systems/applications in scope to identify the component structure and map all of the interaction points.
This part of penetration testing is vitally important to the success of the test. We will identify every point of interaction that a user can have with a system, application or target. We will identify the technologies used and whether we can identify some easy wins. We do this through port scanning, passive information analysis, mapping and analysis. This phase aims for our penetration testers to understand the scoped environment to its full extent.
Vulnerability Analysis
Vulnerability Analysis is the most time-consuming aspect of every penetration test. Vulnerability Analysis starts with a series of reviews of the scoped environment using various vulnerability scanning tools. We typically use several scanners and devices to aid in the rapid analysis of vulnerabilities. Our primary tool for vulnerability analysis is Secure, our in-house developed vulnerability scanner. Secure uses many internally developed processes as well as commercial scanners, including Nessus, OpenVAS and NeXpose.
The output from the vulnerability analysis phase is the identification of known vulnerabilities. Every one of these vulnerabilities is then manually reviewed and validated. Once the automated scans are complete and the vulnerabilities confirmed, the tester then moves on to manually find unknown vulnerabilities. With Web Application testing, manual vulnerability discovery, identification and analysis take up the bulk of the testing time. Unknown vulnerabilities are commonly known as zero-days, and these can exist in many different areas of the scope.
Exploitation
The exploitation phase of the penetration test is where we take all the vulnerabilities we have identified and test them. We do this to confirm that the vulnerability exists and to remove false positives. All exploitation occurs in a safe and controlled manner. For example:

A Web Application penetration test might lead us to bypass authentication controls or use other users' accounts. We may access information that has session management protection on top of authentication and authorisation controls.
In an Infrastructure pentest, this might result in the tester being able to sniff passwords on the network or gain access to a server. The goal of exploitation is to work incrementally towards achieving the objectives of the test.

Once an exploit is successful, the entire pentest process restarts at Intelligence Gathering within the context of the exploited system or application. Exploitation testing can be highly time-consuming. We employ a very controlled manner of testing for post-exploitation work.
Post Exploitation
During the post-exploitation aspect of the penetration test, your pen tester will be analysing all of the gathered data and the results of individual tests. The analysis includes categorising the detected vulnerabilities and prioritising them per the business and technical context. During this step, the tester will loop back and test or retest specific areas to ensure complete scope coverage.
Summarisation / Reporting
The very last stage of the penetration test is the summarisation of the testing and the drawing of a conclusion.
At the end of every engagement is a test report. The report details what was done, what was found, and what should be fixed. For example, these may be:

Inadequate or improper configuration settings
Known or previously unknown software or hardware flaws
Operational gaps within business processes or technical controls.
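The Vulnerability Analysis, Exploitation and Post Exploitation phases above describe one workflow: merge the output of several scanners, manually validate every finding to strip false positives, then prioritise what remains by technical severity and business context for the report. The following is an added illustration of that workflow in Python; it is not Hedgehog's Secure scanner or any other tooling from the post. The scanner records, CVE ids and hosts are constructed sample data, and the asset-weight scheme is an assumed, simplified way of expressing business context.

```python
"""Merge, validate and prioritise scanner findings for a pentest report.

Added example, not tooling from the original post. The scanner output is
constructed; the CVE ids are placeholders, not real advisories.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample output from three scanners. Real Nessus, OpenVAS and
# Nexpose exports carry far more fields; only those needed to deduplicate
# and rank a finding are kept here.
RAW_FINDINGS = [
    {"scanner": "nessus", "host": "10.0.0.5", "port": 443, "cve": "CVE-0000-0001",
     "title": "TLS server supports deprecated protocol", "severity": "medium"},
    {"scanner": "openvas", "host": "10.0.0.5", "port": 443, "cve": "CVE-0000-0001",
     "title": "Deprecated TLS version enabled", "severity": "low"},
    {"scanner": "nexpose", "host": "10.0.0.5", "port": 22, "cve": None,
     "title": "SSH weak MAC algorithms", "severity": "low"},
    {"scanner": "nessus", "host": "10.0.0.9", "port": 80, "cve": "CVE-0000-0002",
     "title": "Outdated web server version", "severity": "high"},
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass
class Finding:
    host: str
    port: int
    key: str                      # CVE id, or normalised title when no CVE is given
    title: str
    severity: str                 # highest severity reported by any scanner
    sources: set = field(default_factory=set)
    status: str = "unvalidated"   # unvalidated | confirmed | false_positive
    asset_weight: int = 1         # assumed business-context multiplier set by the tester


def finding_key(raw):
    """Same issue reported by two scanners under different titles collapses to one key."""
    return raw["cve"] or raw["title"].lower()


def merge_findings(raw_findings):
    """Deduplicate per (host, port, key); keep the highest severity and every source."""
    merged = {}
    for raw in raw_findings:
        ident = (raw["host"], raw["port"], finding_key(raw))
        f = merged.get(ident)
        if f is None:
            f = Finding(raw["host"], raw["port"], ident[2], raw["title"], raw["severity"])
            merged[ident] = f
        if SEVERITY_RANK[raw["severity"]] > SEVERITY_RANK[f.severity]:
            f.severity = raw["severity"]
        f.sources.add(raw["scanner"])
    return list(merged.values())


def record_validation(findings, host, port, key, confirmed, asset_weight=1):
    """Outcome of the tester's manual check: confirmed, or dismissed as a false positive."""
    for f in findings:
        if (f.host, f.port, f.key) == (host, port, key):
            f.status = "confirmed" if confirmed else "false_positive"
            f.asset_weight = asset_weight
            return f
    raise KeyError(f"no finding for {host}:{port} {key}")


def priority(f):
    """Technical severity scaled by the business importance of the asset."""
    return SEVERITY_RANK[f.severity] * f.asset_weight


def report_queue(findings):
    """Only confirmed findings reach the report, highest priority first."""
    confirmed = [f for f in findings if f.status == "confirmed"]
    return sorted(confirmed, key=priority, reverse=True)


def summary(findings):
    """Status counts, useful for showing how much scanner output was noise."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.status] += 1
    return dict(counts)


if __name__ == "__main__":
    fs = merge_findings(RAW_FINDINGS)
    record_validation(fs, "10.0.0.5", 443, "CVE-0000-0001", True, asset_weight=3)
    record_validation(fs, "10.0.0.9", 80, "CVE-0000-0002", True)
    record_validation(fs, "10.0.0.5", 22, "ssh weak mac algorithms", False)
    for f in report_queue(fs):
        print(priority(f), f.host, f.port, f.severity, f.title, sorted(f.sources))
    print(summary(fs))
```

The point worth noticing is that the ranking is not simply the scanner's severity: a medium-rated issue on a weighted asset outranks a high-rated issue on an unimportant one, which is the "business and technical context" the post refers to, and nothing reaches the report until a tester has confirmed it.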

Annual Service Phase
The annual service phase provides you with a regular monthly vulnerability assessment, led by one of our qualified Penetration Testers, on your penetration test scope. Eleven scans are performed, with the first one a month after your penetration test is completed and then one every month for the following 10 months. This means that your scope is checked every month up until your next penetration test.
Complementary Analysis
Following a penetration test, we always recommend conducting further analysis should our testing identify areas suitable for it, for example:

More in-depth penetration tests, or tests on portions of the target not included in the scope of the previous tests; or
White box pentests, to take the security analysis a step further.

Strategy Examples for Penetration Testing
In the following section, we have included some typical prices. These are taken from the average pricing for our clients in 2020.
Start-up Businesses needing High Security
For a start-up business with high-security requirements from its customers and whose product requires a high number of pentest days:

Two penetration tests per year on the internal and external infrastructure and any associated web applications, with a different functional scope from one session to the other;
One social engineering pentest every year;
Cyber Essentials and Cyber Essentials Plus certification;
Monthly vulnerability scanning and reporting; and
Access to online cybersecurity awareness training.

The typical price for a high-security start-up business is around £11,000.00.
FinTech & Financial Services
For a FinTech or Financial Services business, or any that is PCI-DSS certified, with high-security requirements:

One pentest per quarter, with a different functional scope from one session to the other;
Cyber Essentials and Cyber Essentials Plus certification;
Monthly vulnerability scanning and reporting; and
Access to online cybersecurity awareness training.

The typical price for a FinTech or Financial Services business is around £24,000.00.
Insurance Brokers
Insurance Brokers will typically have high-security requirements driven by GDPR and DPA:

Two penetration tests per year on the internal and external infrastructure and any associated web applications, with a different functional scope from one session to the other;
One social engineering pentest every year;
Cyber Essentials and Cyber Essentials Plus certification;
Monthly vulnerability scanning and reporting; and
Access to online cybersecurity awareness training.

The typical price for an insurance broker is around £11,000.00.
Small Business
For an SME wishing to prevent the main security risks:

One pentest of its information system (external and internal) every year;
Cyber Essentials and Cyber Essentials Plus certification;
Monthly vulnerability scanning and reporting; and
Access to online cybersecurity awareness training.

The typical price for a small business is around £4,000.00.
Recruitment Agencies
Recruiters have high-security requirements driven by GDPR and DPA. Still, their tests are often very short in duration because of the size of the IT environment:

Two penetration tests per year on the internal and external infrastructure and any associated web applications, with a different functional scope from one session to the other;
One social engineering pentest every year;
Cyber Essentials and Cyber Essentials Plus certification;
Monthly vulnerability scanning and reporting; and
Access to online cybersecurity awareness training.

The typical price for a recruitment agency is around £6,500.00.

How Hedgehog Security Can Help
Our penetration testing team are always on hand to help. If you need a check to see whether you are currently vulnerable, or you simply need a bit of guidance on what to do to fix an issue, you can get in touch using the form below, the online chat function, or just give us a call.