Penetration testing is more than a bunch of ex-hackers in hoodies attempting to break into an organization that hired them. It is a carefully planned and organized engagement that probes and tests a defined piece of an organization's IT infrastructure for potential flaws. Without good intelligence to work from, testers cannot efficiently conduct their attacks, leaving potentially unidentified gaps in an organization’s defense.
One of the most important parts of a penetration test is gathering as much relevant intelligence as possible. Since pen testers only have a finite amount of time to spend on an engagement, it’s critical that they know what they are looking for and the most efficient ways to find it. This blog explores the different types of information testers need and why it is crucial.
Uncovering The Truth
Intelligence gathering occurs during the discovery stage of a penetration test. During this phase, reconnaissance is performed to gather as much information as possible on the target without actually exploiting it. Intelligence gathering for a penetration test is not only about finding vulnerable targets. It is also about discovering information about the infrastructure that may be of use. There may be more to the pre-defined engagement scope than first appears, such as additional endpoints, shared data stores, or other uncategorized assets. Essentially, it is the process of obtaining any information that can be used during the engagement to gain access or achieve other objectives. The type of information needed will depend on the scope of the engagement.
While there are different techniques for intelligence gathering, they all fall into one of two categories: passive and active reconnaissance. Passive reconnaissance means gaining information without engaging with the target. Typically, this involves gathering all available public information, which can be anything from names of employees on sites like LinkedIn to IP addresses. Passive reconnaissance is ideal for getting context about a target. Active reconnaissance requires interacting with the target in some way and is more about gaining knowledge of specific weaknesses that may exist. One of the best and most often used means of active intelligence gathering is conducting a vulnerability scan.
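Because active reconnaissance has to touch the target, it leaves traces the target can observe, which is what separates it from passive collection. The following is an added example, not code from the original post: a small detector that reads firewall-style log lines and flags a source that touches many distinct ports on one host within a short window, the footprint of a port sweep. The log format, the addresses and the thresholds are all constructed for the example.

```python
# Added example (not from the original post): detect the footprint of active
# reconnaissance (a port sweep) in firewall-style logs. Log format, addresses
# and thresholds are constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
LOG_LINES = """\
2024-05-01T10:00:01 203.0.113.7 -> 198.51.100.10:22 DROP
2024-05-01T10:00:01 203.0.113.7 -> 198.51.100.10:23 DROP
2024-05-01T10:00:02 203.0.113.7 -> 198.51.100.10:80 ACCEPT
2024-05-01T10:00:02 203.0.113.7 -> 198.51.100.10:443 ACCEPT
2024-05-01T10:00:03 203.0.113.7 -> 198.51.100.10:8080 DROP
2024-05-01T10:00:03 203.0.113.7 -> 198.51.100.10:3306 DROP
2024-05-01T10:00:04 203.0.113.7 -> 198.51.100.10:5432 DROP
2024-05-01T10:00:04 203.0.113.7 -> 198.51.100.10:8443 DROP
2024-05-01T10:00:05 203.0.113.7 -> 198.51.100.10:9200 DROP
2024-05-01T10:00:05 203.0.113.7 -> 198.51.100.10:6379 DROP
2024-05-01T10:01:00 192.0.2.44 -> 198.51.100.10:443 ACCEPT
2024-05-01T10:02:00 192.0.2.44 -> 198.51.100.10:443 ACCEPT
""".splitlines()


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst_ip, dst_port, action)."""
    ts, src, _, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), action


def detect_port_sweeps(lines, window=timedelta(seconds=10), min_ports=8):
    """Return {(src, dst_ip): distinct_port_count} for every source that hit at
    least min_ports distinct ports on one host within any window-sized span."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst_ip, port, _ = parse_line(line)
        events[(src, dst_ip)].append((ts, port))

    alerts = {}
    for pair, hits in events.items():
        hits.sort()
        start = 0
        # Sliding window over the time-sorted hits, counting distinct ports.
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({port for _, port in hits[start:end + 1]})
            if distinct >= min_ports:
                alerts[pair] = max(alerts.get(pair, 0), distinct)
    return alerts


if __name__ == "__main__":
    for (src, dst), count in detect_port_sweeps(LOG_LINES).items():
        print(f"possible sweep: {src} touched {count} ports on {dst}")
```

The thresholds (8 ports in 10 seconds) are deliberately simple; a real deployment would tune them per network segment and add the slower, spread-out scans that this single window does not catch.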
Why Start With Vulnerability Scans?
Because they can serve as a straightforward attack vector, one of the most common pieces of information that testers look to identify is known vulnerabilities. By using a vulnerability scanner, testers probe networks and endpoints for known vulnerabilities. If a vulnerability management solution is used, threat intelligence can be imported and added to the reporting to provide information on the severity of these known vulnerabilities and how attackers can exploit them. With this information, testers can rapidly identify potential targets.
It is worth noting that identified vulnerabilities are only potential targets. Compensating controls may be in place, making it impossible for attackers to exploit the vulnerability. Testers will be able to confirm this information as part of their attack phase, validating how effective the controls are.
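One way to put the two preceding points together, as an added example that is not code from the original post: scanner findings are ranked by combining their base severity with imported threat intelligence, while a documented compensating control lowers the priority but never removes the finding, because the control still has to be validated in the attack phase. The hosts, the CVE-style identifiers and the intelligence feed are constructed placeholders, not real data.

```python
# Added example (not from the original post): rank vulnerability-scan findings
# by base severity plus imported threat intelligence, keeping every finding as
# a *potential* target until the attack phase validates it. Hosts, identifiers
# and the feed are constructed placeholders.
from dataclasses import dataclass, field


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float
    compensating_controls: list = field(default_factory=list)


# Constructed scanner output.
SCAN_FINDINGS = [
    Finding("app-01.example.internal", "CVE-0000-00001", 9.8),
    Finding("app-02.example.internal", "CVE-0000-00001", 9.8,
            compensating_controls=["WAF rule blocks the known exploit pattern"]),
    Finding("db-01.example.internal", "CVE-0000-00002", 7.5),
    Finding("web-01.example.internal", "CVE-0000-00003", 5.3),
]

# Constructed threat-intelligence feed keyed by placeholder identifier.
THREAT_INTEL = {
    "CVE-0000-00001": {"exploited_in_wild": True, "public_exploit": True},
    "CVE-0000-00003": {"exploited_in_wild": False, "public_exploit": True},
}


def priority_score(finding: Finding) -> float:
    """CVSS as the base, boosted by threat intel, halved (never zeroed) when a
    compensating control is documented, since its effectiveness is unproven."""
    score = finding.cvss
    intel = THREAT_INTEL.get(finding.cve, {})
    if intel.get("exploited_in_wild"):
        score += 3.0
    if intel.get("public_exploit"):
        score += 1.0
    if finding.compensating_controls:
        score *= 0.5
    return round(score, 1)


def rank_findings(findings):
    """Return (host, cve, score, status) tuples, highest priority first."""
    ranked = []
    for f in findings:
        status = ("potential - validate control" if f.compensating_controls
                  else "potential - confirm in attack phase")
        ranked.append((f.host, f.cve, priority_score(f), status))
    ranked.sort(key=lambda row: row[2], reverse=True)
    return ranked


if __name__ == "__main__":
    for host, cve, score, status in rank_findings(SCAN_FINDINGS):
        print(f"{score:5.1f}  {host:28} {cve:15} {status}")
```

The status column is the important part: the ranking tells the tester where to start, but nothing in it is a confirmed target until the attack phase proves whether the control holds.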
Ports and Processes
Penetration tests are also designed to aid in the thorough understanding of potential targets. Software running on an endpoint might scan clean for known vulnerabilities, but it may open ports or run processes that have a vulnerability identified at some point in the future.
The Log4J logging library for Java is a recent example of just how much damage can ultimately result from the exploitation of a single weakness. It was an industry-standard product assumed to be safe as it only exported logs, so it was widely utilized on servers worldwide. In December of 2022, researchers discovered that a remote code execution (RCE) vulnerability allowed attackers to hijack endpoints. Fortunately, organizations with an inventory of where it was running on their systems were able to remediate it rapidly after the exposure became public knowledge.
Finding Shadow IT
Asset inventories also provide invaluable intelligence for testers. As organizations race to keep pace with the speed of business, they might ignore their IT team’s policies and incorporate temporary fixes or testing software to accomplish tasks in less than optimal conditions in the name of productivity. Though their intentions may have been to remove it when it was no longer necessary, that can often be delayed or even forgotten.
This lurking, unsanctioned software is known as Shadow IT. When testers identify Shadow IT assets like these, they become essential potential targets to investigate. Often the implementation of Shadow IT does not follow standard security configuration practices. It can also house sensitive data that was never intended to persist long term. Identifying these assets as part of the intelligence gathering process ensures they are included in testing, so they are listed as a potential finding for later remediation.
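The "Ports and Processes" and "Finding Shadow IT" sections both come down to the same artifact: an inventory of what is actually listening where. The following is an added example, not code from the original post, of a minimal inventory built from discovery results and used two ways: to answer "where is this component running?" on the day a library vulnerability is disclosed, and to flag anything the sanctioned inventory (CMDB) does not know about. All hosts, services and CMDB entries are constructed; the component names only illustrate the lookup.

```python
# Added example (not from the original post): a minimal asset inventory from
# discovery results, queried for a vulnerable component and diffed against a
# sanctioned CMDB to surface Shadow IT. All records are constructed.
from collections import defaultdict

# Constructed discovery results: (host, listening port, process, component).
DISCOVERED = [
    ("app-01.example.internal", 8080, "java", "log4j-core 2.14"),
    ("app-02.example.internal", 8443, "java", "log4j-core 2.17"),
    ("web-01.example.internal", 443, "nginx", "nginx 1.24"),
    ("dev-box-7.example.internal", 3000, "node", "express 4.18"),
    ("dev-box-7.example.internal", 5432, "postgres", "postgresql 15"),
    ("web-01.example.internal", 8081, "python", "http.server"),
]

# Constructed CMDB: sanctioned hosts and the listening ports approved on each.
CMDB = {
    "app-01.example.internal": {8080},
    "app-02.example.internal": {8443},
    "web-01.example.internal": {443},
}


def build_inventory(records):
    """Group discovery records per host: {host: [(port, process, component), ...]}."""
    inventory = defaultdict(list)
    for host, port, process, component in records:
        inventory[host].append((port, process, component))
    return dict(inventory)


def hosts_running(inventory, component_name):
    """Hosts with a component whose name contains component_name (case-insensitive):
    the lookup an organization needs the day a library vulnerability goes public."""
    needle = component_name.lower()
    return sorted(host for host, services in inventory.items()
                  if any(needle in comp.lower() for _, _, comp in services))


def find_shadow_it(inventory, cmdb):
    """Return (host, port, process) for everything the CMDB does not sanction:
    hosts it has never heard of, or unapproved listeners on hosts it knows."""
    unsanctioned = []
    for host, services in inventory.items():
        approved_ports = cmdb.get(host)
        for port, process, _ in services:
            if approved_ports is None or port not in approved_ports:
                unsanctioned.append((host, port, process))
    return sorted(unsanctioned)


if __name__ == "__main__":
    inv = build_inventory(DISCOVERED)
    print("log4j hosts:", hosts_running(inv, "log4j"))
    for host, port, process in find_shadow_it(inv, CMDB):
        print(f"shadow IT: {host}:{port} ({process})")
```

The diff is only as good as the CMDB it is compared against, which is exactly why the discovery phase refreshes the inventory rather than trusting the documented one.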
Secrets in the Shadows
Not all unknown assets are running endpoints. Sometimes lucrative information resides inside known locations. Running code may contain hard-coded API keys allowing testers to access protected cloud resources. Poorly locked down file shares or insecure S3 buckets may contain sensitive information that requires minimal effort to access. This untracked information will allow testers to attack the IT infrastructure more efficiently and effectively. It will also serve as easy findings that teams can remediate before outside attackers get a chance to utilize it.
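Hard-coded keys are the easiest of these findings to remediate before an engagement if someone looks first. The following is an added example, not code from the original post: a small secret detector of the kind a defender runs over repositories and configuration files, combining fixed-format patterns with a Shannon-entropy check so that obvious placeholders are not reported. The sample file content and every credential-looking string in it are constructed; the "AKIA" prefix plus 16 upper-case alphanumerics is the documented AWS access key ID shape, the other patterns are generic.

```python
# Added example (not from the original post): detect hard-coded secrets in
# text such as source or config files. Sample content is constructed.
import math
import re

# Fixed-format patterns: the AWS access key ID shape is documented; the private
# key header and the assignment shape are generic, not vendor-specific.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assignment_secret": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; random tokens sit well above this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def scan_text(text: str, path: str = "<input>"):
    """Return (path, line_no, rule, redacted_value) for each suspected secret."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                # Assignment-shaped values must also look random, so a
                # placeholder such as "changeme_changeme" is not reported.
                if rule == "assignment_secret" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
                # Never write the full value into a report; redact it.
                hits.append((path, line_no, rule, value[:4] + "..." + value[-2:]))
    return hits


# Constructed sample file, standing in for a settings file committed to a repo.
SAMPLE_CONFIG = """\
DEBUG = False
AWS_ACCESS_KEY_ID = "AKIAEXAMPLE012345678"
api_key = "q7Zp3mX9vL2kR8wN4tB6yH1c"
password = "changeme_changeme"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for path, line_no, rule, redacted in scan_text(SAMPLE_CONFIG, "settings.py"):
        print(f"{path}:{line_no} {rule} {redacted}")
```

Redacting in the report matters as much as the detection: a finding that copies the full key into a ticket has just created a second place the secret lives.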
Starting the Hunt
Identifying organizational intelligence is only part of the penetration testing journey. When starting this process, it is easy to become overwhelmed with whether this process should be done in-house or by external testers. Download our latest e-book, When to Use Penetration Testing Software, Services, or Both, to learn the best practices for selecting what testers to use and how organizations can utilize them most effectively.