Penetration Testing Stages
Penetration testing at RedTeam Security can be broken down into six stages.
1. Information Gathering
During this stage, we perform reconnaissance on our target and gather as much information as possible to help us understand what we’re up against. This may include active information gathering (where the tester has direct contact with the target) or passive information gathering (where the tester collects information undetected by the target).
2. Threat Modeling
We identify and categorize assets, threats, and threat communities as they are relevant to the organization being tested. What are the primary and secondary assets? What or who are the most prominent threats or threat communities? How do these threat communities map to the various assets?
3. Vulnerability Analysis
Using the information gathered thus far, we eliminate non-vulnerable assets and identify exploitable vulnerabilities through testing, validation, and research. We use a combination of commercially available and internally developed tools during the vulnerability analysis phase.
4. Exploitation
Exploitation is often viewed as the most “exciting” phase of penetration testing. During the exploitation phase, we use the groundwork we’ve laid up until this point to successfully abuse, misuse and exploit vulnerable systems, networks, devices, physical controls and/or humans, carefully documenting the vulnerabilities we uncover along the way.
5. Post-Exploitation
Our work isn’t over yet. After successfully exploiting our target’s assets, we must determine the value of the compromise, considering data or network sensitivity.
6. Reporting
This is the phase where we convey what we’ve learned in educational, actionable terms. We thoroughly outline and present our findings with suggestions for prioritizing fixes, walking through the results with you hand-in-hand.