
What is an internal pen test and how is it carried out?

Lars Greiwe

This time in our series on the different types of penetration test, we're covering internal pen tests, otherwise known as 'internal infrastructure' or 'internal network' penetration tests. From our post on external penetration testing you should already have some idea of what penetration testing is in general and what it looks like on the outside of your business; this post explains why you might also want to take a look on the inside.

What is an internal network penetration test?

Commonly referred to as an 'internal pen test', the internal infrastructure penetration test focuses on testing attacks which could be carried out by an adversary who has already gained a foothold within your network and is looking to 'elevate' themselves to gain further control and cause more damage. It also deals with security holes that could be taken advantage of by a malicious insider — perhaps a disgruntled employee that wishes to cause damage to areas of the business outside of their usual access level.

This type of pen test typically involves tapping into your network on site, so the tester(s) will need to be given access to your office similar to that of an employee. Alternatively, they could start in your cloud infrastructure, depending on the scope of testing and the scenario to be explored. Testers will then attempt to gain access to sensitive information sources or privileged user accounts which should be off-limits to them, finding ways to subvert any access controls you may have in place.

How is internal pen testing carried out?

The process normally starts with a 'discovery phase' where the tester uses network mapping tools to discover the inner workings and layout of your network. Testers will effectively build up a map of your internal network, and the computers and services available on it, and will use this map to guide their efforts to find holes in your security, and to breach areas they shouldn’t be able to access.

After the discovery phase comes the 'identification phase'. Some examples of the sorts of activity that can take place in this phase are as follows:

  • Brute forcing of user accounts to attempt to gain unauthorized access to machines on the network
  • Subversion of network routers and switches to control and monitor traffic, inject weaknesses, or take control of endpoints by exploiting protocols. For example, the Web Proxy Auto-Discovery (WPAD) protocol, which normally helps computers locate a web proxy to reach the internet, can be abused by local attackers to sniff your web traffic
  • Exploiting known vulnerabilities in software running locally to break into servers, elevate existing access, or prove attackers could run malicious code

The aim of these types of tests is really to find all possible weaknesses in the shortest space of time. An ordinary infrastructure pen test is therefore usually carried out as an audit-style approach, in collaboration with the security team, and can often be very noisy (in terms of security alerts from any monitoring systems you might have). Although this is a good way to discover the majority of the weaknesses you might have, the downside of this approach is that it may not give you the best understanding of how you might fare when targeted by a real attacker.
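Two of the identification-phase activities listed above, password brute forcing and WPAD abuse, are exactly the kind of thing a monitoring system should be alerting on while an audit-style test is running. The following Python script is an added, illustrative example (not code from Intruder or from this post) showing detection logic for both, run over a handful of constructed log lines in a made-up `key=value` format; the thresholds, field names and sample addresses are all assumptions, and a real deployment would parse its own authentication and DNS logs instead.

```python
"""Detection for two 'identification phase' behaviours: password brute forcing
against user accounts, and clients asking DNS for a WPAD proxy configuration.
Example code added for this post; log lines and format are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not a real capture). One source
# fails against five accounts in a few seconds, then succeeds as one of them.
AUTH_LOG = """\
2024-01-15 09:00:01 auth FAIL user=alice src=10.0.5.23
2024-01-15 09:00:02 auth FAIL user=bob src=10.0.5.23
2024-01-15 09:00:03 auth FAIL user=carol src=10.0.5.23
2024-01-15 09:00:04 auth FAIL user=dave src=10.0.5.23
2024-01-15 09:00:05 auth FAIL user=erin src=10.0.5.23
2024-01-15 09:00:06 auth OK user=erin src=10.0.5.23
2024-01-15 09:03:00 auth FAIL user=alice src=10.0.7.9
2024-01-15 09:45:00 auth FAIL user=alice src=10.0.7.9
2024-01-15 09:46:00 auth OK user=alice src=10.0.7.9
""".splitlines()

# Constructed sample DNS query log (not a real capture).
DNS_LOG = """\
2024-01-15 09:01:00 dns query src=10.0.5.23 qname=wpad.corp.example
2024-01-15 09:01:01 dns query src=10.0.5.23 qname=wpad
2024-01-15 09:01:05 dns query src=10.0.7.9 qname=intranet.corp.example
2024-01-15 09:01:30 dns query src=10.0.9.44 qname=wpad.corp.example
""".splitlines()

# Assumed line layout: "<date> <time> <kind> <result> k=v k=v ..."
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<kind>auth|dns) (?P<result>\S+) (?P<kv>.*)$")


def parse(line):
    """Turn one log line into a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "kind": m["kind"],
        "result": m["result"],
        **fields,
    }


def brute_force_sources(lines, threshold=5, window=timedelta(minutes=1)):
    """Sources with at least `threshold` failed logins inside any `window`.

    Returns {src: sorted list of accounts targeted inside flagged windows}.
    Counting per source rather than per account also catches password
    spraying, where each account sees only one failure.
    """
    failures = defaultdict(list)
    for e in (parse(l) for l in lines):
        if e and e["kind"] == "auth" and e["result"] == "FAIL":
            failures[e["src"]].append(e)

    flagged = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        hit, start = set(), 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                hit.update(e["user"] for e in evs[start:end + 1])
        if hit:
            flagged[src] = sorted(hit)
    return flagged


def compromised_after_burst(lines, flagged):
    """Successful logins from a flagged source: the accounts to reset first."""
    return sorted(
        (e["src"], e["user"])
        for e in (parse(l) for l in lines)
        if e and e["kind"] == "auth" and e["result"] == "OK" and e["src"] in flagged
    )


def wpad_lookups(lines):
    """Sources asking DNS for a 'wpad' name, i.e. hosts that will trust
    whatever proxy configuration answers that lookup."""
    return sorted({
        e["src"]
        for e in (parse(l) for l in lines)
        if e and e["kind"] == "dns" and e["qname"].split(".")[0].lower() == "wpad"
    })


if __name__ == "__main__":
    flagged = brute_force_sources(AUTH_LOG)
    print("brute force sources:", flagged)
    print("successful logins after a burst:", compromised_after_burst(AUTH_LOG, flagged))
    print("hosts looking for WPAD:", wpad_lookups(DNS_LOG))
```

On the constructed input, `10.0.5.23` is flagged for five failures against five different accounts within seconds, followed by a successful login as `erin`; `10.0.7.9` is not flagged at the default threshold because its two failures are 42 minutes apart. The WPAD check is a defensive inventory rather than an attack signature: every host on that list is one whose proxy settings depend on who answers the `wpad` lookup, so the mitigation is either to serve a legitimate WPAD entry from your own DNS or to turn proxy auto-detection off on those clients.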

You can also learn more about how penetration tests are scoped and quoted.

Penetration testing vs red teaming

For larger and more security-mature businesses, it’s possible to go one step further and conduct what’s called a 'red team' exercise. Tests conducted by a red team aim to mirror techniques a real attacker would use as accurately as possible, including trying to avoid detection. As such, a red team is more of a test of your operational defences, and is often carried out without the knowledge of staff members, including those working in security teams. Red teaming will usually involve other types of attack such as phishing, and can offer a more comprehensive, realistic (and expensive!) coverage.

Standard internal pen tests typically take anything from a few days to a couple of weeks, whereas a full red team engagement would likely take longer, running for over a month or even two for larger firms. Pricing varies hugely based on the scale of the job and the experience of the professionals carrying out the tests.

Continuous internal penetration tests

Manual penetration testing can be costly and infrequent, and gives you only point-in-time insight into your security posture. It's also impossible for pen testers to manually check for every vulnerability that exists, as there are simply too many.

Although it’s not possible to fully automate an internal pen test, Intruder offers a unique continuous penetration testing service, where our pentesting team look for critical vulnerabilities in your systems on an ongoing basis. Learn more about it here.

Finally

Hopefully this has cleared up some of the questions you may have had regarding internal pen tests. At Intruder, we help you continuously scan your systems, monitor your network, and reduce your attack surface, giving you the protection you need between manual pen tests. Start your 14-day free trial today.
