You know that penetration tests are important to run— and that more and more companies are integrating them into their annual cybersecurity initiatives.
Despite all the value a penetration test may hold, many businesses aren’t using the results to their full potential. It’s not that they’re purposely neglecting improving their security, they just don’t know how to “decode” the pentesting report results.
That’s because many pentesting reports are packed with "techy" words that exec management and other decision-makers don’t understand.
Don’t let your penetration testing report intimidate you. All you need is a glossary to translate the industry lingo into layman’s terms.
Here are some troublesome words that someone without a cybersecurity background may need explained:
When you first open your pentesting report, the first section you’ll see after the initial Overview section is Objective & Scope. While you probably understand that the objective is the “goal” of the pentest itself, scope defines specific details of that engagement to reach the goal(s).
The scope outlines all the things that’ll be tested and what will be excluded from the attack. It’ll detail what networks, applications, databases, accounts, people, physical security controls and other assets the penetration testers can go after.
This Objective & Scope will often even define the type of pentesting engagement it is, such as an external network or application pentest, so you’ll know with certainty where the focus lies.
Your report may define the objective as gaining access to a certain network, and couple it with a scope:
Attempt to obtain access to the (name of) internal network through any offensive cybersecurity measures:
- Social engineering
- Wireless network compromise
- External network
- External web applications
The scope also involves your agreed-upon timeline for the engagement.
After discussing your Scope and leading with a brief summarized overview of what the pentesters uncovered, the report will detail the specifics of how they compromised your system. The report will explain the attack vectors they used to breach you, which is just a fancy way of saying the path they took to gain access to your data.
Within your penetrating report, there will be a written explanation of the way(s) the pentesters successfully breached your system. This means of attack is sometimes illustrated with an image, especially if the pathway had many steps and becomes complex.
In the example below, you can see the hacker used an attack path of “phishing” to access an important Cloud software service the client was using as well as “exploiting a VPN vulnerability” to gain access to their virtual private network.
Learn more about the Attack Phase of penetration testing here.
There’s often more than one attack vector pursued in a pentest— and each vector involves complex pathways to get from the initial breach to the information the pentesters are seeking. Because of this, the pentester will often explain the journey in a detailed narrative, much like telling the story of how they got from Point A to Point B (and then C, D, E, etc.).
The Chronological Attack Narrative shows how the pentesters did their magic, in order of attack. It will often detail pictures or screenshots from the engagement, like the social engineering email the pentester sent out that an employee clicked an infected link in or the folders in a server they were able to see and access.
Privilege Escalation of {insert name} Server
This is just a high-level look at one part of this rather lengthy section of a pentesting report. Every narrative will be unique, often showcasing many specific screenshots and examples of the attack vectors and resulting escalations.
Curious to better understand this section of the pentesting report? Learn more about the Chronological Attack Narrative here.
From reading about your attack vectors and the Chronological Narrative, you’ll notice that there are many steps for breaching a system. It’s not often a matter of doing one thing and gaining full access to the full database.
After breaching a system, a hacker will use a number of techniques to move even deeper into the network to uncover more sensitive information. The attacker will lay low and not make themselves noticed while making lateral movement through the environment to glean more info.
There are three stages to lateral movement— reconnaissance, credential/privilege gathering, and gaining access to other computers in the network— which you could further explore should you be interested:
Pentesters understand certain users have higher permissions than others that grant them access to sensitive data. With this in mind, a pentester’s goal is often to gain access to an elevated permission user directly (called vertical escalation) or to take a lower permissions level user and “escalate” their permissions (horizontal escalation).
With this deeper accessibility, the pentest can laterally move deeper into the network to access higher protected troughs of data.
Once into a high permissions level user’s computer, a pentester may be able to see what services you have running on your device and what users are running those services. From there, they could inject a malicious code into one of your processes. This may allow them to retrieve privileges from the process owner, like the domain administrator, giving them otherwise unauthorized access to private data.
After reading through the attack narrative, your pentesting report will usually segway into a list of your technical vulnerabilities. These are the security holes that the pentesters uncovered— given a name and description.
One technical vulnerability you may see in your pentesting report could be “Insufficient Endpoint Protection.” The report may explain that during their test, they found the following:
The endpoint security solution used (company name) was (antivirus brand).
The antivirus solution did not create any additional complexity, nor was a bypass necessary throughout the project.
The solution did not block any penetration testing non-malicious malware used by our security company.
Every technical vulnerability listed in your pentesing report will be given a risk rating, which is usually organized by the following:
Every pentesting company may have its own definition of what these individual risk ratings mean, but generally, they are weighted similarly.
Here at Mitnick Security, our risk rating system is as follows:
After you know your technical vulnerabilities and their risk rating, the pentesting report will include a list of Remedial Actions which are key takeaways for how you could fix the gap in your security.
A client with a Medium risk for “Insufficient Endpoint Protection” may receive the following recommendation for remediation:
An Endpoint Detection and Response (EDR) solution should be deployed to provide modern defense for workstations and servers.
Most EDR agents can support both Windows and macOS and can feed log direction into a SIEM.
Now that you’ve learned a little about the lingo used inside a pentesting report, do you feel more confident putting your results to good use?
Discover how our world-class pentesters helped World Surf League improve their security by reading their case study— and receive one of the most detailed reports in the industry from our team at Mitnick Security.