Pen testing is the art of attempting to breach an organization’s network, computers and systems to identify possible means of bypassing their defenses. It's an "art" because there is no one-size-fits-all method or process. Testers need a variety of skills, knowledge and tools to make the attempt.
Most testers are hackers trying to use their skills legitimately, technical administrators, network administrators or just computer enthusiasts who enjoy trying to undermine IT security stacks. Many testers are jacks-of-all trades (and masters of them all). Their primary goal is to succeed in getting past defenses and report on their findings. An MSPs intention is to NOT allow this to happen by putting up the right security posture through layered defenses.
So it’s easy to see how the relationship can quickly become adversarial. But there are ways pen testing organizations can help MSPs. Before we get to that, more details on types of pen tests.
Types of testing
An issue with pen testing is a lack of standard operating procedures. No one company performs the tests the same way. Testers are fallible actors with certain skills they apply to circumvent defenses. While testers and testing organizations are usually highly skilled, they are not all knowing. Trust, but verify.
So, what types of testing methods are there? While standardization is scarce and pen testing is pretty much a Wild West environment, there are some common methods and approaches. These can be broken down into two categories: Blue Teams and Red Teams.
(Tools are varied and not important until the tester discovers or knows what type, brand or systems are present. In other words, tools are specific to the environment.)
With Blue Teams, "tester" has some information about the network, computers and organization that they're pitted against. They know how things are set up and are there as more of an audit/report type tester rather than a malicious hacker.
Blue Teams can be anyone inside or outside the organization. However, in the MSP community, the Blue Teams are usually the technicians responsible for establishing the layered security defenses and then verifying their effectiveness. They're the internal folks that are standing up various tools to block bad actors from encroaching or breaching their network, computers and systems.
Here's where it can get murky and why you should always insist on more information about ay client’s pen test. Pen testing can be an outside organization performing a Blue Team activity and their report can be communicated as a Pen Test Failure. Trust, but verify.
Red Team testers have no idea about the organization they're testing against and must figure out the technology, network, computers and systems before doing anything. These are true hackers starting from nothing. They may use social engineering to conduct reconnaissance, they may google employees, use LinkedIn or any other publicly available information to gain a foothold with the organization before they write one line of code.
This is real penetration testing, as they make the attempt to access networks, computes and systems of the identified organization they're testing against. When a Red Team reports its findings on why and how they were able to breach a client, it’s time to pay attention.
Should you put a Penetration Testing company on retainer?
So, now that we've established some high-level perimeters, how should MSPs engage with pen testers?
First, it’s important to learn everything you can about your tools. The mantra of a strong security posture is ‘know your tools inside and out.’
But don’t stop there. Rather than stand up the layers of the latest cool tools and cross your fingers no pen tester hits a client with a failing report, be proactive. Learn about the penetration testing market, find a good pen testing company with strong credentials and engage with them. With security concerns exploding over the past few years, pen testing should be considered an essential tool for validating your effort and spend on the security stack. So get to know the good ones.
Again, many MSP view third-party pen testing organizations as the enemy. Instead, engage with pen testing organizations to test your own defenses before issues affect your customers.
Here are a few tips for improving your business’s relationships with pen testers:
- Pen test your own network, computers and systems. If you want to know how good your "Blue Team" is, put their feet to the fire and have a solid, reputable third-party pen testing organization attempt to breach your own defenses. Learn all you can about their methods and findings, then review and adjust.
- Work with the pen test organization as a potential revenue opportunity. Work out an agreement that lets you as the MSP provide work and opportunity through your own customer network. You act as the lead generator and offer their services as an adjunct to your own.
- When customers come along with a report that you were not involved, ask questions about how the test was conducted and then offer your own services to proactively verify their report.
Now that you know the basics of pen testing and how they can be used constructively, here’s a question: what happens when a customer fails a pen test? We’ll answer that question in an upcoming post.