Pre-engagement Interactions
The parties (a Client and a Testing Team) have to interact before a penetration test begins. The main aspects they must agree on are: scope of the pentest (domains, IPs, application names, user credentials…), duration (days or hours), communications (email, messengers, feedback…), payment (amount, prepayment %, test currency…), and the NDA. All of this is signed in the Permission to Test document.
Intelligence Gathering
The Testing Team performs reconnaissance against a target to gather the data needed to develop a strategic plan for testing and to select attack vectors on the target.
Threat Modeling
A threat model reflects an attacker's view of a target. The structure of a threat model consists of four key elements: business assets, business processes, threat agents, and threat capabilities.
Vulnerability Analysis
This phase covers active and passive testing, validation of results, and research.
Exploitation
The exploitation phase of a penetration test focuses solely on establishing access to a system or resource by bypassing security restrictions.
Post Exploitation
The purpose of the Post-Exploitation phase is to determine the value of the compromised machine and to maintain control of the machine for later use.
Reporting
The Executive Summary is intended for the top management of the Client; the main sections of this report are Overall Posture, Risk Ranking/Profile, General Findings, Recommendation Summary, and Strategic Roadmap. The Technical Report describes the results of test execution in detail.