Internal Infrastructure Penetration Test
An internal infrastructure penetration test simulates an attack on your internal systems from within your internal environment. The consultant simulates a potential attacker (hacker) who already has access to your internal network. This could be an employee, a contractor, or even an external attacker who has already breached the external perimeter.
Unlike the insider threat test, which tests the internal environment as a whole, this test focuses on specific, selected internal systems.
The performed tests are equivalent to an external perimeter test with a different entry point.
Benefits
An internal infrastructure penetration test allows you to elevate the security of your internal systems closer to the level that is considered standard for externally accessible systems.
The conservative approach to internal network security operates on the assumption that a well-secured external perimeter is an almost insurmountable obstacle, and that internal systems can therefore be orders of magnitude less secure than external systems. However, modern defense-in-depth approaches, including the Zero Trust architecture concept, reject this separation. According to them, information systems should not trust the internal network any more than the external network.
Typical targets for this test are your internally accessible systems, such as intranet web servers, mail servers, shared storage, firewalls, and HR systems.
We recommend this test as a periodic activity for long-term security analysis of individual internal systems, as well as for verification of a new deployment.
When building the security of the internal environment as a whole, we recommend starting with the insider threat test, which seeks out its weakest points.
Despite the popularity of Zero Trust, in practice, we still consider it appropriate to first focus on protecting the external perimeter.
Testing Process
Establishing the scope forms the basis of the test. This typically includes selecting IP ranges or domain names.
An internal infrastructure penetration test can be conducted in a so-called zero-knowledge mode. This means that we are only provided with internal network access, and not with any additional authentication credentials (usernames, passwords, certificates, keys, etc.) or other non-public information. However, based on the threat model, it may be appropriate to also provide credentials that allow accessing the systems as a regular employee.
The following tests, among others, are performed under these conditions:
We begin with network scanning to discover accessible servers and services.
We fingerprint the available services and analyze the server software used, creating a list of the technologies in use.
All identified devices, services, and technologies are tested for known security flaws and vulnerabilities using automated tools (e.g., vulnerability scanners, web application scanners and other specialized tools).
Websites located within the scope are only subjected to a basic security assessment; a detailed security review of web applications (based on the OWASP methodology) is offered by the Web Application Penetration Test.
Based on the expertise of the penetration testers, specific services are selected for a manual search for flaws and vulnerabilities.
All findings from the previous steps are verified by manual tests, false positives are eliminated, genuine flaws are documented, and where possible, we try to demonstrate their exploitability.
Our internal methodology is based on the NIST 800-115 (2008) standard and the OSSTMM (2010) methodology, but it focuses primarily on modern procedures, trends, and best practices in cybersecurity testing.
All findings, along with proposed recommendations, are presented in the final report.
Other Types of Tests
This test can be combined with other supporting or follow-up tests:
Penetration Test – Insider Threat methodically seeks out the most critical weaknesses throughout the internal infrastructure, leveraging those that could lead to the highest impact.
It is advisable to perform penetration tests of internally accessible web applications and APIs.
An External Perimeter Penetration Test has similar objectives, benefits, and procedures, but it analyzes the security of your systems that are accessible from the internet.
In addition to the tests described above, we also provide our clients with many other types of penetration tests. For a full list, see Penetration Testing – Overview.
Final Report
The results of the penetration test are documented in a final report, which contains details of the testing process, a description and classification of all the vulnerabilities found, and recommendations for mitigating the risks. We deliver the report securely in MS Word and PDF formats. The results can also be presented in a management presentation or a technical workshop.