Internal Penetration Testing: The What, When & Why You Should Do It


When Information Technology and Information Security leaders want to test the security weaknesses and cyber resilience of their organization, they turn to penetration testing. There is no better way of validating organizational security posture than by running pen tests. What is a pen test? Why would you want to conduct internal pen tests instead of external pen testing?

In this article, I’ll answer those questions and more. By the end of the article, you’ll understand what external penetration testing is and when you’d use it, what internal penetration testing is and how it’s different, and why internal penetration testing methodologies make sense for organizations large and small.


What is Internal Penetration Testing?

Internal penetration testing is a kind of penetration test that evaluates the ability of a threat actor to gain access to systems within an internal network after bypassing perimeter controls. Put slightly differently, internal pen testing evaluates the ease with which security vulnerabilities allow entrance to both sensitive systems and sensitive information.

Internal penetration tests do away with the complexity of evaluating perimeter controls. Many organizations focus, or have focused, on bolstering perimeter security. Organizations that have a definitive and quantifiable perimeter (e.g., those that operate within a defined number of physical locations) may have hardware and software infrastructure designed to repel attacks. Before 2020, most information security investments could reasonably be said to have happened in that space.

In the post-COVID remote work world, the focus has shifted to safeguarding remote assets and data stores. Most infrastructure doesn’t sit on-premises and where it does, that infrastructure and its safeguards can be trivially compromised if an organization doesn’t engage in perfect hygiene.

Internal penetration testing highlights those deficiencies. More than that, it identifies the vulnerabilities that can lead to significant cyber attacks and shows what the results of those attacks would be.

Internal vs External Penetration Testing

External penetration testing methodologies include various attack vectors that exploit vulnerabilities to gain unauthorized access into a corporate network. They identify security weaknesses along a network perimeter.

That’s where external penetration tests stop. They leverage known vulnerabilities to see whether or not someone can penetrate a network. Given the variety of ingress modes, ranging from common scenarios like open ports, phishing susceptibility, and leaky web apps, to less common scenarios like exposed shares, man-in-the-middle attacks, and various network security vulnerabilities, it’s highly likely that any external pen test will be successful.

Vendors provide external pen testing, but there are also a plethora of services that automate these tests. An external penetration test isn’t complicated. Additionally, a laser-focused external penetration test misses the forest for the trees: it identifies vulnerabilities within a narrow scope and misses the other likely weaknesses.

Internal penetration testing, on the other hand, can be more focused by the nature of its scope. Internal pen tests exploit vulnerabilities to identify weaknesses in internal security controls that inappropriately allow access to sensitive resources. While there are many ways to gain access to an organization, there are only a few things that can compromise the cyber security of internal assets. Any threat actor can engage in that malicious activity, whether that actor is a malicious insider or some set of external threats.

What Are The Benefits?

An internal penetration test highlights the impacts of both insider threats and external threat actors. Using knowledge of finite, critical file stores of sensitive data, authentication and authorization mechanisms, and network services, an ethical hacker is able to try to compromise those assets and infrastructure and circumvent security controls to simulate data breaches.

Even better: ethical hacking gives security teams the ability to evaluate their security posture and the various security controls in place.

An internal penetration test is a fantastic way to evaluate infrastructure like: Endpoint Detection and Response (EDR), Secure Access Service Edge (SASE), Intrusion Detection and Prevention Systems (IDS/IPS), and the responsiveness of a Managed Security Services Provider (MSSP) or Security Operations Center (SOC), to name a few. In that way, a pen tester becomes an expert validation of blue team defenses.

Internal Penetration Testing Methodology


An internal pen test typically starts with an enumeration of internal IP addresses and ranges, critical assets, and authentication and authorization infrastructure. You can engage in black box penetration testing which enumerates none of that, though. That kind of black box penetration testing can be incredibly valuable for closely simulating an actual attack.

In many cases, organizations opt for a white or gray box penetration test. A white box penetration test is the first scenario defined above: an enumeration of infrastructure and assets for a comprehensive attack. Gray box penetration testing, however, is a test involving knowledge only of system architecture, which can be invaluable for web applications to simulate an actual attack.

Regardless of the kind of test, the ethical hacking team will initially work on a discovery phase. That discovery phase is essentially an internal network pen test. They’ll try to see if they can sniff and capture network traffic to identify the kinds of assets on the network. They’ll also identify ports and protocols that will allow them to move laterally and silently through the network.

If that internal network penetration test is successful, they’ll proceed automatically to the next phase of the attack. That’s because they’ll have the necessary technical information to proceed. If not, they’ll need more information, which can be said to simulate an insider threat.

Once the penetration test team has gathered sufficient information about the environment in which they find themselves, they will try to engage in privilege escalation. That effectively entails two steps. The first is the enumeration phase: an initial bout of credential stealing from file stores or applications via information leakage or social engineering. That may involve cracking password hashes, so make sure you’re appropriately hashing and salting your employees’ and users’ passwords!

The second is a campaign to use those credentials to gain elevated privileges, such as those of an administrator. In doing so, they’ll be able to masquerade as malicious insiders, which your SIEM and MSSP/SOC may not catch.

Using their ill-gotten access, the internal pen test team will continue to erode your organization’s security safeguards. They’ll use their internal access to your internal network, infrastructure, and (if in scope) cloud environments to attempt access to “crown jewels.” Those crown jewels are the critical assets you identified that pose the most significant areas of compromise based on data breaches and operational impacts.

The internal network penetration test team will attempt to beacon out to external IPs, which is a critical component of any cyberattack. When those beacons are not coming from the sanctioned access your internal penetration test team has, they tell a threat actor that there is a point-to-point connection between the critical data store or application and the threat actor’s server. Under uncontrolled, non-test circumstances, those beacons enable an external user to access your network.

The internal penetration test team may then attempt to exfiltrate data. This is an important step in some cases because operating systems (specifically corporate instances of Windows 10/11) may prevent either network access or data exfiltration. Alternatively, there may be other cyber security infrastructure that prevents the data movement. Depending on the data your organization possesses, this would ideally be dummy or inconsequential test data. This is a critical test, however, because it effectively tests your network security controls.
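The beaconing step above is exactly the kind of activity the article says a SIEM or SOC may not catch. As an added defensive example that is not part of the original article, here is a small Python detector that reads a constructed connection log and flags internal-to-external pairs that call out at suspiciously regular intervals. The log format, the internal address ranges and the thresholds are assumptions chosen for the example.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real): "<ISO timestamp> <src_ip> <dst_ip> <bytes_out>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.5.23 203.0.113.10 412
2024-03-01T09:00:14 10.0.5.23 198.51.100.7 9230
2024-03-01T09:01:01 10.0.5.23 203.0.113.10 418
2024-03-01T09:02:00 10.0.5.23 203.0.113.10 405
2024-03-01T09:02:40 10.0.5.23 198.51.100.7 1500
2024-03-01T09:03:01 10.0.5.23 203.0.113.10 420
2024-03-01T09:04:00 10.0.5.23 203.0.113.10 411
2024-03-01T09:07:30 10.0.5.23 198.51.100.7 76000
2024-03-01T09:07:45 10.0.5.23 198.51.100.7 300
2024-03-01T09:12:02 10.0.5.23 198.51.100.7 640
"""
# Assumed internal ranges; use the organisation's own. (Not ipaddress.is_private: that
# also matches the RFC 5737 documentation ranges standing in for external hosts above.)
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    return any(ip in net for net in INTERNAL)

def parse_log(text):
    """Yield (timestamp, src, dst) per well-formed line; malformed lines are skipped."""
    for parts in (line.split() for line in text.splitlines()):
        try:
            rec = (datetime.fromisoformat(parts[0]), ipaddress.ip_address(parts[1]),
                   ipaddress.ip_address(parts[2]))
        except (IndexError, ValueError):
            continue
        yield rec

def detect_beacons(text, min_conns=5, max_jitter=0.2):
    """Yield (src, dst, count, mean_gap_s, jitter) for regular internal->external pairs."""
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(text):
        if is_internal(src) and not is_internal(dst):
            by_pair[(str(src), str(dst))].append(ts)
    for (src, dst), times in by_pair.items():
        if len(times) < min_conns:  # too few connections to judge periodicity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")  # 0 = clockwork
        if jitter <= max_jitter:
            yield src, dst, len(times), round(mean, 1), round(jitter, 3)
```

On the sample log only the host calling 203.0.113.10 roughly once a minute is flagged; the irregular traffic to 198.51.100.7 has the same number of connections but a jitter above the threshold.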

Internal Penetration Testing Tools

Pen test vendors will use the same tools in their network pen tests as actual threat actors. Some of those tools include:

  • Nmap: this is a network discovery tool that will identify assets on the network that can be detected from the endpoint running the Nmap scan. It will also detect open ports and protocols, which can be used to elevate the attack.
  • Nessus: this is a freeware network vulnerability tool owned by Tenable that allows security teams to identify potential vulnerabilities in assets on the network.
  • Metasploit: this is a tool that allows the identification of exposed vulnerabilities available on the network.
  • Cobalt Strike: this is a legitimate tool that, when misused, provides exceptional access to legitimate assets. It is widely used by ransomware threat actors to compromise environments.
  • Burp Suite: a platform for compromising (or securing) web apps. Like Cobalt Strike, it is legitimate for QA purposes and is easily misappropriated by threat actors.
  • Mimikatz: an application used to brute force passwords and gain unauthorized access to systems.

How Long Does an Internal Pentest Take?

An internal pen test typically takes a week or two, give or take. The length of time depends on the number of systems and file stores included in the scope. Typically, teams follow the identified scope and will quote the proposed amount of time to evaluate based on their professional experience.

Internal Penetration Testing Costs

Internal pen tests are hard. They’re largely hands-on efforts on the part of one or more members of the pen testing team. You will pay based on the number of targets and exercises conducted. How much that costs is largely dependent on the provider and the services they offer.

Some providers offer fully automated, fully manual, or blended automated-and-manual internal penetration tests. All of those use a mix of exploits based on known vulnerabilities. Depending on the team you get, they may also try novel techniques.

For an internal penetration test, you’re spending anywhere between $2,000 and $5,000 per IP address or target.

Alternatively, automated solutions can cost as little as $10-$30 per IP address, but you need to deploy against an entire network. So if your network is 10,000 endpoints, you’re easily spending hundreds of thousands of dollars on a solution.

External pen tests are largely automated at this point. An external scan, provided by many professional and governmental organizations, can provide a comprehensive assessment for free or at a nominal cost. Those are largely reserved for critical infrastructure, though, so make sure you qualify.

Otherwise, you can purchase automated solutions that look for known perimeter vulnerabilities and identify whether or not they’re exploitable. Those typically come in at the tens of thousands and are priced based on external IP range.

When an Internal Pentest Makes Sense

Internal penetration testing always makes sense. If your environment is digital, it makes sense. Threat actors are ruthless and financially motivated. They don’t care what data you have or how sensitive it is. You do.

If you have active security or compliance goals, then an internal pen test is critical. If you’re considered to be critical infrastructure or care about your security posture, then an internal pen test is a must.

You should also consider an external pen test if you think that an internal pen test is insufficient to safeguard your environment. If you’re a critical infrastructure instrumentality then this is practically a must.

Understand that external penetration tests can be free. Internal penetration tests can have financial costs. It’s critical to evaluate that cost against your risk appetite.


Published by Aaron Weismann
Aaron Weismann is a healthcare industry CISO with over a decade of strategic management, technology, and information security experience. His deepest experience is in managing and securing sophisticated and highly regulated environments. His expert...
Copyright © 2022 Network Assured