Pentesting is inherently time-consuming. This constraint alone has led to the rise of scanners as well as the exclusion of regular pentesting in many modern development lifecycles. Whilst we can’t automate and deliver everything at lightspeed, there are things we can do to increase the speed and efficiency of testing.
1. Use prior knowledge and insights
It can take time to understand what’s happening on the target network. You can speed this process up by looking at any previous reports and findings, as well as talking to the engineers to get an overview of what’s running (or at least what they think is running) in their environment. The more information you have, the more efficient you will be when carrying out your testing.
2. Make use of downtime
Outside of your testing hours, you can be running scans, cracking hashes or fuzzing endpoints. A word of caution though: make sure the activities you’re carrying out are low impact, as you don’t want a call in the middle of the night with complaints; if your client appears to be running a lot of legacy applications, scanning them might break something.
3. Use pre-built test cases and scripts
Often during a pentest we will look for things such as open shares and scripts with hard-coded credentials, or applications of interest such as Jenkins or Graylog that might yield sensitive information if we can get inside. These checks can easily be scripted, and the scripts kept alongside any other exploits or tooling you want to reuse in the future.
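As an added example (not from the original post), here is the kind of reusable check described above: a small scanner that walks a mounted share and flags script or config files that appear to contain hard-coded credentials, masking the values so the report itself does not leak them. The patterns, placeholder list and the sample logon script are constructed for this illustration.

```python
import re
from pathlib import Path

# Patterns for credentials commonly left in scripts and config files on shares.
# Constructed for this example; extend them to match the environment under review.
CREDENTIAL_PATTERNS = {
    "assignment": re.compile(
        r"""(?i)\b(?:password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*['"]?([^\s'";]{4,})"""
    ),
    "connection_string": re.compile(r"(?i)\b(?:password|pwd)=([^;\s]+)"),
    "net_use": re.compile(r"(?i)\bnet\s+use\b.*?/user:\S+\s+(\S+)"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Values that are obviously placeholders rather than live secrets.
PLACEHOLDERS = {"changeme", "password", "example", "xxx", "<redacted>", "${password}"}
SCRIPT_SUFFIXES = {".ps1", ".bat", ".cmd", ".vbs", ".sh", ".py", ".ini", ".cfg", ".config", ".xml"}

def mask(value: str) -> str:
    # Keep only the first and last two characters so the report never reproduces the secret.
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]

def scan_text(text: str, source: str) -> list[dict]:
    # One finding per line that carries a credential-like value.
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in CREDENTIAL_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.lastindex else m.group(0)
            if value.lower() in PLACEHOLDERS:
                continue
            findings.append({"source": source, "line": lineno, "type": kind, "value": mask(value)})
            break  # stop at the first pattern so a line is not reported twice
    return findings

def scan_share(root: str) -> list[dict]:
    # Walk a mounted share (path is hypothetical) and scan every script or config file.
    results = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_SUFFIXES:
            try:
                results.extend(scan_text(path.read_text(errors="ignore"), str(path)))
            except OSError:
                continue
    return results

# Constructed sample resembling a logon script left on an open share.
SAMPLE_SCRIPT = r"""$server = "db01.corp.example"
$password = "changeme"
net use Z: \\fileserver\backup /user:CORP\svc_backup Wint3r2024!
ConnectionString=Server=db01;Database=hr;User Id=app;Password=Hr$ecret9;
"""
```

Run `scan_share("/mnt/share")` against a share you have been authorised to review; the placeholder line in the sample is deliberately skipped while the two live-looking values are reported masked.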
4. Reporting templates and knowledge base
Using a template will make the reporting process much quicker and more efficient. Beyond this, you should consider setting up a knowledge base for your team so that standard text such as remediation for MS17-010 (EternalBlue) can be dropped in and adjusted as needed without having to write it out each time. This also reduces the time spent having someone proofread and/or edit the report before it goes out.
There is also a further benefit to maintaining a knowledge base within the team, and that’s supporting the development of junior members. A lesson learned is always valuable to a tester, but recording and sharing that lesson enables your team to scale and improve their skills more rapidly.
5. Collaborate and communicate
If several of you are working on the same project, make sure you have a clear plan and aren’t duplicating work. Often this falls to the team lead or senior pentester to figure out, but really it just comes down to regular communication between team members.
Most of the time you won’t feel you have enough time to check everything you want to, but by prioritizing your testing you’ll ensure that the client gets the most out of the time you or your team spend testing.
7. Training and education
By helping organizations get a handle on simple issues that a more robust patch management process would likely fix, you can spend more time looking for more complex issues within their environment. Whilst it’s likely out of scope for you to review their day-to-day IT operations, giving insights into what’s important and sharing best practices during a debrief can go a long way to helping an organization step up its game and improve its security posture.
For organizations, there are also some things that can be done to make sure everything runs smoothly.
- Ensure the required documents are signed as needed; don’t wait until the morning of testing to check over the Rules of Engagement.
- Ensure accounts are created ahead of time – this usually means putting a ticket into the helpdesk or the infra team. Again, doing this on the morning of testing is a mistake that many organizations make.
- Make sure all the relevant stakeholders are at least informed ahead of time; you don’t want a last-minute fuss because some senior team member was left out of the loop.