External attackers may have little or no knowledge of your company, perhaps just some IP addresses. They may be former employees, or work for partners or service providers, and have considerable knowledge of the inside of your network. An insider may be a systems administrator or DBA with privileged access and authorization who knows where critical data resides.
Motive is a factor in developing profiles. Is the attacker after credit card numbers and PII that can be turned into cash? Intellectual property to sell to a competitor or gain a business advantage? The attacker may be politically/ideologically or competitively motivated to bring your Web application down. He may be an angry ex-employee who wants to "get back at the company."
Work with business owners to help fashion these profiles and learn what types of potential attackers they are most concerned about.
The profile narrows the focus of the pen testing, and the tests will vary for each of these profiles.
"We get a snapshot of what a particular attacker can do against a target, and we don't mix results," said Core Security's Solino. "For every profile, we get the result of the pen test and do another profile."
Tip 6: The More Intelligence the Better
Information gathering is as much a part of the process as the actual exploit--identify devices, operating systems, applications, databases, etc. The more you know about a target and its connected systems, the better chance you have of breaking in.
Each step may yield valuable information that will allow you to attack another asset and eventually get you into the target database, file share, etc. The information will allow you to narrow the search for exploitable vulnerabilities. This reconnaissance is typically performed using automated scanning and mapping tools, but you can also use social engineering methods, such as posing as a help desk person or a contractor on the phone, to gather valuable information.
"We're increasingly starting to do social engineering," said Verizon's Khawaja. "It's essentially reconnaissance--performed with the permission of the customer--to let us find everything in the environment that could assist us in breaking in."
Multi-stage penetration testing is typically a repeated cycle of reconnaissance, vulnerability assessment and exploitation, with each step giving you the information needed to penetrate deeper into the network.
Tip 7: Consider All Attack Vectors
Attackers can and will exploit different aspects of your IT infrastructure, individually or, frequently, in combination to get the data they are seeking.