Internal Penetration Testing: What It Is & How It’s Done

An internal penetration test focuses on vulnerabilities within a network. Where an external pen tester attempts to break into the network from outside, an internal pen tester starts with basic access.

From this insider perspective, the internal pen tester identifies and attempts to exploit network vulnerabilities. They document their findings and compile them into a report, which can then be used to improve the network’s internal security.

An internal pen test simulates an insider threat, or an attacker who has already gained access to a network. An external pen test, on the other hand, simulates an outside attack by a threat actor who must first gain entry to the network before they can proceed.

How to Conduct an Internal Penetration Test

1. Scoping

To begin with, the company being tested works with the pen tester to determine testing requirements, outline objectives, and define the overall scope of the test. This scope determines which systems and assets will be explored during the pen test. It might also include a list of excluded solutions, devices, and technologies, ensuring the penetration tester focuses on the specific areas the company wants to examine.

The objectives define the purpose of the pen test. Everyone involved should agree on both the objectives and the scope before the pen test begins.
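One way to enforce the agreed scope before any scanning tool is pointed at the network, shown as an added example that is not part of the original article. The address ranges and the `classify_targets` helper are constructed for illustration; exclusions always override inclusions.

```python
import ipaddress

# Constructed sample scope (private-range values, not taken from the article).
IN_SCOPE = ["10.20.0.0/16", "192.168.50.0/24"]
EXCLUDED = ["10.20.30.0/24", "192.168.50.10"]  # e.g. fragile production systems


def _networks(entries):
    """Parse CIDR blocks or single addresses into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def classify_targets(targets, in_scope=IN_SCOPE, excluded=EXCLUDED):
    """Sort candidate targets into allowed, excluded, out_of_scope and invalid.

    A target is allowed only if it lies entirely inside one in-scope network
    and does not overlap any excluded network or address.
    """
    scope, deny = _networks(in_scope), _networks(excluded)
    result = {"allowed": [], "excluded": [], "out_of_scope": [], "invalid": []}
    for raw in targets:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            # Hostnames and typos are never guessed at; they need manual review.
            result["invalid"].append(raw)
            continue
        if any(net.overlaps(d) for d in deny):
            # A range that merely touches an exclusion is rejected as a whole.
            result["excluded"].append(raw)
        elif any(net.version == s.version and net.subnet_of(s) for s in scope):
            result["allowed"].append(raw)
        else:
            result["out_of_scope"].append(raw)
    return result


if __name__ == "__main__":
    # Constructed candidate list, as it might arrive from a discovery step.
    candidates = ["10.20.5.17", "10.20.30.44", "10.20.0.0/16", "172.16.1.1",
                  "192.168.50.0/25", "fileserver01", "10.20.5.0/24"]
    for bucket, items in classify_targets(candidates).items():
        print(f"{bucket:13} {items}")
```

Only the `allowed` bucket should be handed to a scanner; the other three buckets belong in the engagement log so scope questions can be resolved with the client.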

2. Vulnerability Identification

Once everyone is in agreement concerning the pen test’s scope, the pen tester gathers relevant data on company systems, networks, and applications. They’ll scour the network to collect as much detail as possible, particularly information that could point toward potential attack vectors or vulnerabilities. This will include assessing existing security measures, such as firewalls and access controls.

As part of this process, pen testers may use automated tools to scan the network for potential weaknesses. These tools focus on known issues, as documented in databases such as the CVE list. Pen testers will also use open-source tools such as Nmap and Wireshark to explore the network in their search for vulnerabilities.

As they work, the pen testers will document these vulnerabilities and draw up their attack plan for the following stage.

3. Exploitation

A penetration test does not merely identify vulnerabilities; once they have been documented, the pen testers will actively attempt to exploit them, executing their attack plans in simulation of a real-world cyberattack.

This stage varies a great deal depending on the vulnerabilities in question. Pen testers often have to get creative to overcome previously unidentified obstacles, or adjust their approach if a particular strategy proves ineffective. A ‘failed’ exploitation attempt can still provide insights, just as a successful attack can open up new vantage points from which to escalate their attacks.

4. Reporting

After completing the exploitation phase, penetration testers create a detailed report outlining their discoveries. This report will list the vulnerabilities discovered, outline how the pen tester exploited them during the test, and explain what they were able to achieve in their exploitation attempts.

Some penetration testers will include recommendations for fixing any problems they find during the internal penetration tests. They’ll also speak with internal IT team members about their results, answering any questions the team might have about what the pen test uncovered.

5. Remediation & Retesting

With a pen test report in hand, the company can now address the vulnerabilities that were identified in the test. That can mean anything from patching outdated software to revamping the network from the ground up.

Once the security issues have been addressed, it’s best to retest to make sure your updated security measures function correctly. To do so, the pen tester will again attempt to exploit any vulnerabilities they identified. If significant changes were made, it might even make sense to conduct the pen test from scratch.

Red Team vs Blue Team Exercises

Red team vs blue team exercises pit two teams of IT professionals against one another. The red team acts as a real-world threat, assuming the identity of a malicious actor. The blue team serves the organization, working to detect incidents and respond to intrusions swiftly.

Usually, the red team is made up of pen testers, and they use a variety of techniques and tools to gain access to systems or move through a network to gather data. Their actions functionally test any intrusion detection mechanisms in place, determining if an organization’s solutions are effectively identifying the activity and alerting the appropriate employees.

Additionally, it gives blue team members a chance to hone skills relating to swift detection and mitigation. As a result, it helps identify weak points in the existing incident response process, creating opportunities for improvement.

Internal Pen Testing Tools

Here are some of the tools most commonly used in internal penetration testing:

  • Arachni
  • Burp Suite
  • GHDB
  • Hydra
  • Intruder
  • Metasploit
  • Nessus
  • Nikto
  • Nmap
  • OpenVAS
  • SQLmap
  • Wireshark

For more information, see our full guide to penetration testing tools.

Internal Penetration Testing Cost

The cost of internal penetration testing varies, depending on factors such as the size of a company’s IT landscape and the scope of the test itself.

Sometimes, companies can save money by relying on internal resources to conduct the test. But this isn’t always as effective as bringing in an outside party, and it isn’t recommended to have the same employees that maintain a system conduct a pen test on that system.

An internal penetration test with a narrow scope might only cost a few thousand dollars. However, complex internal pen tests, surveying more extensive systems, can cost $15,000 or more.

For more information, see our full guide to network pen testing.

About the Author

Michael X. Heiligenstein

Michael X. Heiligenstein is the founder and editor-in-chief of the Firewall Times. He has six years of experience in online publishing and marketing. Before founding the Firewall Times, he was Vice President of SEO at Fit Small Business, a website devoted to helping small business owners. He graduated from the University of Virginia with a degree in English and History.