Time Windows for Penetration Testing

Often when penetration tests are scheduled, it will be requested that testing occurs during off-peak hours, such as late evening to early morning. For example, requested hours for testing could be 7pm – 7am, or even 11pm – 6am.

A big reason to have these testing time windows is to prevent peak-time outages. Most organizations need to keep systems up and running for their services and customers. Any outage due to penetration testing could be costly: it is effectively a denial of service, preventing sales and perhaps affecting revenue.

One thing to keep in mind, however, is whether a SOC or any other monitoring is in place during these off-peak hours to be notified of an outage. Is there a 24/7 staff monitoring service during these late hours of the night and early morning? If not, then any outage that occurs during these hours may not be noticed until peak hours begin and employees start their workday. If there is no 24/7 staff or monitoring availability, then automated real-time alerts, such as phone calls or text messages to the IT staff, are crucial to prevent the damage that the time windows were specifically set up to avoid.

There are some occasions when pentesting is requested during peak times, so that staff are present and working to monitor any issues, events or alerts that happen as a result of penetration testing. Another aspect to be aware of is that for penetration testing to be most beneficial, it must replicate as much as possible what a real attacker would do. A real attacker would not necessarily stick to requested testing time windows. A real attacker may not even avoid performing denial of service attacks (or maybe they would, so as to be as stealthy as possible). There is also the amount of time a real attacker has compared to a penetration tester, who is limited to a fixed number of hours to perform testing. A customer requesting a penetration test would be best served by giving their tester the flexibility to replicate a real attacker while keeping within the budget of hours allocated for the tester.

Another important aspect of penetration test time windows is capturing network traffic. Many penetration testing attacks capture traffic generated on the network by users in the environment. If testing is done when no one is working, potential vulnerabilities in the organization could be overlooked, giving the customer a false sense of security. It can be very beneficial, especially for internal penetration tests, to have testing performed during peak hours to capture any potential weaknesses that can be more easily identified while employees use their IT systems for everyday business. As an example, even though a bit exaggerated, would you restrict a vishing attack to the hours of the day when employees are not at their desks to answer their phones?

The recommendation here is to not restrict penetration tests to any time windows. If outages are a concern, communication with the penetration tester is key. Many of the testing activities performed in modern penetration tests should not result in any outages. However, extra care can be taken on the side of the penetration tester. Specific denial of service attacks should not be performed unless approved by the customer on a system that will not affect their business. Additionally, a longer length of time for testing is more beneficial, as the tester will have more time to identify weaknesses that may be present, especially in larger environments with many systems and services.
