Pentesting Frameworks & Methodologies and Why They’re Important

Penetration testing has helped organizations safeguard their digital assets from an increasingly sophisticated array of threats for several decades, establishing itself as a cornerstone of any robust cybersecurity strategy. By employing skilled human pentesters or ethical hackers to simulate attacks on their systems, organizations can proactively identify and exploit vulnerabilities in systems and applications, giving security and IT leaders detailed insight into the weaknesses in their assets for prioritization and remediation.

Penetration testers rely on a range of frameworks, methodologies, and inputs, chosen to fit the specific use case and project scope, to maximize the effectiveness of penetration testing across different digital environments and IT infrastructures.

In this blog, we will explore penetration testing frameworks, why they are important, and the most commonly used frameworks, methodologies, and inputs.

What is a Penetration Testing Framework?

Essentially, a penetration testing framework is a standardized set of guidelines, tools, and methodologies used to guide pentesters through a penetration test. There are many different frameworks, some more prominent than others, and pentesters choose among them depending on the type of pentest, the scope of the test, and the regulations the organization must comply with.

Penetration testing frameworks are all unique, but they generally include guidance for the following phases, which some frameworks divide into smaller phases:

1. Planning and Reconnaissance:

The planning and reconnaissance phase of a penetration testing framework generally guides pentesters in defining the scope, goals, and communication guidelines with stakeholders, and in gathering the information needed to conduct the pentest as effectively as possible. This is also when stakeholders discuss attack paths and define rules of engagement to ensure that the techniques used do not cause operational downtime or leave artifacts behind. The planning phase helps ensure that the scope is sufficient to meet the organization’s security and business goals, and that the type of testing is defined based on the tester’s knowledge of the attack surface (Black Box, Gray Box, or White Box). Depending on the type of pentest, inputs such as user credentials, IP addresses, authentication tokens, and web application URLs may need to be provided.
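Added example (not from the original article): a scope gate a tester can run against the rules of engagement agreed in this phase, which refuses to start when a target is outside the authorised ranges, inside an explicit exclusion, or outside the agreed testing window. The ranges, hosts and window are constructed placeholders.

```python
"""Scope gate run before any testing starts: every target must sit inside an
agreed range, outside every explicit exclusion, and inside the testing window.
Added example, not part of the original article; RulesOfEngagement and all
sample values below are constructed placeholders, not real engagement data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class RulesOfEngagement:
    in_scope: list   # CIDR ranges the client authorised (constructed)
    excluded: list   # hosts or ranges carved out, e.g. a production database (constructed)
    window: tuple    # (start_hour, end_hour) of the agreed testing window, may wrap midnight


def _networks(entries):
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def classify(target, roe):
    """Return 'in-scope', 'excluded' or 'out-of-scope' for one IP address.
    Exclusions are checked first, so a host carved out of an authorised range
    is still refused. Raises ValueError for input that is not an IP address."""
    ip = ipaddress.ip_address(target)
    if any(ip in net for net in _networks(roe.excluded)):
        return "excluded"
    if any(ip in net for net in _networks(roe.in_scope)):
        return "in-scope"
    return "out-of-scope"


def in_window(hour, window):
    """True if the hour lies in the agreed window; handles 22:00-06:00 style wrap."""
    start, end = window
    return start <= hour < end if start < end else (hour >= start or hour < end)


def scope_gate(targets, roe, now_hour):
    """Return (approved_targets, problems). Any problem means testing does not start."""
    approved, problems = [], []
    if not in_window(now_hour, roe.window):
        problems.append(f"hour {now_hour:02d} is outside the agreed window {roe.window}")
    for target in targets:
        try:
            verdict = classify(target, roe)
        except ValueError:
            problems.append(f"{target}: not an IP address, resolve it and re-check scope")
            continue
        if verdict == "in-scope":
            approved.append(target)
        else:
            problems.append(f"{target}: {verdict}")
    return approved, problems


# Constructed sample engagement: one /24 authorised with one host inside it excluded,
# an overnight window, a host outside every range, and an unresolved hostname.
SAMPLE_ROE = RulesOfEngagement(in_scope=["10.20.0.0/24", "192.0.2.0/24"],
                               excluded=["10.20.0.250"], window=(22, 6))
SAMPLE_TARGETS = ["10.20.0.5", "10.20.0.250", "203.0.113.9", "app-01.example.test"]

if __name__ == "__main__":
    approved, problems = scope_gate(SAMPLE_TARGETS, SAMPLE_ROE, now_hour=23)
    print("approved:", approved, "\nblocked:", problems)
```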

2. Execution:

Penetration testing frameworks generally provide guidance on the following components of pentesting, including how to:

  • Perform network mapping
  • Identify vulnerabilities with specific tactics, techniques, and procedures (TTPs)
  • Exploit identified vulnerabilities without causing downtime
  • Escalate privileges beyond the initial discovery of a vulnerability to determine its full extent without causing irreversible issues within an organization’s systems
  • Properly execute post-attack “clean-up” to ensure that organizations’ systems are left in the condition they started in

3. Reporting:

Penetration testing frameworks also provide pentesters with guidance on how identified vulnerabilities should be reported. This helps pentesters determine the criticality of vulnerabilities, collect evidence such as proofs of concept (POCs), and prioritize remediation recommendations. This guidance ensures that pentest reports are as standardized and comprehensive as possible and deliver actionable intelligence for organizations to improve their security posture and achieve effective outcomes.

Most Common Penetration Testing Frameworks, Methodologies, and Inputs

MITRE ATT&CK

The MITRE ATT&CK framework, developed by the MITRE Corporation in 2013, is arguably the most widely known penetration testing framework.

The MITRE ATT&CK framework, unlike other frameworks that guide pentesters through specific steps or phases, provides a comprehensive matrix of techniques used by attackers during various stages of an attack, helping simulate real-world attack scenarios to assess defenses effectively. The MITRE ATT&CK framework also guides pentesters in categorizing different attack methods to better understand attack kill chains.

Referencing the MITRE ATT&CK framework throughout each phase of a pentest enables pentesters to execute and explore specific TTPs to conduct the most comprehensive assessment possible. The MITRE ATT&CK framework is one of the most detailed frameworks, providing pentesters with in-depth knowledge about more niche, real-world techniques that may otherwise be overlooked.

CREST Guide for Running an Effective Penetration Testing Program

The CREST Guide for Running an Effective Penetration Testing Program is designed to serve as a framework for organizations to build and maintain a comprehensive penetration testing program. Created by the Council of Registered Ethical Security Testers (CREST), a leading authority in cybersecurity standards, the guide offers practical advice and best practices for implementing a robust testing program, covering key components of pentesting like:

  • Defining objectives
  • Scoping engagements
  • Selecting appropriate testing methodologies
  • Managing resources
  • Reporting findings, and more

CREST emphasizes the importance of communication and collaboration between all stakeholders, including executives, IT teams, and external testing providers.

One of the CREST framework’s key strengths is its flexibility – it acknowledges that every organization has unique security needs and leaves room for pentesters to customize testing approaches to cater to specific environments and objectives, ensuring that penetration testing is tailored to an organization’s risk profile and industry regulations.

The CREST framework also stresses the importance of ethical conduct throughout the testing process, ensuring that full knowledge and consent are granted by the organization being pentested. It also highlights that pentesting should be conducted in a timeframe that minimizes disruption to normal business operations.

By following the recommendations outlined by CREST, organizations can establish a proactive approach to identifying and addressing security vulnerabilities, ultimately enhancing their overall cybersecurity posture.

OWASP Testing Guide

The Open Web Application Security Project (OWASP) Testing Guide provides a comprehensive framework for testing the security of web applications. It covers a wide range of vulnerabilities and attack vectors commonly found in web applications, along with recommended testing methodologies and tools.

The OWASP Testing Guide can be broken down further into the following categories applicable to penetration testing:

OWASP Application Security Verification Standard (ASVS)

The OWASP Application Security Verification Standard (ASVS) is a framework for web application technical security controls that also serves as a list of requirements for secure application development. The ASVS provides a detailed list of security control verifications and guidance on how to use the ASVS depending on the use case. It also recommends testing methods and tools, and information about the role of penetration testing in the verification process.

ASVS defines three application security verification levels, each designed for applications with a different level of security requirements based on the sensitivity of the data they handle. The levels can be broken down as follows:

  1. Level 1: ASVS Level 1 is designed for applications that don’t handle sensitive information and have a relatively lower risk of attack, outlining the minimum security standards that all applications should strive for.
  2. Level 2: ASVS Level 2 is designed for the vast majority of applications, including those that handle significant business-to-business (B2B) transactions, process healthcare information, or handle other sensitive data. Level 2 ensures that security controls are in place, effective, and used within the application. These applications are more likely to be exploited in a targeted attack by skilled and motivated attackers, so they need more stringent security controls than Level 1 requires.
  3. Level 3: ASVS Level 3 is designed for critical applications that perform high-value transactions, contain sensitive medical data, or otherwise require the highest level of trust. Level 3 requires developers to embed security layers into the application by design from the early stages of development, and requires that all security efforts are documented and audited.

The control verifications detailed by OWASP ASVS are structured into the following categories, which further classify each individual verification as level 1, 2, or 3:

  1. V1 Architecture, Design and Threat Modeling
  2. V2 Authentication
  3. V3 Session Management
  4. V4 Access Control
  5. V5 Validation, Sanitization and Encoding
  6. V6 Stored Cryptography
  7. V7 Error Handling and Logging
  8. V8 Data Protection
  9. V9 Communication
  10. V10 Malicious Code
  11. V11 Business Logic
  12. V12 Files and Resources
  13. V13 API and Web Service
  14. V14 Configuration

The OWASP Top 10 Web Application Security Risks

The OWASP Top 10, as defined by OWASP, is “a standard awareness document for developers and web application security.” It represents the most critical security risks to web applications. Updated in 2021, the OWASP Top 10 web application security risks include the vulnerabilities pictured.

The OWASP Mobile Top 10 Security Risks

Updated in 2024, the OWASP Mobile Top 10 details the top 10 most critical security risks to mobile applications and provides best practices to help remediate them. Organizations leverage this list to prioritize risks in mobile apps to better prevent and defend against exploitative attacks on application functionality. The OWASP Mobile Top 10 security risks include the pictured vulnerabilities.

OWASP API Security Top 10

First launched in 2019 and updated in 2023, the OWASP API Security Top 10 was developed to educate security, development, and IT leaders about the most critical API security risks to watch out for. The latest version of the OWASP API Security Top 10 includes the pictured vulnerabilities.

OWASP Top 10 for LLM Applications

In 2023, to bridge the divide between general application security principles and the specific challenges posed by large language models (LLMs), OWASP launched an initiative to create the OWASP Top 10 for LLM Applications. It focuses heavily on the unique risks that conventional vulnerabilities pose to LLMs and on how traditional remediation strategies can be adapted for LLM applications. The OWASP Top 10 for LLM Applications includes the pictured vulnerabilities.

Not only does the OWASP Top 10 for LLM Applications include a list of vulnerabilities like the other OWASP Top 10 lists, but it also includes a detailed diagram (Diagram 1) that highlights areas of risk that illustrate how the vulnerabilities intersect with the application flow. The diagram is intended to increase understanding of how LLM security risks impact the overall application ecosystem.

Diagram 1: OWASP Top 10 for LLM Applications

OSSTMM

The Open Source Security Testing Methodology Manual (OSSTMM), first introduced in 2000 (over 20 years ago) by the Institute for Security and Open Methodologies (ISECOM), is a comprehensive methodology for conducting security tests and measuring security controls.

The OSSTMM is unique in that it encourages a holistic approach to security testing by incorporating both technical assessment and human factors. It highlights a wide array of testing techniques organizations should adopt to gain a comprehensive view of their security posture, including:

  • Penetration testing
  • Vulnerability assessments
  • Social engineering

It also provides guidelines for testing various aspects of security, including:

  • Infrastructure
  • Applications
  • Physical security
  • Human factors

The OSSTMM includes guidance on all aspects of penetration testing and beyond, including:

  • Scoping
  • Proper attack procedures
  • The use of critical thinking
  • Error handling
  • Trust metrics
  • Disclosure rights and responsibilities, and more

NIST SP 800-115

The National Institute of Standards and Technology (NIST) Special Publication 800-115 provides guidance on information security testing and assessment. It outlines methodologies for conducting security assessments, including:

  • Penetration testing
  • Vulnerability assessment
  • Security architecture review

Penetration testing is specifically addressed starting in section 5.2, where NIST highlights its Four-Stage Penetration Testing Methodology, which is structured as follows:

  1. Planning
  2. Discovery
  3. Attack
  4. Reporting

NIST elaborates granularly on each phase of penetration testing, offering detailed guidance on:

  • Information-gathering techniques
  • Common categories that exploited vulnerabilities fall into
  • Penetration testing logistics
  • Best practices, and more

PTES

First developed in 2009 by six information security consultants, the Penetration Testing Execution Standard (PTES) is a standard for performing penetration tests in a consistent and comprehensive manner. It defines a set of guidelines and phases for conducting penetration tests, including:

  • Pre-engagement interactions
  • Intelligence gathering
  • Threat modeling
  • Vulnerability analysis
  • Exploitation
  • Post-exploitation
  • Reporting

While PTES doesn’t include technical guidance on how to execute a penetration test, it is now accompanied by a technical guide that helps define certain procedures to follow while conducting a penetration test. The technical guide outlines baseline methods that must be continuously updated and changed as time progresses, stating that it must not be used as an all-encompassing set of instructions on how to perform a penetration test. PTES explicitly encourages pentesters to think outside the box.

The technical guide includes detailed guidance on:

  • Tools required for a pentest depending on the operating system and other factors
  • Intelligence gathering (both human and electronic)
  • Vulnerability analysis tools
  • Exploitation
  • Reporting, and more

Cobalt Strike

Cobalt Strike, while not a framework in the traditional sense, is a popular commercial penetration testing tool often used by security professionals for advanced threat emulation, red teaming, and adversary simulation exercises. It provides a range of features for stealthy exploitation, post-exploitation, and command-and-control.

Cobalt Strike helps security teams conduct advanced attack modeling through its Beacon payload, which enables stealthy command-and-control communication, and it can simulate a wide range of attack techniques, such as:

  • Phishing
  • Credential theft
  • Lateral movement
  • Privilege escalation, and more

Its ability to replicate real-world attack scenarios has made Cobalt Strike a go-to tool for pentesters.

ISSAF

Initially released in 2004 by the Open Information Systems Security Group (OISSG), the Information System Security Assessment Framework (ISSAF) serves as a comprehensive guide to conducting a penetration test and is often used as a starting point for developing customized methodologies. The framework is no longer maintained or updated, so it is quite outdated, but it still does a good job of linking each step of a penetration test with specific tools. Like some other penetration testing frameworks and methodologies, the ISSAF breaks penetration testing down into three steps:

  1. Planning and preparation
  2. Assessment
  3. Reporting, clean-up, and artifact destruction

ISSAF also details different tactics or “layers” of pentesting to be applied to the following types of targets:

  • Network penetration testing
  • Host testing
  • Application penetration testing
  • Database security testing
  • Social engineering

ISSAF provides details about the targets and how they are generally configured, the tools that pentesters use, and more.

CIS Benchmarks

First launched in 2000 by the Center for Internet Security (CIS), the CIS Benchmarks are a set of over 100 configuration guidelines that security professionals can use to safeguard systems across more than 25 product vendor families, including:

  • Operating systems
  • Cloud infrastructure and services
  • Server software
  • Desktop software
  • Mobile devices
  • Network devices
  • Multi-function print devices

The CIS Benchmarks also offer guidance on securing legacy systems against common and emerging risks through specific measures such as disabling unused ports, removing unnecessary app permissions, and limiting administrative privileges.

SANS CWE TOP 25 Most Dangerous Software Errors

The SANS Top 25 is a list of the most dangerous and common errors from the Common Weakness Enumeration (CWE) list that are found in web applications. It is compiled by surveying and interviewing security practitioners, developers, and researchers to identify the 25 errors most likely to lead to severe outcomes such as data theft, application takeover, or denial of functionality.

Each CWE ID in the list links to the corresponding entry on the MITRE CWE site, where each weakness is ranked and includes the following details:

  • Full CWE entry data
  • Weakness prevalence and consequences
  • Remediation cost
  • Ease of detection
  • Code examples
  • Detection methods
  • Attack frequency and attacker awareness
  • Related CWE entries
  • Related attack patterns

All CWEs on this list are generally easy to identify and exploit, which is why they are the most dangerous to applications.

CISA Known Exploited Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) maintains a catalog of vulnerabilities that are known to have been exploited in the wild. It is a list of CVEs that both security leaders and pentesters can use as input to their vulnerability management prioritization frameworks. Each listed vulnerability includes:

  • A detailed description
  • Actions that should be taken to mitigate the vulnerability if it is present
  • Information on whether it is known to be used in ransomware attacks
  • Date
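Added example (not from the article or from CISA) of using the catalog as a prioritisation input: findings from a scan are ranked so that KEV-listed CVEs with known ransomware use come first, other KEV entries next, and everything else after, regardless of CVSS score, with a passed KEV due date flagged. The field names are assumed to follow the published KEV JSON feed; all records and CVE ids are constructed placeholders.

```python
"""Rank findings from a scan or pentest using the CISA KEV catalog as the
prioritisation input the article describes. Added example, not from the
original article or from CISA. Assumption: the JSON shape and field names
(cveID, dateAdded, requiredAction, dueDate, knownRansomwareCampaignUse) follow
the published KEV feed as I know it; every record and CVE id below is a
constructed placeholder, not a real catalog entry.
"""
import json
from datetime import date

# Constructed stand-in for the catalog download; ids are deliberately fake.
KEV_SAMPLE = json.dumps({
    "title": "constructed sample, not the real catalog",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
         "vulnerabilityName": "ExampleVPN authentication bypass", "dateAdded": "2024-01-10",
         "shortDescription": "Constructed description.", "requiredAction": "Apply vendor update.",
         "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleCMS",
         "vulnerabilityName": "ExampleCMS file upload", "dateAdded": "2024-05-20",
         "shortDescription": "Constructed description.", "requiredAction": "Apply vendor update.",
         "dueDate": "2024-06-10", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed findings as a scanner or tester might report them.
SAMPLE_FINDINGS = [
    {"host": "10.20.0.5", "cve": "CVE-0000-0003", "cvss": 9.9},  # critical but not in KEV
    {"host": "10.20.0.7", "cve": "CVE-0000-0002", "cvss": 8.8},
    {"host": "10.20.0.9", "cve": "CVE-0000-0001", "cvss": 7.5},  # lowest CVSS, ransomware use
]
REPORT_DATE = date(2024, 6, 1)  # constructed "today" so due-date checks are reproducible
TIER_NAMES = {0: "KEV, known ransomware use", 1: "KEV", 2: "not in KEV"}


def load_kev(raw_json):
    """Index catalog entries by CVE id so each finding is a dictionary lookup."""
    return {entry["cveID"]: entry for entry in json.loads(raw_json)["vulnerabilities"]}


def prioritise(findings, kev, today):
    """Return findings highest priority first, annotated with a KEV tier and action.
    Tier 0: in KEV with known ransomware use; tier 1: in KEV; tier 2: not listed.
    Within a tier, higher CVSS sorts first. A passed KEV due date is flagged so a
    finding that should already have been remediated stands out in the report."""
    ranked = []
    for finding in findings:
        entry = kev.get(finding["cve"])
        if entry is None:
            tier, action, overdue = 2, "prioritise by CVSS and exposure", False
        else:
            tier = 0 if entry.get("knownRansomwareCampaignUse") == "Known" else 1
            action = entry["requiredAction"]
            overdue = date.fromisoformat(entry["dueDate"]) < today
        ranked.append({**finding, "tier": tier, "tier_name": TIER_NAMES[tier],
                       "action": action, "kev_due_date_passed": overdue})
    ranked.sort(key=lambda r: (r["tier"], -r["cvss"]))
    return ranked


if __name__ == "__main__":
    for row in prioritise(SAMPLE_FINDINGS, load_kev(KEV_SAMPLE), REPORT_DATE):
        print(f"{row['host']} {row['cve']} CVSS {row['cvss']} -> {row['tier_name']}; "
              f"{row['action']}{' (KEV due date passed)' if row['kev_due_date_passed'] else ''}")
```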

In Conclusion

These frameworks and methodologies provide guidance and structure for conducting penetration tests more effectively, helping organizations identify and address security weaknesses before they can be exploited by malicious actors. The frameworks and methodologies are not mutually exclusive and can be paired to create a custom methodology that aligns best with an organization’s penetration testing security and business requirements.

About BreachLock

BreachLock is a global leader in attack surface discovery and penetration testing services integrated into one seamless platform with a standardized, built-in pentesting framework. This framework serves as a safeguard for precision and quality, automating routine tasks like report formatting, proof of concept integration, and basic vulnerability identification. This also enables consistent and regular benchmarks of unique attacks, Tactics, Techniques, and Procedures (TTPs), security controls, and processes to deliver enhanced predictability, consistency, and more accurate results in real-time, every time.

Know your risk. Contact BreachLock today!

References:

  1. MITRE ATT&CK Matrix
  2. OWASP Security Testing Guide
  3. OWASP Application Security Verification Standard (ASVS)
  4. OWASP Top 10 Web Application Security Risks
  5. OWASP Mobile Top 10
  6. OWASP Top 10 API Security Risks
  7. OWASP Top 10 for Large Language Models (LLMs)
  8. The Open Source Security Testing Methodology Manual (OSSTMM)
  9. NIST SP 800-115
  10. Penetration Testing Execution Standard
  11. Cobalt Strike
  12. CREST Guide for Running an Effective Penetration Testing Program
  13. CIS Benchmarks List
  14. SANS Top 25 Software Errors
  15. CISA Known Exploited Vulnerabilities Catalog
