What Is The PTES (Penetration Testing Execution Standard)?

Penetration testing requires a special mindset and typically attracts some of the best and brightest in the world of cybersecurity. There are many useful certifications designed to help teach penetration testing, including:

  • EC-Certified Ethical Hacker (CEH)
  • C)PEH Certified Professional Ethical Hacker
  • Licensed Penetration Tester (LPT)
  • GIAC Penetration Tester (GPEN)
  • GIAC Web Application Penetration Test (GWAPT)
  • Certified Penetration Tester
  • Certified Expert Penetration Tester

But despite the number of certifications and the number of people in the pipeline to earn them, there remains a massive skill gap. In 2017, technology recruiting firm Mondo reported to Tech Republic that penetration testers were one of the three most in-demand cybersecurity job listings on their roster.

There’s also the fact that it’s hard to train a good penetration tester. The position demands inventiveness and initiative, an insatiable curiosity about how things work and a desire to solve puzzles. This is the very thing that drives a pen tester to make the same intuitive leaps a black hat hacker might.

But those individuals are rare, and the demand for testers is massive.

In this environment, some information security consultants and executives decided that providing a comprehensive and standardized guide to inform penetration testing engagements and help instruct penetration testers would be valuable.

Developing Standard Guidance For Penetration Testing Makes It More Accessible

In 2009, the Penetration Testing Execution Standard (PTES) was started as the brainchild of six information security consultants attempting to address deficiencies in the penetration testing community.

Their goal was to create a standard that would help both clients and testers by providing guidance about the tools, techniques, and elements to be covered in a general penetration test.

[[[We are aiming to create an actual standard so that businesses can have a baseline of what is needed when they get a pentest as well as an understanding of what type of testing they require or would provide value to their business. The lack of standardization now is only hurting the industry as businesses are getting low-quality work done, and practitioners lack guidance in terms of what is needed to provide quality service.]]]

With demands in the market exploding, many low-quality or unqualified firms and individuals were getting in on the penetration testing gold rush and delivering inadequate or even downright dangerous results that were giving even legitimate providers a bad name. Some penetration testers used their access to systems to subsequently hack the same targets they’d been paid to help secure. Others inadvertently damaged servers or left behind tools that could be used by malicious hackers making real attacks.

If certain standards could be agreed on, it was felt that the bad providers would either drop out or be more clearly distinguished from professional testers.

PTES wasn’t the first attempt at exploring a set of instructions and tools for penetration testers and other standards have been developed subsequently, including:

Comprehensive Guidelines To Inform Every Aspect of Penetration Testing

The PTES was a far more comprehensive effort than any of the competing standards, however. The guidelines are broken down into six sections:

  • Tools Required
  • Intelligence Gathering
  • Vulnerability Analysis
  • Exploitation
  • Post Exploitation
  • Reporting

There are also five appendices for further reference.

Each section offers an in-depth discussion of the factors a professional penetration tester should consider during that particular phase of an engagement. It covers everything from RF-frequency monitoring to physical site surveillance to mining and researching targets for phishing or other social engineering attacks.

More importantly, it explains how to interpret some of the results that can be uncovered and how to work toward exploiting vulnerabilities found.

The document contains links to resources and tools that can be used in each phase as well. For instance, helpful links to state business registration search sites are included for performing background research on the target.

But the document verges at times into overly generic suggestion and links that verge on pure cruft… right after the state corporation search links, for example, the document links the major search engines—Google, Yahoo, Bing, and the like—as if even five-year-olds today didn’t have such resources hardwired into their brains.

There are also considerable gaps in the information available. Much of the exploitation section awaits expansion, although general techniques are outlined. Some specific attacks are laid out, but the details are often dated and of limited utility.

PTES Helps Penetration Testers Adhere To Best Practices

The biggest problem with the PTES, or any static standard with such fine detail, is that information technology evolves too rapidly to be easily cataloged in a truly comprehensive manner.

Making matters worse, hacking itself, or at least the sort of hacking that penetration testers can most legitimately claim to defend against, is necessarily at the bleeding edge of technology. Exploits which are old and well-understood can and usually do have automated scanning and detection tools to ferret them out. The skill and inventiveness of an ethical hacker is put to best use when applied to find exactly the sorts of vulnerabilities these tools can’t uncover.

Cybersecurity, however, is a field that perpetually exists in a state of compromise and bare adequacy. Considering that skilled and qualified penetration testers simply cannot be produced in the volumes necessary to keep up with current demand, PTES and other efforts toward developing pen testing standards may be the best available compromise.

One thing that the standard can help all testers with, though, is ensuring that they have at least considered most of the common bases of attack in every engagement. Although the kind of magic that results in genuine insight during penetration testing evaluations may be rare, most of the work is meat-and-potatoes scanning and reporting. Although this can be automated—and often is—it’s still the case that many organizations don’t do it internally and rely on penetration testers to handle routine scans.

Even with its flaws, PTES outlines some of the industry best practices that should, at a minimum, be followed in any penetration testing engagement and it remains one of the best guides of its kind available today.