
Cyber Security Interview Prep. Q11: "PTES Pentesting Model"

  • mahfuz3895
  • Oct 9, 2021
  • 2 min read

Category: Red Team

What is the PTES model? What are the stages and could you briefly describe each stage?


PTES stands for "Pentesting Execution Standard" and is a model for how a Penetration Test can be carried out, including everything from the initial preparation through to the report writing at the end.


There are 7 stages, each briefly described below:


Pre-Engagement Interactions- Pentesters prepare the tools, Operating System (OS) and software needed for the pentest. These will vary based on the scope of work, which should be properly defined during this stage through discussions with the client.


Intelligence Gathering- Here, the client organisation may provide some details about in-scope targets. In addition, the pentester will use publicly available information to gather further details. This is where OSINT (Open-source Intelligence) comes into play.


Threat Modelling- At this stage, two things are looked at and the relationship between the two considered:

1) The assets in the client's business

2) The types of threats and threat communities that may target the client.

The relative risk to each of the assets is then assessed so correct prioritisation can take place.

Think of the potential threat actor wondering "what is the juiciest target in this business?"


Vulnerability Analysis- This is where vulnerabilities are looked for and discovered in a pentester's attempt to breach the client's systems.


Exploitation- Vulnerabilities found in the previous stage are taken advantage of in this stage to see what access could be obtained and to what extent client systems could be compromised.


Post-Exploitation- This is where the value of compromised systems is considered. Value is based on what data the pentester can access now that the system is compromised, as well as how the compromise of a system may help the pentester further compromise other machines on the client's network.


Reporting- A report is made consisting of 2 main sections.

1) The technical report, which includes a detailed account of what was done during the pentest, which of the targets discussed with the client during the Pre-Engagement Interactions stage were met, and the remediation guidance for vulnerabilities that were present on the client's systems.

2) The executive summary, which is a high-level overview that talks about the overall goals of the pentest, the various security risks identified and the order of priority in which these risks should be addressed.


Further Reading:


©2020 by Breakthrough Tactics
