What factors impact the cost of an internal penetration test?

This article describes the main factors that we take into consideration while estimating the cost of an internal penetration test.

The effort to perform an internal penetration test varies with several factors. Here are the three most significant factors that influence the amount of effort and, consequently, the cost of the penetration test.

1. Network Size

There are two aspects of network size that impact the testing effort: overall network size and the number of live hosts.

Overall Network Size

Since port scanning across network ranges is a distinctive part of an internal network penetration test, the size of the address space contributes to the overall level of effort. For example, it takes much longer to scan a single Class A network (a /8, about 16.8 million addresses) than a half-dozen Class B networks (/16s, under 400,000 addresses combined).

Vast networks often include large ranges of "empty" address space. You can significantly reduce the effort to scan these large networks by providing the testing team with an organized list of the smaller network ranges that are actually in use.

Number of Live Hosts

The number of live hosts to be tested directly affects the effort required for a network penetration test. Although it is not strictly necessary, dividing this number into the following three categories improves the estimate and may lower the cost of the test:

  • Number of Servers
  • Number of Workstations
  • Number of other Devices (i.e., infrastructure devices that occupy an IP address)

A close approximation is all that is necessary.
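As an added example (not code from the original article), the following Python helper does the scope preparation this section recommends: it collapses overlapping and adjacent CIDR blocks, carves out any blocks declared out of scope, counts the resulting address space the port sweep must cover, and tallies a host inventory into the three categories above while flagging hosts that fall outside the agreed scope. The ranges, exclusion and inventory lines are constructed sample data; the `scope_summary` function and the comma-separated inventory format are assumptions of this example, not a format the article specifies.

```python
import ipaddress
from collections import Counter

# Constructed sample scope, as a client might hand it over: overlapping and
# adjacent blocks that should be collapsed before estimating scan effort.
SCOPE_RANGES = [
    "10.10.0.0/16",
    "10.10.5.0/24",     # already contained in 10.10.0.0/16
    "192.168.0.0/24",
    "192.168.1.0/24",   # adjacent to the block above; merges into 192.168.0.0/23
    "172.16.8.0/22",
]

# Constructed exclusion: a block the client has declared out of scope.
EXCLUDED_RANGES = ["10.10.250.0/24"]

# Constructed host inventory (ip,hostname,category). Categories follow the
# three buckets from the article: server, workstation, other.
INVENTORY = """\
10.10.1.10,dc01,server
10.10.1.11,fs01,server
10.10.20.5,ws-alice,workstation
10.10.20.6,ws-bob,workstation
10.10.250.3,prod-db,server
192.168.1.1,core-sw,other
172.16.9.14,printer-2f,other
203.0.113.7,vpn-gw,other
"""


def normalize_scope(ranges, excluded=()):
    """Collapse overlapping/adjacent CIDR blocks, then carve out excluded blocks.

    Two CIDR blocks are either disjoint or one contains the other, so an
    exclusion either removes a block entirely, splits it, or leaves it alone.
    Returns a sorted list of ipaddress network objects.
    """
    nets = ipaddress.collapse_addresses(
        ipaddress.ip_network(r, strict=False) for r in ranges
    )
    result = list(nets)
    for ex in excluded:
        ex_net = ipaddress.ip_network(ex, strict=False)
        carved = []
        for net in result:
            if net.subnet_of(ex_net):
                continue                                    # entirely excluded
            if ex_net.subnet_of(net):
                carved.extend(net.address_exclude(ex_net))  # split around it
            else:
                carved.append(net)                          # untouched
        result = list(ipaddress.collapse_addresses(carved))
    return result


def total_addresses(scope):
    """Number of addresses a full port sweep of the scope would have to cover."""
    return sum(net.num_addresses for net in scope)


def tally_inventory(inventory_text, scope):
    """Count live hosts per category and flag any that fall outside the scope."""
    counts = Counter()
    out_of_scope = []
    for line in inventory_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ip_str, hostname, category = (f.strip() for f in line.split(","))
        ip = ipaddress.ip_address(ip_str)
        if any(ip in net for net in scope):
            counts[category] += 1
        else:
            out_of_scope.append((ip_str, hostname))
    return counts, out_of_scope


def scope_summary(ranges, excluded, inventory_text):
    """Bundle the numbers an estimator would ask for into one dict."""
    scope = normalize_scope(ranges, excluded)
    counts, out_of_scope = tally_inventory(inventory_text, scope)
    return {
        "ranges": [str(n) for n in scope],
        "addresses": total_addresses(scope),
        "live_hosts": dict(counts),
        "out_of_scope": out_of_scope,
    }


if __name__ == "__main__":
    summary = scope_summary(SCOPE_RANGES, EXCLUDED_RANGES, INVENTORY)
    print(f"Scope after normalization: {len(summary['ranges'])} ranges, "
          f"{summary['addresses']} addresses")
    for r in summary["ranges"]:
        print("  ", r)
    print("Live hosts by category:", summary["live_hosts"])
    for ip, host in summary["out_of_scope"]:
        print(f"WARNING: {host} ({ip}) is in the inventory but not in scope")
```

Running it on the sample data reduces five supplied ranges to three, and the single /24 exclusion then splits the /16 into eight smaller blocks, leaving 66,816 addresses to sweep instead of 16.8 million for the enclosing /8. The two flagged hosts (one in the excluded block, one on a public address) are exactly the kind of discrepancy worth resolving with the client before the test starts rather than during it.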

2. Test Purpose

The goal or purpose of the test may affect the level of effort because it dictates the lengths to which the testing team needs to go. The purpose may be a compliance requirement such as PCI DSS or HIPAA, or even an internal mandate. Or the objective may be to assess how accurately and quickly your SOC or MSP detects and responds to an intrusion, which calls for a much stealthier approach. The purpose of the test also helps determine the test style (i.e., gray box, white box, or black box), which in turn may affect the level of effort.

Our standard (gray box) internal network penetration test exceeds regulatory requirements (e.g., PCI DSS, HIPAA) for third-party testing and makes efficient use of our experts' time. It is essential to communicate any special requirements you may have so that we can adjust the estimate if necessary.

One common addition to an internal penetration test is network segmentation testing. Segmentation testing is not itself a penetration test, but it leverages some of the same expertise and is a common requirement for PCI DSS compliance. Your QSA can determine whether you need a network segmentation test.

3. Multiple Locations

An organization that requires testing from multiple locations may require more effort to assess. Here are the two main considerations in this category:

Physical Locations

Some organizations, such as retail chains, are physically decentralized. We recommend against doing internal testing over slow site-to-site VPN tunnels, so working through the logistics of multi-site tests may add complexity and effort to the overall test. Using the example of a retail chain, one strategy to address a large number of similar locations is to test a representative sample.

Network Segmentation

A well-segmented network is a strong security control, but it can increase the time required to test properly from multiple attacker perspectives. The added complexity of testing across network segmentation is similar to the complexity of testing multiple physical locations. Please let us know if your network has a large number of segments with firewall rules preventing access between them.