Penetration testing is an important component of an organization’s cybersecurity strategy.  A penetration test (or pen test) is a human-led assessment of an organization’s security.  Pen testers will simulate real-world cyber threats to see how well an organization’s defenses detect and defend against the tools and techniques used by modern threat actors.

However, not all penetration tests are created equal.  Different types of pen tests are designed to achieve different purposes and simulate different types of threats.  One of the major classifications of pen tests is an external vs. internal assessment. In this article, we’ll review external vs. internal pen tests and outline the key differences between the two.

What Is an External Pen Test?

As its name suggests, an external penetration test starts from outside of the organization’s network.  The penetration tester is provided with no login credentials or initial access and needs to perform their own reconnaissance and find their own way inside of an organization’s cyber defenses.

An external pen test is designed to test an organization’s defenses against external threat actors and their ability to block these attempts at initial access.  If an attacker can’t gain access to an organization’s systems, then many types of attacks (data breaches, ransomware, etc.) are impossible.

An external pen test is focused on identifying the security holes by which an attacker can slip inside an organization’s network.  By highlighting these gaps, the penetration tester enables the organization to take steps to close these holes before they can be exploited by an attacker.  As a result, the organization’s digital attack surface is hardened, making it more difficult for an attacker to gain an initial foothold.

What Is an Internal Pen Test?

If an external pen test evaluates an organization’s defenses against external threats, then an internal one logically addresses the potential for internal threats.  In an internal pen test, the penetration tester is granted initial access to an organization’s environment in the form of login credentials to a legitimate account.  From there, the pen tester uses many of the same tools and techniques as an external pen tester but focuses on identifying internal vulnerabilities that could be used to move laterally through the organization’s network and achieve the objectives of the attack.

An external pen test may seem less valuable than an internal one because, in theory, all attacks will originate from outside the organization and should be caught and blocked by the defenses evaluated during an external pen test. 

 However, there are several scenarios where an internal pen test can be a critical security tool:

  • Insider Threats: While most threats originate from outside the organization and over the Internet, trusted insiders may also carry out attacks.  If an employee tries to plant ransomware or carry out a data breach, they don’t need to exploit a vulnerability to gain initial access to an organization’s systems.  As a result, the defenses that external pen tests focus on are blind to these attacks.
  • Failed Defenses: External pen tests focus on the defenses that secure an organization’s attack surface, but no defenses are perfect.  If an attacker overcomes or evades these defenses, then they have the same access as the pen tester in an internal assessment.  An internal pen test ensures that an organization has multiple lines of defense and opportunities to detect, block and attack.
  • Supply Chain Exploits: Supply chain exploits like the SolarWinds hack exploit trust relationships to grant an attacker internal access to an organization’s network and systems.  If an attacker can slip backdoor malware into an update to a trusted application, then they have internal access to an organization’s network.

Internal threats are a significant and common risk to an organization’s security.  Internal pen testing helps to identify and close the vulnerabilities and security gaps that an attacker may use to move from their initial access point to their final objective.

External vs. Internal Penetration Testing

External and internal penetration testing have many significant similarities.  In both cases, the pen testers will use many of the same tools and techniques to exploit vulnerabilities and gaps in an organization’s cyber defenses.  And, in both cases, the attackers attempt to move from their initial access point to achieve an objective (accessing sensitive data, deploying fake malware, etc.).

The primary difference between the two forms of penetration testing is the initial access point, which determines the main objective of the test.  External pen testing starts from outside the organization and attempts to harden the organization’s attack surface and prevent attackers from gaining initial access to an organization’s environment.  Internal penetration testing focuses on threats that already have access to an organization’s environment and attempts to identify vulnerabilities, visibility gaps, and security holes that attackers could exploit to move laterally through the network and gain the access and permissions necessary to achieve their goals.

Which Type of Penetration Test Should You Choose?

External and internal penetration testing are different but complementary approaches to penetration testing.  Ideally, an organization prevents an attacker from gaining any access to their environment (external penetration testing), but this is not always possible.  In this case, internal penetration testing attempts to make it as difficult as possible for an attacker to achieve their goals.

External and internal penetration testing should not be an “either-or” but a “both-and”.  An effective pen testing strategy incorporates both approaches.  To learn more about Halborn’s pen testing services and the approaches that are most suited to your organization’s security needs, reach out to us at halborn@protonmail.com.

Rob Behnke
03.24.2022