Internal vs external infrastructure penetration testing

March 3rd, 2023 Posted in Penetration Testing

What is the difference between internal infrastructure pen testing and external pen testing?

An internal infrastructure penetration test is conducted within an organisation’s internal systems to identify vulnerabilities from inside the network. External penetration tests are carried out remotely by a pen testing service provider in order to find weaknesses in external-facing assets, such as internet-based applications and servers.

In this blog, we take a deeper dive into the two types of pen tests. If you want a more detailed overview of penetration testing and all its different types, we suggest you read our Complete Guide to Penetration Testing, which is free to download.

A penetration test isn’t a one-stop shop. There are many types of pen testing, each of which focuses on uncovering vulnerabilities in different parts of your IT infrastructure, systems, and applications. First and foremost, when considering penetration testing, it’s important to look for a CREST-accredited pen test provider. Want to know how much a penetration test should cost? Learn from our experts.

What is an internal infrastructure penetration test?

As the name suggests, an internal penetration test focuses on testing the infrastructure and devices inside your network perimeter. These tests look for vulnerabilities that could be exploited by a would-be attacker who has already managed to get inside your IT infrastructure. Examples of these types of attackers could be disgruntled members of staff, or attackers who have gained a foothold within your infrastructure via an externally exposed vulnerability, malware, or stolen user credentials.

Internal penetration tests vary in scope (view our latest blog on scoping a penetration test); they can either focus on testing your internal network, hosts, applications – or all of the above, depending on your specific needs and concerns. The testers’ role is typically to see what they can access and how far they can move laterally across the environment. They may try to access file servers, databases, and systems and will seek to escalate their user privileges to the admin level to see which systems they could take control of.  

What is the process of an internal infrastructure pen test?

The test usually starts with reconnaissance, where the tester uses mapping tools to determine the workings and layout of your internal infrastructure, and how its computers and servers interact.

The tester will then move through the target infrastructure looking for exploitable vulnerabilities. Common tactics include brute-force attacks to compromise employee accounts, exploiting network protocols to gain illegitimate access to endpoints, and running malicious code that exploits known software vulnerabilities. Sometimes a tester may find a list of system passwords saved in plain text on one system, which provides access to other systems.

On completion of the test, the tester will write up their penetration testing report, setting out their findings, vulnerabilities found, recommended remediation steps, and their overall risk assessment for the target systems. A wash-up call is then scheduled to talk the client through the test and answer any questions.  

While these tests help to identify internal vulnerabilities, it’s important to note that they aren’t the same as a mock cyber-attack scenario. That kind of exercise is called a red team assessment: it mimics a real-life attacker by using a combination of tactics, techniques and tools to access target systems or data.

While the goal of an internal penetration test is usually to uncover as many exploitable vulnerabilities as possible, the goal of a red team assessment is to evade detection and harvest sensitive data. For more information on this topic, read our blog: red team assessments vs penetration tests 

What is an external infrastructure penetration test?

An external pen test focuses on testing your perimeter systems, which consist of internet-facing infrastructure and applications. These systems are your most vulnerable, as they are exposed and out in the open – making them easily visible to cyber attackers.  

The goal of an external penetration test is to discover vulnerabilities within your external-facing systems and services. External testing is vitally important because anything exposed to the internet will be constantly scanned for vulnerabilities by attackers of all kinds – including those with limited sophistication. 

The tester will look at your external systems from the outside in, just like a cyber attacker would. They will try to find as much open-source intelligence as possible, to help them understand the layout of your organisation and identify suitable tools, tactics, and techniques to use. 

From there, the tester will use a range of tools, including vulnerability scanners, to discover exploitable vulnerabilities within your external infrastructure. Once this is done, the tester will then seek to exploit these vulnerabilities, to see how far they can get into your systems and networks.  

At the end of the test, the tester will provide their report and attend a wash-up meeting, as with internal testing.  

Learn about our comprehensive infrastructure pen testing services here. 

Should the tester’s IP address be whitelisted on your system?

One common query with external testing is whether the tester’s IP address should be whitelisted on your intrusion prevention system for testing purposes. Ultimately, this comes down to the objectives of the test and the budget available.  

In the real world, an attacker will have unlimited time to evade the IPS. Once they do evade detection, they will seek to exploit the same vulnerabilities a tester would find in an external penetration test. 

If you want to test the performance of your IPS or defences more widely, such as during a red team assessment, it makes no sense to whitelist. If you want to understand what vulnerabilities could be exploited if an attacker does evade detection (whether by luck or by talent) then you’ll get more value from a time-limited engagement if the tester’s IP address is whitelisted.  
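If the tester’s address is whitelisted, the exception should be as narrow as the test and should not outlive it. The following is an added example, not code from the original article: a small audit over a constructed export of IPS whitelist entries (the field names, ticket labels and addresses are assumptions) that flags exceptions which are too broad, have no expiry, or fall outside the test window.

```python
"""Audit IPS whitelist exceptions created for penetration tests."""
import ipaddress
from datetime import datetime, timezone

# Constructed sample data: a hypothetical export of whitelist entries.
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_ENTRIES = [
    {"source": "203.0.113.10/32", "ticket": "PT-A",
     "start": "2023-03-06T09:00:00+00:00", "end": "2023-03-10T17:00:00+00:00"},
    {"source": "198.51.100.0/24", "ticket": "PT-B",
     "start": "2022-11-01T09:00:00+00:00", "end": "2022-11-04T17:00:00+00:00"},
    {"source": "192.0.2.7/32", "ticket": "PT-C",
     "start": "2023-03-06T09:00:00+00:00", "end": None},
]

MAX_ADDRESSES = 1  # assumption: the tester supplies individual source IPs


def audit_whitelist(entries, now):
    """Return (source, problem) pairs for exceptions that need review."""
    findings = []
    for entry in entries:
        source = entry["source"]
        network = ipaddress.ip_network(source, strict=False)
        if network.num_addresses > MAX_ADDRESSES:
            findings.append((source, "covers more than one address"))
        if entry["end"] is None:
            findings.append((source, "no expiry date"))
            continue
        if datetime.fromisoformat(entry["end"]) < now:
            findings.append((source, "test window has ended"))
        elif datetime.fromisoformat(entry["start"]) > now:
            findings.append((source, "test window has not started"))
    return findings


if __name__ == "__main__":
    # Constructed "current time" inside the first entry's test window.
    now = datetime(2023, 3, 8, 12, 0, tzinfo=timezone.utc)
    for source, problem in audit_whitelist(SAMPLE_ENTRIES, now):
        print(f"{source}: {problem}")
```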

What type of infrastructure pen testing is right for my business?

Regular infrastructure penetration testing is an important piece of the cyber security puzzle for all organisations. We recommend conducting a full-scale penetration test, including both internal and external penetration testing, at least annually. It can be difficult to know when to carry out a penetration test, so our experts have provided some valuable advice.   

In our view, if you make any significant changes to internal or external infrastructure, you should also conduct the relevant tests before the new systems go live. This ensures that any new assets do not leave you vulnerable to attack.

As well as penetration testing, we also advocate that companies deploy regular vulnerability scanning. This is because new vulnerabilities are being found by the day, so staying on top of patch management and remediation is critical. We also have some valuable advice if you want to learn more about how to choose a good penetration testing provider.  

Need help running an internal or external penetration test?

If your organisation needs help running external or internal infrastructure penetration testing, we’re here to help. We can assess your environment and run a full test. We can also advise you on any follow-up actions, remediations and vulnerability management from our findings. Contact us for a friendly chat, or if you know what you need to be tested, fill out the scoping form below to get a fast quote. 


Written by Alex Harper

Alex is a senior security consultant, specialising in security testing of IT infrastructure, web applications and mobile applications. He started his career as a software developer before moving into ethical hacking and security consulting. His qualifications include Cyber Scheme Team Leader (CSTL), Offensive Security Certified Professional (OSCP) and Qualified Security Team Member (QSTM).