What You Need to Know About Internal Network Penetration Tests

If you find yourself wondering what exactly an internal network penetration test is and whether or not your organization needs one, then you're in the right place. Many businesses invest heavily in external security but unknowingly remain vulnerable from the inside. That’s where internal pen tests come in handy. Yet despite their proven ability to help strengthen your overall security posture among numerous other notable benefits, it can be difficult to know where to start. 

Our team at Schellman is experienced in delivering our wide range of penetration testing suite of services, including internal network pen tests, making us well prepared to answer all of your questions. In this article, we'll explain what internal pen tests are, why they benefit your organization, how to prepare effectively, and what to expect from the results so that you'll have the knowledge needed to confidently move forward with your internal security testing plans. 

What is an Internal Network Penetration Test? 

During an external network pen test, your tester acts as an attacker on the internet attempting to breach your web-facing assets. In contrast, an internal network test begins with the assumption that this perimeter has already been breached. An internal network penetration test simulates what happens when someone has already gained access to your internal network environment. Your penetration testing team positions themselves inside your network infrastructure and attempts to identify and exploit vulnerabilities that a malicious actor could use if they somehow gained access to your internal systems.  

This exercise is a collaborative effort between your IT and security teams and the tester, meaning your teams should be aware that a pen test is being performed and not interfere with the tester. Of course, verifying any anomalous network traffic or alerts triggered are in fact associated with the test, but otherwise, there should be no other interference in order to get the full value of the assessment. An internal network pen test examines your organization's security controls, access permissions, network segmentation, and system configurations from an insider's perspective.  

The goal is to discover security weaknesses that might not be visible from outside your network but could lead to significant data breaches or system compromises if exploited. Your pen test team follows potential attack paths to see what they can manipulate, but they won't exploit vulnerabilities that could cause system outages or disruptions. These issues are verified as thoroughly as possible without risking a Denial of Service (DoS) condition. 

Benefits of an Internal Network Penetration Test 

An internal breach can be devastating to business operations, company morale, and brand reputation. Internal pen testing is a valuable tool to identify and address vulnerabilities that come with weak or compromised internal security practices. 

Effective internal network pen tests benefit your organization in the following ways: 

• Identifies insider threat vulnerabilities: Discover what a malicious employee or compromised account could access or damage. 
  
• Tests access control effectiveness: Verify that users only have access to the resources they need.
• Reveals lateral movement possibilities: See how far an attacker could spread through your network after gaining initial access.
• Validates security control implementation: Confirm that your security policies work as intended in practice. 
  
• Meets compliance requirements: Satisfy regulatory frameworks like PCI DSS, SOC 2, and others that require internal testing. 
  
• Provides actionable remediation guidance: Receive expert recommendations for addressing discovered vulnerabilities. 

With a clear understanding of the benefits internal penetration testing provides, it's time to consider the logistics of the process to ensure your organization is properly prepared to deploy and start the test. The first step is to determine how internal access will be granted to the testing team—an essential decision that sets the stage for a successful engagement. 

Two Options for Providing Internal Access 

So how do you prepare to let a pen test team past your perimeter defenses to identify vulnerabilities? First you choose your method of deployment, and then you select the testing scenario.  

Deployment: Virtual Machine (VM) or a Physical Device (Small Form-Factor PC) 

There are two common ways pen testers establish a foothold to perform the test: 

1. VM  

If you opt for a VM, there are secondary decisions and technical preparations to also consider: 

• Choose what technology will be used: VMware ESXi or Microsoft Hyper-V.
• Consider if a static IP address will be required or if an assignment via Dynamic Host Configuration Protocol (DHCP) is acceptable. 
  • If static addressing is required, you’ll need to be prepared to provide the following information to your pen testers:  
    • IP Addresses
    • Subnet Mask
    • DNS 
    • Gateway

• Ensure the VM will have a network adapter attached with Internet access. 
• Confirm OpenVPN is allowed outbound from the IP of the VM. 

2. Physical Device 

If choosing to deploy a physical device (small form-factor PC), you’ll need to make these technical preparations ahead of your test: 

• Provide the shipping address and point of contact to whom your device should be sent. 
• Decide whether static IP addressing is required or if DHCP assignment is acceptable.
  • If static is required, be prepared to provide the IP addresses, subnet mask, DNS, and gateway. 

• If port authentication or MAC address filtering is in place, you'll need to alert your pen testers before they ship you the device so they can provide the information needed. 
• Upon receiving the device, connect it to a network jack with Internet access and ensure that the device will not be powered off by staff. 
• Ensure OpenVPN is allowed outbound from the IP of the device. 

Select a Testing Scenario 

Once you’ve selected your deployment method and it’s almost time to start the internal pen test, the next step is to choose the testing scenario for how your assessment will be performed. 

The two most common scenarios your pen test team will present are: 

1. Third-party vendor scenario:  

• Act as a 3rd party vendor, such as a cleaning crew, that has access to your office and has plugged a device into your network after hours.
• You won't need to provide credentials for this kind of scenario.

2. Insider threat scenario: 

• Act as an insider threat, such as an employee with access.
• For Active Directory networks, you will need to provide Active Directory credentials just as you would to a newly onboarded employee. 

It's also possible and beneficial to perform testing from both perspectives, should you so choose, particularly if your pen testers don't identify any vulnerabilities after executing the first scenario. 

What to Expect in Your Report 

After your internal network penetration test is complete, you should receive a comprehensive report including the following: 

• An executive summary explaining key findings in business terms 
• A detailed list of all vulnerabilities discovered with risk ratings 
• Step-by-step explanations of how vulnerabilities were exploited 
• Screenshots and evidence of successful exploits 
• Specific remediation recommendations for each finding 
• Strategic recommendations for improving your overall security posture 

The Cost of an Internal Network Penetration Test 

Many organizations are curious about the investment required for proper internal testing. While costs vary based on network complexity and scope, most internal network penetration tests for mid-sized organizations range from $13,500-$39,500.  

Factors and variables that affect price include: 

• Size and complexity of your internal network 
• Number of hosts and servers to be tested 
• Testing duration (typically 1-2 weeks) 
• Chosen test scenarios (third-party only vs. both scenarios) 
• How quickly you need the report in hand 

Bundling an internal test with your external penetration test provides the most comprehensive security assessment and the best value. 

Next Steps for Your Internal Pen Test 

Thorough preparation and consideration of the factors mentioned throughout this article ahead of your internal network pen test will help pave a clear path forward for your chosen pen test team to conduct their work. In acting out this post-breach situation, they'll be able to tell you where you're vulnerable and how vulnerable you are should an attacker make it past your perimeter defenses. 

If you're interested in using Schellman's Pen Test Team for this type of assessment, simply fill our short penetration testing scoping questionnaire to start a more detailed discussion regarding how we can help your organization. 

In the meantime, discover other helpful penetration testing insights in these additional resources:  

• Schellman's Year in Penetration Testing: Key Statistics Revealed 
• Get the Pen Test Report You Deserve: A Leader’s Guide 
• Quality Penetration Tests: What Your Provider Won't Tell You