866.254.0000
Contact Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
SOC 1 / SSAE 18 Examination
SOC 2 Examination
SOC 3 Examination
SOC for Supply Chain
SOC for Cybersecurity
SOC Essentials for Early-Stage Companies
C5 Attestation
CSA STAR Programs
Payment Card Assessments
Payment Card Assessments
PCI DSS Validation
PCI SSF
PCI P2PE Validation
PCI PIN Assessments
PCI 3DS Compliance
ISO Certifications
ISO Certifications
ISO 27001
ISO 42001
ISO 27701
ISO 9001
ISO 22301
ISO-20000-1
Privacy Assessments
Privacy Assessments
APEC Certification
GDPR Assessment
International Privacy Assessments
US State Privacy Assessments
Microsoft SSPA/DPR Assessment
Privacy Program Assessment
FERPA Assessment
EU Cloud Code of Conduct
Federal Assessments
Federal Assessments
FedRAMP®
CMMC / NIST SP 800-171
FISMA/NIST
ITAR
CJIS
IRAP
FTC Consent Decrees
Healthcare Assessments
Healthcare Assessments
HITRUST Certification
HIPAA Compliance
HIPAA Express
EPCS-DEA Audits
Health Data Host (HDS) Certification
Penetration Testing
Penetration Testing
Application
Network
Mobile
Red Teaming
Social Engineering
Cloud
Physical
Hardware and IoT
Advanced Series
Cybersecurity Assessments
Cybersecurity Assessments
Cloud Configuration Assessments
Ransomware Assessments
NIST Cybersecurity Framework Assessments
Schellman Software Security Assessment (S3A)
TISAX®
SWIFT Customer Security Programme
Internal Audit Co-Sourcing
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
Learning Center
Our Technology
About Us
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships
ISO Certificate Directory
Contact Us

«  View All Posts

How to Prepare for Your Internal Network Pen Test Blog Feature
Josh Tomkiel

By: Josh Tomkiel

Print/Save as PDF

How to Prepare for Your Internal Network Pen Test

Cybersecurity Assessments | Penetration Testing

Published: Aug 4, 2022

Last Updated: Jan 5, 2024

Famous detectives throughout history have always been thrown into cases. That’s the nature of their job—the situation to create the case occurred, and it’s up to Sherlock Holmes to follow a trail of clues to determine the solution.

When you perform an internal network pen test, the nature of the work is similar, but there are a few things you can do to help these cyber “detectives” maximize your knowledge gained and action items moving forward.

Schellman’s Pen Test Team is experienced, and we often get asked to perform this specific type of evaluation. Having gone into these sorts of engagements many times before, we want to share some helpful insight specific to this kind of test.

In this article, we’ll define clearly what an internal network pen test is—including the two different scenarios to choose from—and what’s involved during testing. That will include a list of things to check off ahead of your test, as well as some additional tips.

Leveraging all this information will help you get off to a smooth start during your internal network pen test, giving your team more time to get you results.

What is an Internal Network Penetration Test?

During an external network pen test, your tester acts as an attacker on the Internet would in attempting to breach your web-facing assets—during an internal network test, they begin once they’re already past them.

Like a detective that begins within the circumstances of a case, an internal pen test positions your Pen Test Team positioned already inside your network. The goal here is to identify the vulnerabilities on the internal network and exploit them to determine what a malicious attacker could do if they gained access.

Your Pen Test Team may “follow the clues” to see what all they can manipulate, but please note that testing will not include exploiting any vulnerabilities that could likely result in a Denial of Service (DoS) condition. These issues are verified as much as possible but without active exploitation.

2 Choices to Make Ahead of Your Internal Network Pen Test

So then, how do you get ready to let a Pen Test Team past your perimeter defenses to see what areas you need to shore up? Here are two decisions you should make to prepare for your internal network pen test:

1. Deployment: Either a Virtual Machine (VM) or a Physical Device (Small Form-Factor PC)

 

The first thing you need to choose is which of these you want to use in your test.

If you opt for a VM, make these secondary decisions and technical preparations:

  • Choose what technology will be used—VMware ESXi or Microsoft Hyper-V.
  • Will a static IP address be required or is assignment via Dynamic Host Configuration Protocol (DHCP) acceptable?
    • If static addressing is required, be ready to provide the following to your pen testers:
      • IP Addresses
      • Subnet Mask
      • DNS
      • Gateway
    • Ensure the VM will have a network adapter attached with Internet access.
    • Confirm OpenVPN is allowed outbound from the IP of the VM.

If choosing to deploy a physical device (small form-factor PC), please confirm the following and make these technical preparations ahead of your test:

  • The shipping address and the point of contact to whom your device should be sent.
  • Whether static IP addressing is required or if DHCP assignment is acceptable.
    • If static is required, please be ready to provide the IP addresses, subnet mask, DNS, and gateway.
  • If port authentication or MAC address filtering is in place, please alert your pen testers before they ship you the device so that can provide the information needed.
  • Upon receiving the device, connect it to a network jack with Internet access. Additionally, ensure that the device will not be powered off by staff.
  • Ensure OpenVPN is allowed outbound from the IP of the device.

2. Select a Scenario

 

When it comes to internal pen tests, you have options on how your assessment is performed. The two most common scenarios your Pen Test Team will present are:

  1. Act as a 3rd party vendor (e.g., a cleaning crew) that has access to your office and has plugged a device into your network after hours.
  • You won’t need to provide credentials for this scenario.
  1. Act as an insider threat (e.g., an employee with access).
    • For Active Directory networks, you will need to provide Active Directory credentials as you would to a newly onboarded employee. 

It’s also possible and beneficial to perform testing from both of these perspectives, should you so choose, particularly if your pen testers don’t identify any vulnerabilities when executing the first scenario.

Additional Tips for Your Internal Pen Test

If you take all the above steps to get ready for your internal pen test, you should be in good shape when testing begins. To help you streamline your experience further, here’s a bit more insight:

 

  • Let the security operations center (SOC) or network operations center (NOC) know that an internal pen test is scheduled and provide them with the IP address assigned to the test device.
    • As this is not a Red Team assessment, your pen testers will not be as stealthy or stay undetected during testing. Their job is to highlight as many issues as possible and provide actionable feedback within the limited timeframe available, which will go smoother without interference from your security personnel (who may if unalerted, otherwise believe a real attack is happening).
  • Do not restrict the scope or exclude hosts from your penetration test.
    • If this pen test is to serve a compliance initiative, it’s better to have a wider scope than a narrower one. You don’t want to end up in a position to have to run another test—spending more money and time—to include these hosts in the future. It’s best to just include them now.
  • Identify sweet spots and tell your Pen Test Team about them.
    • If specific hosts within your network are known to be sensitive, let the pen testers know so they can act accordingly. 

Next Steps for Your Internal Pen Test

Making all these moves ahead of your internal network pen test will help pave a clear path forward for your chosen Pen Test Team to conduct their work. In acting out this post-breach situation, they’ll be able to tell you where you’re vulnerable, as well as how vulnerable you are should an attacker make it past your perimeter defenses.

If you’re interested in using Schellman’s Pen Test Team for this type of assessment—or “detective work”—check out these articles for more insight into our specific process and team:

Once you’ve read through those, please contact us to start a more detailed discussion regarding how we can help your organization.

About Josh Tomkiel

Josh Tomkiel is a Managing Director on Schellman’s Penetration Testing Team based in the Greater Philadelphia area with over a decade of experience within the Information Security field. He has a deep background in all facets of penetration testing and works closely with all of Schellman's service lines to ensure that any penetration testing requirements are met. Having been a penetration tester himself, he knows what it takes to have a successful assessment. Additionally, Josh understands the importance of a positive client experience and takes great care to ensure that expectations are not only met but exceeded.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.