Pentesting methodologies, frameworks, and technologies

This section discusses common penetration testing methodologies, frameworks, and technologies

• Become familiar with key penetration testing methodologies (e.g., OSSTMM, NIST SP 800-115, ISSAF, and PTES), frameworks (e.g., OWASP Testing Guide and MITRE ATT&CK/cyber kill chain), and technologies (e.g., Nmap, OpenVAS, Metasploit, and Burp Suite).

Common Penetration Testing & Security Assessment Methodologies

Security assessments follow structured methodologies to ensure thorough testing. Below are the most widely used frameworks, including OSSTMM, and how they compare.

1. OSSTMM (Open Source Security Testing Methodology Manual)

  • Focus: Scientific, rules-based security testing (not just pentesting).

  • Key Features:

    • Covers operational security (OpSec), physical, wireless, networks, and human security.

    • Uses RAV (Risk Assessment Values) for measurable risk scoring.

    • Emphasizes legal compliance and safety.

  • Best For: Comprehensive audits beyond just hacking (e.g., compliance, physical security).

2. OWASP Testing Guide

  • Focus: Web application security.

  • Key Features:

    • Detailed checklist for OWASP Top 10 vulnerabilities (SQLi, XSS, CSRF, etc.).

    • Covers APIs, serverless, and cloud apps.

  • Best For: Web app pentesters, DevSecOps teams.

3. PTES (Penetration Testing Execution Standard)

  • Focus: Standardized phases for pentesting.

  • 7 Phases:

    1. Pre-engagement (Scope, contracts).

    2. Intelligence Gathering (Recon).

    3. Threat Modeling (Identify attack vectors).

    4. Vulnerability Analysis (Scanning).

    5. Exploitation (Gaining access).

    6. Post-Exploitation (Persistence, pivoting).

    7. Reporting (Remediation guidance).

  • Best For: General pentesting (network, web, cloud).

4. NIST SP 800-115 (Technical Guide to Information Security Testing)

  • Focus: Aligns with NIST Cybersecurity Framework (CSF).

  • Key Features:

    • Covers vulnerability scanning, pentesting, and social engineering.

    • Used heavily in government and compliance (e.g., FISMA).

  • Best For: Organizations needing regulatory compliance.

5. ISSAF (Information Systems Security Assessment Framework)

  • Focus: Step-by-step pentesting (older but still referenced).

  • Key Features:

    • Detailed exploitation techniques (now outdated in parts).

    • Covers network, web apps, and databases.

  • Best For: Learning historical pentesting methods.

6. MITRE ATT&CK-Based Testing

  • Focus: Emulating real-world adversary TTPs (Tactics, Techniques, Procedures).

  • Key Features:

    • Maps attacks to threat groups (APT29, Lazarus, etc.).

    • Used for red teaming, purple teaming, and detection engineering.

  • Best For: Advanced adversary simulation.

Comparison Table

Methodology | Scope | Strengths | Weaknesses | Best Used For
----------- | ----- | --------- | ---------- | -------------
OSSTMM | Broad (physical, networks, human) | Scientific, measurable | Less focus on exploitation | Compliance, full-spectrum audits
OWASP | Web apps | Covers OWASP Top 10 | Limited to apps | Web security
PTES | General pentesting | Structured phases | Not industry-enforced | Network/web pentests
NIST 800-115 | Compliance-focused | Aligns with NIST CSF | Less technical depth | Government/regulated industries
ISSAF | Historical pentesting | Detailed exploitation steps | Outdated in parts | Learning basics
MITRE ATT&CK | Adversary emulation | Real-world TTPs | Not a full methodology | Red teaming, threat hunting

Which Should You Use?

  • For compliance? → OSSTMM, NIST SP 800-115

  • For web apps? → OWASP Testing Guide

  • For general pentesting? → PTES

  • For red teaming? → MITRE ATT&CK

Open source penetration testing methodologies

Markedly different testing methodologies are developed independently within the open source community. Key open source penetration testing methodologies include Open Source Security Testing Methodology Manual (OSSTMM) (Herzog, 2006), NIST 800-115 (2008) Technical Guide to Information Security Testing and Assessment, The Open Web Application Security Project (OWASP), The Penetration Testing Execution Standard (PTES), The Information System Security Assessment Framework (ISSAF), PCI-DSS v.1 2015 Penetration Testing Guide, and Communications Security Establishment/Royal Canadian Mounted Police, Harmonized Threat and Risk Assessment Methodology (CSE/RCMP, 2007) (see Bradbury, 2010; Faircloth, 2011; Goel & Mehtre, 2015; Shah & Mehtre, 2015; Valvis & Polemi, 2005).

Key open source penetration testing methodologies discussed here are Open Source Security Testing Methodology Manual (OSSTMM 3.0), NIST Special Publication 800-115: Technical Guide to Information Security Testing and Assessment (NIST 800-115), and Communications Security Establishment/Royal Canadian Mounted Police, Harmonized Threat and Risk Assessment Methodology (CSE/RCMP, 2007).

A comparative analysis of three open source methodologies—OSSTMM, NIST, and Canadian Threat Risk Assessment—offers insights into establishing a harmonized penetration testing methodology (see Table 20: Information Security Assessment Methodologies).

The original Open Source Security Testing Methodology Manual (OSSTMM), a peer-reviewed manual of security testing and analysis, “a methodology for a thorough security test, known as an OSSTMM audit”, by the Institute for Security and Open Methodologies (ISECOM), was published on December 18, 2000. The current version, OSSTMM 3.0, was published on August 2, 2008. In version 3, OSSTMM encompasses tests from all channels: Human, Physical, Wireless, Telecommunications, and Data Networks. Its set of security metrics, Risk Assessment Values (RAVs), provides a tool for graphically representing changes in security state over time. The primary focus in version 3 has been to move away from solution-based testing, which assumes that specific security solutions (such as a firewall) will be found in a scope and are required for security. Instead, the focus is on a metric for the attack surface (the exposure) of a target or scope, allowing for a factual metric with no bias (the risk-based approach).

The purpose of NIST SP 800-115: Technical Guide to Information Security Testing and Assessment (September 2008) is “to provide guidelines for organizations on planning and conducting technical information security testing and assessments, analyzing findings, and developing mitigation strategies” (NIST, 2008, p. ES-1).

NIST SP 800-115 Section 4 Target Identification and Analysis Techniques focuses on “identifying active devices and their associated ports and services, and analyzing them for potential vulnerabilities” (p. 4-1). It includes Network Discovery which “uses a number of methods to discover active and responding hosts on a network, identify weaknesses, and learn how the network operates.”

Passive (examination) and active (testing) techniques discover devices and active hosts on a network. Passive techniques can use a network sniffer to monitor network traffic and record the IP addresses of the active hosts, and they can report which ports are in use and which operating systems on the network have been discovered, without sending out a single probing packet (p. 4-1). Section 4 also covers Network Port and Service Identification. “Some scanners can help identify the application running on a particular port through a process called service identification” (p. 4-3). Banner grabbing involves “capturing banner information transmitted by the remote port when a connection is initiated. This information can include the application type, application version, and even OS type and version.” The result of network discovery and network port and service identification is “a list of all active devices operating in the address space that responded to the port scanning tool, along with responding ports” (NIST, 2008, p. 4-3). Port scanners can identify active hosts, operating systems, ports, services, and applications, but they cannot identify vulnerabilities. “To identify vulnerable services, the assessor compares identified version numbers of services with a list of known vulnerable versions, or performs automated vulnerability scanning” (p. 4-4).

Vulnerability scanners can be broadly divided into two categories: web application scanners such as Acunetix, WebInspect, and NetSparker; and network and infrastructure scanners such as Nessus, Qualys, and Metasploit. Vulnerability scanners can check compliance with host application usage and security policies, identify hosts and open ports, identify known vulnerabilities, and provide information on how to mitigate discovered vulnerabilities. Vulnerability scanners often use their own proprietary methods for defining risk levels. One scanner might use the levels low, medium, and high; another might use the levels informational, low, medium, high, and critical, making it difficult to compare findings among multiple scanners. Vulnerability scanners rely on a repository of signatures, which assessors must update frequently so that the scanner recognizes the latest vulnerabilities.

NIST SP 800-115 Section 5 Target Vulnerability Validation Techniques focuses on using information produced from target identification and analysis to further explore the existence of potential vulnerabilities. “The objective is to prove that a vulnerability exists, and to demonstrate the security exposures that occur when it is exploited” (p. 4-5).
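The version-comparison step from Section 4 and the severity-scale mismatch between scanners, worked through as an added example (this is not code from NIST SP 800-115 or from any scanner vendor): the banners, the reference list of known vulnerable versions, the advisory identifiers and the two severity scales are all constructed placeholders, and the functions parse_banner, normalize_severity and assess are hypothetical names chosen for this illustration.

```python
"""Parse recorded service banners, compare product/version pairs with a
reference list of known vulnerable versions, and normalise severity labels
from two differently-scaled scanners onto one ordinal scale.
Added example: every banner, version, advisory id and scale below is
constructed for illustration, not taken from a real scan."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample banners keyed by (host, port), as an assessor might
# record them after network port and service identification.  Not real hosts.
SAMPLE_BANNERS = {
    ("10.0.0.5", 22): "SSH-2.0-OpenSSH_7.4",
    ("10.0.0.5", 80): "Server: Apache/2.4.49 (Unix)",
    ("10.0.0.9", 21): "220 ProFTPD 1.3.5 Server ready.",
    ("10.0.0.9", 8080): "Server: nginx",          # version withheld by the server
}

# Constructed stand-in for the assessor's "list of known vulnerable versions".
# Values are (advisory id, severity label); the ids are placeholders.
KNOWN_VULNERABLE = {
    ("openssh", "7.4"): ("PLACEHOLDER-ADVISORY-1", "high"),
    ("apache", "2.4.49"): ("PLACEHOLDER-ADVISORY-2", "critical"),
    ("proftpd", "1.3.5"): ("PLACEHOLDER-ADVISORY-3", "medium"),
}

# Banner formats this example understands (a real tool carries many more).
BANNER_PATTERNS = [
    re.compile(r"^SSH-\d\.\d-(?P<product>OpenSSH)_(?P<version>[\d.]+)"),
    re.compile(r"Server:\s*(?P<product>[A-Za-z-]+)(?:/(?P<version>[\d.]+))?"),
    re.compile(r"^220\s+(?P<product>ProFTPD)\s+(?P<version>[\d.]+)"),
]


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    product: Optional[str]
    version: Optional[str]


@dataclass(frozen=True)
class Finding:
    service: Service
    advisory: str
    severity: int   # common 0-4 ordinal produced by normalize_severity


def parse_banner(host: str, port: int, banner: str) -> Service:
    """Service identification from a captured banner.  Unknown formats yield
    a Service whose product and version are None rather than a guess."""
    for pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return Service(host, port, m.group("product").lower(), m.group("version"))
    return Service(host, port, None, None)


# Constructed severity scales for two hypothetical scanners.  The common scale
# is the five-level one; the three-level scanner's "high" is placed at 3 so
# that it never outranks another scanner's "critical" (an assumed policy).
SCALES = {
    "three-level": {"low": 1, "medium": 2, "high": 3},
    "five-level": {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4},
}


def normalize_severity(scale_name: str, label: str) -> int:
    """Map a scanner-specific label onto the common 0-4 ordinal scale."""
    scale = SCALES[scale_name]
    key = label.strip().lower()
    if key not in scale:
        raise ValueError(f"unknown severity {label!r} for scale {scale_name}")
    return scale[key]


def assess(banners=SAMPLE_BANNERS, reference=KNOWN_VULNERABLE, scale="five-level"):
    """Version comparison: a service whose (product, version) pair appears in
    the reference list becomes a Finding.  Services that withhold a version
    are skipped, since the banner alone does not establish a vulnerability."""
    findings = []
    for (host, port), banner in banners.items():
        svc = parse_banner(host, port, banner)
        if svc.product is None or svc.version is None:
            continue
        hit = reference.get((svc.product, svc.version))
        if hit:
            advisory, label = hit
            findings.append(Finding(svc, advisory, normalize_severity(scale, label)))
    # Highest common severity first, so findings from any scanner sort together.
    return sorted(findings, key=lambda f: f.severity, reverse=True)


if __name__ == "__main__":
    for f in assess():
        print(f"{f.service.host}:{f.service.port} {f.service.product} {f.service.version}"
              f" -> {f.advisory} (severity {f.severity})")
```

The skip in assess is the point NIST makes about port scanners: a banner identifies a service, and only the comparison against the reference list (or a signature-based scanner) turns it into a finding. Normalising labels before sorting is what lets results from a three-level and a five-level scanner be ranked in one list.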

The Harmonized Threat and Risk Assessment Methodology (TRA-1) by the Communications Security Establishment (CSE) and the Royal Canadian Mounted Police (RCMP) (CSE/RCMP, 2007) presents a flexible approach which can be automated and serves as a general framework for a harmonized penetration testing methodology by applying a project management frame (see Table 20: Information Security Assessment Methodologies). The TRA approach provides “a clear rationale for cost-effective risk mitigation strategies and safeguards to meet business requirements; and a transparent audit trail and record of risk management decisions to demonstrate due diligence and accountability, thereby satisfying statutory obligations and policy requirements” (CSE/RCMP, 2007, p. EO-2).

MITRE ATT&CK® Framework

MITRE ATT&CK® (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary behaviors, based on real-world cyber threats. It serves as a foundation for threat intelligence, detection, red teaming, and defense strategies.

1. What is MITRE ATT&CK?

  • A structured framework mapping how attackers operate, from initial access to data exfiltration.

  • Used by security teams, threat hunters, red teams, and SOC analysts to:

    • Understand attacker Tactics, Techniques, and Procedures (TTPs).

    • Improve detection & response (e.g., SIEM rules, EDR alerts).

    • Conduct red team exercises (simulating real attacks).

    • Benchmark security controls ("How well can we detect Technique X?").

2. ATT&CK Matrices: Breaking Down the Structure

The framework organizes threats into matrices for different environments:

Matrix | Focus
------ | -----
Enterprise ATT&CK | Covers Windows, Linux, macOS, cloud (AWS, Azure, GCP), and networks.
Mobile ATT&CK | Android & iOS threats (e.g., spyware, malicious apps).
ICS ATT&CK | Industrial Control Systems (OT/SCADA environments).

Core Components:

  1. Tactics (The "Why" – Attacker Goals)

    • High-level objectives (e.g., Initial Access, Execution, Persistence, Privilege Escalation).

    • Example: Lateral Movement (TA0008).

  2. Techniques (The "How" – Methods Used)

    • Specific methods attackers use (e.g., Pass the Hash, Spearphishing, DLL Side-Loading).

    • Example: Phishing (T1566) → Spearphishing Link (T1566.002).

  3. Sub-Techniques (More Granular Details)

    • Variations of techniques (e.g., Spearphishing Attachment vs. Link).

  4. Procedures (Real-World Examples)

    • How threat groups (e.g., APT29, Lazarus) use these techniques.

3. How Organizations Use MITRE ATT&CK

Defensive Use Cases (Blue Team/SOC)

  ✔ Threat Detection – Map detection rules (SIEM, EDR) to ATT&CK techniques.

  ✔ Gap Analysis – "Can we detect Credential Dumping (T1003)?"

  ✔ Incident Response – Investigate breaches using ATT&CK as a playbook.

Offensive Use Cases (Red Team/Pentesters)

  ✔ Simulate Real Attacks – Test defenses against known TTPs.

  ✔ Purple Teaming – Collaborate with defenders to improve detection.

Threat Intelligence

  ✔ Track Threat Actors – Compare APT groups (e.g., Russian Cozy Bear uses T1195.002).

4. Example: Mapping an Attack with ATT&CK

Scenario: Ransomware Attack

  1. Initial Access (TA0001) → Phishing (T1566).

  2. Execution (TA0002) → PowerShell (T1059.001).

  3. Persistence (TA0003) → Registry Run Keys (T1547.001).

  4. Lateral Movement (TA0008) → Pass the Hash (T1550.002).

  5. Impact (TA0040) → Data Encrypted for Ransom (T1486).

5. ATT&CK vs. Other Frameworks

Framework | Purpose | Comparison
--------- | ------- | ----------
MITRE ATT&CK | Describes how attacks happen (TTPs). | More granular than Kill Chain.
Lockheed Martin Cyber Kill Chain | Focuses on stages of an attack. | Less detailed than ATT&CK.
NIST CSF | Risk management framework. | High-level, not TTP-focused.

6. Getting Started with ATT&CK

  • Tools:

    • ATT&CK Navigator (Visualize TTPs).

    • CALDERA (Automated adversary simulation).

    • Atomic Red Team (Test detections for ATT&CK techniques).
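The ransomware mapping from section 4, the gap-analysis question from section 3 ("Can we detect Credential Dumping (T1003)?") and a Navigator layer export for the tool listed above, combined in one added example that is not MITRE's code: the detection-rule inventory is constructed, the functions coverage, gaps and navigator_layer are hypothetical names, and the layer JSON fields (name, domain, versions, techniques with techniqueID/score/comment) reflect my understanding of the Navigator layer format and should be checked against its published specification before importing.

```python
"""Map a detection-rule inventory onto an ATT&CK technique chain, list the
techniques with no detection (gaps), and emit an ATT&CK Navigator layer.
Added example; the rules below are constructed, not a real SIEM export."""
import json

# The ransomware scenario from the text: (tactic ID, technique ID, name).
RANSOMWARE_SCENARIO = [
    ("TA0001", "T1566", "Phishing"),
    ("TA0002", "T1059.001", "PowerShell"),
    ("TA0003", "T1547.001", "Registry Run Keys"),
    ("TA0008", "T1550.002", "Pass the Hash"),
    ("TA0040", "T1486", "Data Encrypted for Ransom"),
]

# Constructed detection inventory: rule name -> ATT&CK technique IDs it covers.
DETECTION_RULES = {
    "Suspicious PowerShell encoded command": ["T1059.001"],
    "Run key modification by non-installer process": ["T1547.001"],
    "LSASS memory access": ["T1003.001"],
    "Mass file rename with ransom-note extension": ["T1486"],
}


def parent(technique_id: str) -> str:
    """'T1003.001' -> 'T1003'; a plain technique ID is its own parent."""
    return technique_id.split(".")[0]


def coverage(rules: dict, techniques: list) -> dict:
    """Return {technique_id: [rule names]} for each requested technique.
    A rule on a sub-technique also counts towards its parent technique, so
    asking about T1003 finds a rule tagged T1003.001."""
    return {
        tid: [name for name, ids in rules.items()
              if any(t == tid or parent(t) == tid for t in ids)]
        for tid in techniques
    }


def gaps(rules: dict, scenario: list) -> list:
    """Scenario steps with no detection rule at all."""
    cov = coverage(rules, [tid for _, tid, _ in scenario])
    return [(tactic, tid, name) for tactic, tid, name in scenario if not cov[tid]]


def navigator_layer(rules: dict, scenario: list, name: str = "Ransomware scenario coverage") -> dict:
    """Build a Navigator layer scoring each scenario technique 1 if detected,
    0 if not.  Field names are an assumption about the layer format."""
    cov = coverage(rules, [tid for _, tid, _ in scenario])
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"layer": "4.5"},          # assumed layer-format version
        "techniques": [
            {
                "techniqueID": tid,
                "score": 1 if cov[tid] else 0,
                "comment": ", ".join(cov[tid]) or f"GAP: no detection for {tname}",
            }
            for _, tid, tname in scenario
        ],
    }


def layer_to_json(layer: dict) -> str:
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    for tactic, tid, name in gaps(DETECTION_RULES, RANSOMWARE_SCENARIO):
        print(f"GAP {tactic} {tid} {name}")
    print(layer_to_json(navigator_layer(DETECTION_RULES, RANSOMWARE_SCENARIO)))
```

Run as written, the gap report shows that the constructed inventory detects execution, persistence and impact but has nothing for the phishing entry point or for Pass the Hash, which is exactly the shape of question the gap-analysis use case asks; the same coverage function answers "Can we detect Credential Dumping (T1003)?" by matching the T1003.001 rule to its parent technique.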

Final Takeaway

MITRE ATT&CK is the "encyclopedia of hacking"—helping defenders understand attackers and build better defenses. Whether you're in red teaming, threat hunting, or SOC operations, ATT&CK is a must-know framework.
