7.1.2. Internal, External, and Third-Party Audits
💡 First Principle: A penetration test answers a different question than a vulnerability scan: "If a motivated attacker tried to compromise this specific target, could they succeed and how?" The result is a confirmed, exploited attack path — not a list of potential vulnerabilities. Confirmed impact drives executive action more reliably than long vulnerability lists.
Engagement types by knowledge level:
| Type | Knowledge Provided | Simulates | Best For |
|---|---|---|---|
| Black box | Target name only | External attacker with no prior knowledge | Testing unknown attacker scenario |
| White box | Full access — architecture, source, credentials | Insider or attacker with full knowledge | Comprehensive coverage; code review integration |
| Gray box | Partial — user account, network diagram | Attacker with limited access or reconnaissance | Most realistic for most scenarios |
Five-phase penetration testing methodology:
| Phase | Key Activities | Output |
|---|---|---|
| 1. Planning and scoping | Define authorized targets, exclusions, rules of engagement, emergency contacts | Signed Statement of Work + RoE |
| 2. Reconnaissance | OSINT, DNS enumeration, port scanning, service fingerprinting | Attack surface map |
| 3. Scanning and enumeration | Active vulnerability enumeration, service version detection | Potential vulnerability list |
| 4. Exploitation | Exploit vulnerabilities; gain access; escalate privileges; move laterally | Confirmed exploits; evidence of access |
| 5. Reporting | Attack narrative, confirmed impact, risk ratings, remediation priorities | Executive summary + technical findings |
Red / Blue / Purple teams:
| Team | Role | Objective |
|---|---|---|
| Red | Offensive attackers | Find realistic attack paths; simulate adversary TTPs |
| Blue | Defenders | Detect and stop the red team; improve detection |
| Purple | Collaborative (red + blue together) | Maximize learning; red explains; blue improves detections in real time |
Rules of Engagement must specify: authorized IP ranges and systems, explicitly excluded systems (safety-critical, medical devices), testing hours, emergency contacts if outage occurs, data handling for captured credentials, out-of-scope techniques (social engineering? physical access?), and signed legal authorization.
Red / Blue / Purple teams — deeper context:
A standard penetration test tells you whether vulnerabilities exist and can be exploited. It does not tell you whether your defensive team would have detected and stopped an attacker. That is a different question — and it requires a different engagement.
| Engagement | Blue Team Aware? | Primary Question Answered | Best For |
|---|---|---|---|
| Pentest | Usually yes | Can an attacker exploit this vulnerability? | Vulnerability confirmation; compliance |
| Red team exercise | No | Would our SOC detect and respond to a real attack? | Validating detection and response capability |
| Purple team | Yes (collaborative) | How can we improve detection coverage together? | SOC skill development; detection engineering |
Red team operations are distinguished by their focus on stealth and realism. A red team operates over weeks or months using actual adversary tactics, techniques, and procedures (TTPs) mapped to MITRE ATT&CK. They avoid detection tools, establish persistence, and move laterally — the same way an APT would. After the engagement, the red team's activity timeline is compared against SOC detection records to answer: How long did we operate before detection? Were we ever detected? Which controls stopped us and which didn't?
Threat hunting is the SOC's proactive complement to the red team's offensive activity. Where reactive monitoring waits for alerts, threat hunting assumes compromise has already occurred and actively searches for attacker activity that evaded automated detection.
The threat hunting cycle:
Threat hunting hypothesis sources: MITRE ATT&CK techniques observed in current threat intelligence, anomalies from SIEM that did not trigger alerts, IOCs from threat intel feeds, and patterns from previous incidents. Hunters search endpoint telemetry, network flow data, and authentication logs for evidence of the hypothesized technique.
⚠️ Exam Trap: Threat hunting is proactive and hypothesis-driven — it is not the same as SIEM alerting or incident response. A threat hunt that finds nothing is still valuable: it either increases confidence that the hypothesized technique is not present, or reveals gaps in data collection that prevent detection.
⚠️ Exam Trap: Penetration testing without written authorization is criminal activity under the CFAA and equivalent laws worldwide — even testing your own systems without documentation. The signed authorization letter is legal protection for the testing team, not a bureaucratic step. Physical penetration testers should carry this "get out of jail" letter during the engagement.
Reflection Question: A CISO wants to understand the organization's security posture before presenting to the board. The CTO suggests using the internal security team as the testers. Explain why internal team testing is problematic, what the Rules of Engagement for a credible external penetration test must specify, and how the results should be presented to the board in risk language.
