
Today, I will be going over Control 20 from version 7 of the CIS top 20 Critical Security Controls – Penetration Tests and Red Team Exercises. I will go through the eight requirements and offer my thoughts on what I’ve found.

Key Takeaways from Control 20

  • Rely on the previous controls. So much of what’s happening in Control 20 leverages some of the earlier Controls. Understanding your attack surfaces from Controls 1 and 2 can help scope sections 1-3. Control 3 is going to define your vulnerability management toolset, which can be leveraged across most of the sections in this control. The findings from your red team exercises are going to help mature your coverage in every previous control.
  • Where’s the remediation? Section 7 states that results should be compared over time; however, there is no guidance on giving these results to the Blue Team to close the gaps discovered from the penetration tests.

Requirement Listing for Control 20

1. Establish a Penetration Testing Program

Description: Establish a program for penetration tests that includes a full scope of blended attacks such as wireless, client-based, and web application attacks.

Notes: This requirement has taken over as the starting point for those looking to begin penetration tests against their assets. If you’re just beginning, don’t try to tackle the full blend of attacks at once. Start with something you may have expertise in and/or a critical finding from a vulnerability scan. Over time, you can work up to having the full blend of attacks in your arsenal.

2. Conduct Regular External and Internal Penetration Tests

Description: Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.

Notes: This section remains relatively intact from the previous version of the controls, albeit with simpler language. As with section 1, you can start with an internal scan and then work towards eventually having the external scan results.

3. Perform Periodic Red Team Exercises

Description: Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively.

Notes: The difference between sections 2 and 3 is that the defenders (Blue Team) will not be aware of an attack happening. This is designed to test the defenses rather than purely determine if there are holes in the network.

4. Include Tests for Presence of Unprotected System Information and Artifacts

Description: Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, email or documents containing passwords, or other information critical to system operation.

Notes: If you’re not already leveraging Control 13.1, then it will be difficult to be successful in this section. Knowing where your sensitive data is before the attackers do is critical.

5. Create a Test Bed for Elements Not Typically Tested in Production

Description: Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems.

Notes: This section provides a safe proving ground for testing systems that cannot afford to have any downtime. Even for systems that can afford downtime, it’s good to have a testing environment to develop proof of concept attacks which can then be leveraged on the production environment, if applicable.

6. Use Vulnerability Scanning and Penetration Testing Tools in Concert

Description: Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.

Notes: Results from the vulnerability scan can and should be used to feed the penetration testing tools. Unless you are doing a black box attack, having the knowledge of what the attack surface is will help the red team be successful. However, be mindful that this could create a bias towards testing only results from the vulnerability scan. Make sure that the red teams are actively testing items that the vulnerability scanner is not reporting, as well.

7. Ensure Results from Penetration Test are Documented Using Open, Machine-readable Standards

Description: Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.

Notes: Using SCAP will be valuable if there are multiple tools from multiple vendors being leveraged by the various security teams. However, the more important requirement here is that you compare your results internally over time regardless of what format is being used.
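
To make the comparison over time concrete, here is an added example (not part of the CIS text or of any vendor tool) that scores two engagements and separates fixed, new and recurring findings. The severity weights, asset names and findings are constructed assumptions.

```python
# Severity weights are an assumption for this example, not a CIS or SCAP scale.
WEIGHTS = {"critical": 10, "high": 6, "medium": 3, "low": 1}

# Constructed findings from two engagements, identified by asset and finding.
Q1 = [
    {"asset": "web01", "finding": "default-admin-credentials", "severity": "critical"},
    {"asset": "web01", "finding": "verbose-error-pages", "severity": "low"},
    {"asset": "fileserver", "finding": "old-pentest-report-on-share", "severity": "high"},
]
Q3 = [
    {"asset": "web01", "finding": "verbose-error-pages", "severity": "low"},
    {"asset": "fileserver", "finding": "old-pentest-report-on-share", "severity": "high"},
    {"asset": "wifi-guest", "finding": "client-isolation-disabled", "severity": "medium"},
]


def index(findings):
    """Map (asset, finding) -> severity so engagements can be compared as sets."""
    return {(f["asset"], f["finding"]): f["severity"] for f in findings}


def score(findings):
    """Weighted total for one engagement; lower is better."""
    return sum(WEIGHTS[f["severity"]] for f in findings)


def compare(previous, current):
    """Summarise how the current engagement differs from the previous one."""
    prev, curr = index(previous), index(current)
    recurring = sorted(prev.keys() & curr.keys())
    return {
        "previous_score": score(previous),
        "current_score": score(current),
        "fixed": sorted(prev.keys() - curr.keys()),
        "new": sorted(curr.keys() - prev.keys()),
        "recurring": recurring,
        # Weight of findings that survived between tests: the remediation gap.
        "recurring_score": sum(WEIGHTS[curr[key]] for key in recurring),
    }


if __name__ == "__main__":
    for name, value in compare(Q1, Q3).items():
        print(name, value)
```

The recurring list is the part to hand to the Blue Team: it shows what was reported last time and is still open.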

8. Control and Monitor Accounts Associated with Penetration Testing

Description: Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes and are removed or restored to normal function after testing is over.

Notes: This is part of the clean-up that happens after each engagement by the red team. However, as discussed in the key takeaways above, there is still much to be done after the tests are run.
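
One way to check this requirement after an engagement, as an added example that is not taken from the CIS text: flag test accounts used outside the approved window or from an unapproved source, and any that are still enabled afterwards. The account names, addresses, log events and directory snapshot are all constructed.

```python
from datetime import datetime

# Constructed engagement record: accounts issued to the testers, the approved
# window, and the hosts the testers were allowed to operate from (all assumed).
ENGAGEMENT = {
    "accounts": {"pt-web01", "pt-svc-scan"},
    "start": datetime(2024, 3, 4, 8, 0),
    "end": datetime(2024, 3, 8, 18, 0),
    "approved_sources": {"10.20.0.15", "10.20.0.16"},
}

# Constructed authentication events: (timestamp, account, source address).
AUTH_EVENTS = [
    ("2024-03-05T09:12:00", "pt-web01", "10.20.0.15"),
    ("2024-03-06T23:40:00", "pt-svc-scan", "10.20.0.16"),
    ("2024-03-07T14:02:00", "pt-web01", "192.168.7.44"),   # unapproved source
    ("2024-03-11T02:17:00", "pt-svc-scan", "10.20.0.16"),  # after the window
    ("2024-03-11T08:30:00", "jsmith", "10.1.4.9"),         # not a test account
]

# Constructed directory snapshot taken after the engagement: account -> enabled.
DIRECTORY_STATE = {"pt-web01": False, "pt-svc-scan": True, "jsmith": True}


def audit_test_accounts(engagement, events, directory_state):
    """Return findings as (account, reason, detail) tuples."""
    findings = []
    for ts, account, source in events:
        if account not in engagement["accounts"]:
            continue  # only accounts issued for the engagement are in scope
        when = datetime.fromisoformat(ts)
        if not engagement["start"] <= when <= engagement["end"]:
            findings.append((account, "used_outside_window", ts))
        if source not in engagement["approved_sources"]:
            findings.append((account, "unapproved_source", source))
    # Clean-up check: every issued account should be disabled or removed.
    for account in sorted(engagement["accounts"]):
        if directory_state.get(account, False):
            findings.append((account, "still_enabled", "post-engagement"))
    return findings


if __name__ == "__main__":
    for finding in audit_test_accounts(ENGAGEMENT, AUTH_EVENTS, DIRECTORY_STATE):
        print(finding)
```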



Read more about the 20 Critical Security Controls here:

Control 20 – Penetration Tests and Red Team Exercises

Control 19 – Incident Response and Management

Control 18 – Application Software Security

Control 17 – Implement a Security Awareness and Training Program

Control 16 – Account Monitoring and Control

Control 15 – Wireless Access Control

Control 14 – Controlled Access Based on the Need to Know

Control 13 – Data Protection

Control 12 – Boundary Defense

Control 11 – Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches

Control 10 – Data Recovery Capabilities

Control 9 – Limitation and Control of Network Ports, Protocols, and Services

Control 8 – Malware Defenses

Control 7 – Email and Web Browser Protections

Control 6 – Maintenance, Monitoring, and Analysis of Audit Logs

Control 5 – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
