Simply using point-in-time penetration testing to identify vulnerabilities gives hackers the upper hand says Tom Eston. Here he explains the advantages of moving pen testing towards 'offensive security'.
Enterprise attack surfaces are growing continuously, fuelled by insecure applications, cloud adoption, IoT, and flexible working; and security teams face an uphill battle to outpace adversaries to external exposures. Recent research from SANS on the behaviour of malicious actors shows that the majority of attackers can identify and exploit a perimeter in under 10 hours. More than ever, securing company assets is a race against time and when those companies only use point-in-time pen testing to identify vulnerabilities, hackers have the upper hand.
The problem with point-in-time pen testing
Levelling the playing field in the race against hackers can only begin by addressing the fatal flaw that holds security teams back: you don’t know that you’re in second place if you don’t realise that the race has already started. Point-in-time pen testing is this flaw in action.
Irregularly testing your perimeter, i.e., treating pen testing like a box ticking exercise at various points throughout the year, is not the solution for continuously uncovering exposures. An organization’s view of their risk posture is only as good as when the last test was conducted, and given the speed that the threat landscape evolves, these results will quickly become outdated.
While it is possible to use automation to pick up some of the slack here, this can result in an overwhelming number of exposures being identified, many of which are false positives or lack real world exploitability. This then creates more work for an in-house security team with limited capacity, needing to sift through piles of low-risk vulnerabilities, while at the same time a hacker is making a beeline towards the gaps in the perimeter.
Taking the lead with continuous red teams
To beat hackers, organizations need to move beyond a simple, reactive, ‘defensive’ mindset to a continuous ‘offensive’ one. This means not relying on vulnerability reports and patch cycles and become more proactive to fill the gaps left by point-in-time pen testing with continuous red teaming, to understand and keep pace with an attacker mindset.
Levelling up from traditional pen testing to continuous offensive security testing emphasises prevention over cure. Point-in-time pen testing is an important step, but it tends to focus on individual elements and the current state. Continuous red teaming proactively interrogates the entire attack surface and tests for individual as well as systemic weaknesses. Red teams will do this continuously and relentlessly to gain insights that look for potential to compromise and ability to reach critical assets, rather than simply looking for vulnerable points of entry. This puts defenders one step ahead of hackers by giving them the power to not only fix security flaws, but minimise the impact of any potential compromise, well before they can be exploited.
Red teaming also leverages technology for the right mix of automation and human testing. There is no substitute for the intuition of the human mind and many compromises don’t begin, or progress without, exploiting non-technical elements. Red teams are made up of highly skilled security consultants, all with experience of probing weaknesses in networks for proactive security assessment. These are the people that can mimic the behaviour of hackers and know how to navigate the vast amount of data to find the most impactful vulnerabilities. By taking advantage of this expertise, companies can rest easy knowing that their cyber security operation is getting the best of both worlds.
Are you ready? Ask these six questions
For those unsure whether it’s time to level up from point-in-time pen testing, it’s crucial to consider the following six questions.
How are you managing assets across the attack surface?
In other words, are you confident that you have full oversight across your IT infrastructure and asset inventory? It’s possible that a hacker can identify attack surfaces that IT teams didn’t know could be a risk, surfaces that a red team can bring into the light.
How are you identifying exposures?
If this identification is solely through point-in-time pen tests, you might be concerned that it is happening irregularly, at short notice, or at intervals too far apart. One worry is that teams should be identifying more high-risk exposures with each test and some might be slipping through the net.
How are you triaging discovered exposures to prioritise critical issues?
You must be able to recognise the high-risk exposures as early as possible to give yourself the most amount of time to address it. Red teams have the experience and knowledge of how hackers could use these exploits to inform decisions on what the priority issues are.
How are you validating identified exposures and determining their post-exploit impact?
Red teams know how hackers behave and will pull the thread of an exposure until it unravels. They have the skills to eliminate the noise and raise the alarm when a flaw has real-world exploitability, ordering these issues based on urgency.
How are you verifying remediation?
Are the methods you’re using to remove the vulnerability sufficiently reducing your threat-level? A red team could find out. Once the vulnerability is fixed, it will still be continuously tested by experts, that will adapt as hackers do, to make sure that your security update has addressed the issue.
How do you inform the improvement of the overall security posture?
Pen testing too often scratches the surface and doesn’t provide security teams with a clear list of actions to follow, but bringing in a red team gives you a guided tour of your attack surface. Teams therefore know the immediate steps to take for stronger security and understand the ways their network can be manipulated so that action can be taken in good time.
In the absence of knowing what happens in the shadows, it’s vital that organizations recognise that attack is the best form of defence. In this race, there can only be one winner. Offensive security measures, spearheaded by red teams, will elevate cyber security beyond pen testing and ensure that companies are leaving hackers in the dust.
The author
Tom Eston is VP of Consulting & Cosmos Delivery, Bishop Fox.
