An Alternative and More Effective Approach to Commoditized Penetration Testing
Posted by Luke McLemore
In today’s environment of talent shortages, technology sprawl, sophisticated adversaries, advanced malware, and network complexity, making informed decisions about information security is increasingly challenging. There is an ever-growing array of threats and scenarios that need to be considered, and an equivalent number of products and methodologies promising to help. Sifting through all the noise to identify which investments will actually provide leverage in reducing risk can be difficult, if not impossible. With the increasing commoditization of services in technology, these challenges will only become more difficult.
Penetration testing is a well-known and well-understood exercise for keeping your security team and procedures ahead of the curve, but because testing itself has been commoditized, it is often not used in the most effective way to secure corporate assets, and is frequently not conducted with the best methods. This blog serves as an introduction to the goals of corporate security, an overview of traditional security assessments, and a more effective strategy for leveraging penetration testing by pairing it with the methods used in Red and Purple Team exercises.
The Corporate Security Journey
The rationale for picking the services and service providers that best fit your organization’s needs starts with the total corporate security journey. The journey is not about going down a checklist for compliance; it is about motivating continual improvement and maturity of security controls by identifying risks and gaps that the checklist does not cover. Security services seekers are clearly looking to fortify and improve their existing security technologies and infrastructure, but the improvement needs to align with the goals of the larger corporate security initiative:
- Balancing risk resilience, usability, and price
- Maximizing return on security investments
- Addressing talent gaps and skills shortage
- Modernizing workflows while enhancing protection
- Expanding visibility and control over what matters
- Improving threat detection and response capabilities
In turn, the goals of any security initiative should be to provide leverage at each phase in the IT security lifecycle:
Using these basic goals as the foundation of any security team, we’ll now assess how those goals align with the different methods of security assessment and penetration testing.
The Traditional Security Assessment
Due to the commoditization of penetration testing, traditional security assessments have been reduced to annual check-the-box exercises with little to no actual value to organizations. The assessment acts as a basic check-up rather than a comprehensive diagnosis. These types of assessments are not an effective way to measure risk, identify the security gaps that matter, or improve the overall security posture of your organization. We know this to be true because we often find the same issues across organizations year over year. These assessments usually consist of the traditional commoditized pentest and a white-box security audit, broken down below.
Commoditized Penetration Testing
A penetration test evaluates the effectiveness of security controls by identifying, and often exploiting, vulnerabilities to demonstrate and prioritize risk. Penetration testing is useful for illuminating unknown security weaknesses that could result in a compromise, but it is often confined to certain attack vectors and limited by testing, scope, and time restrictions. The quality of a firm’s pentesting talent can change the outcome dramatically, but it can also result in the goal posts being moved to ensure a win.
PCI penetration testing simply applies the industry approach based on NIST SP 800-115 to ensure compliance, with a focus on cardholder data. While this is a good foundation, it does not account for more advanced attack vectors and does not follow a model of continuous improvement. Checking boxes cannot find the problems the boxes do not account for, and this method does not solve for that. In addition, many organizations looking to satisfy requirements like this select penetration testing vendors based on cost rather than technical expertise, which often leads to a false sense of security.
White-box Security Audit
A white-box security audit is a more holistic review that includes direct access to key devices and servers, stakeholder interviews, network diagrams, and documented policies. Types of security auditing activities include:
- Sensitive Data Flow Analysis
- External Vulnerability Assessments
- Internal Vulnerability Assessments
- Network Architecture Reviews
- Cloud Architecture Reviews
- Firewall and VPN Security Reviews
- Active Directory Reviews
- Wireless Security Reviews
- PCI Penetration Testing
While these tests are necessary and will identify basic risks and gaps, they are only one part of the equation and are too often mismanaged. You can go to your doctor for an annual check-up, but you need a continuous regimen of diet and exercise to stay healthy.
A More Effective Approach
As an alternative and more effective approach to the commoditized pen-and-patch model, a comprehensive security program that maps an array of activities across the IT security lifecycle is the best way to achieve successful outcomes. This kind of approach gives organizations the best chance of driving meaningful security improvement over time by fixing existing problems and keeping them fixed. There are multiple facets to this approach, each answering a different set of questions: advanced Red Team operations, highly collaborative Purple Team exercises, and the implementation of additional process and technology to ensure continuous improvement.
Melody Hildebrandt, Global CISO at 21st Century Fox, shares her experience working with Praetorian to “level up” the multinational mass media corporation’s cybersecurity defenses and test its investments from a technology perspective against actual simulated attacker behavior.
Red Team attack simulation exercises
A red team exercise evaluates the effectiveness of security controls by simulating a real-world attack that mimics the state of the art in adversarial techniques. Unfortunately, most security firms are incapable of truly executing this kind of advanced attack. Instead, unqualified firms fall back on activity that is easily detected and thwarted because they rely on unskilled and unseasoned consulting labor. The exercise, often lasting a period of months, will truly test your organization’s ability to detect and stop a real-world intrusion in a timely manner. Given the sophisticated nature of a red team operation, this service offering only makes sense for advanced blue teams with broad situational awareness of the environment and seasoned operators at the helm.
Purple Team detection and response exercises
An advanced purple team engagement combines red and blue team activities to maximize effectiveness. Often taking place after the completion of a red team exercise, Praetorian operators recreate the original attack paths that led to mission success. Working collaboratively alongside your organization’s staff, they perform a step-by-step walkthrough of the tactics, techniques, and procedures used during the red team. Together, the Purple Team and your organization’s employees map your organization’s situational awareness and identify the blind spots in current detective and reactive capabilities that led to missed detection opportunities.
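The concrete output of the walkthrough described above is a map of which red-team actions the blue team saw, how long it took, and which went unnoticed. The following is an added example, not code from the original post or from Praetorian, of that coverage check: it pairs a red-team timeline with the alerts the SOC actually raised. The timestamps, alert names and the mapping of each step to a MITRE ATT&CK technique ID are constructed sample data and assumptions made for illustration.

```python
"""Purple-team detection coverage check (added example, constructed data).

Given the red team's timeline of executed techniques and the alerts the SOC
raised, report per technique whether it was detected, the detection latency,
and the list of blind spots. Mapping steps to ATT&CK technique IDs is an
assumption of this example, not something the post prescribes.
"""
from datetime import datetime, timedelta

# Constructed red-team timeline: (when, ATT&CK technique ID, what was done).
RED_TEAM_ACTIONS = [
    ("2019-03-04T09:12:00", "T1566.001", "phishing attachment opened by target"),
    ("2019-03-04T09:40:00", "T1059.001", "PowerShell download cradle executed"),
    ("2019-03-04T11:05:00", "T1003.001", "LSASS memory dumped for credentials"),
    ("2019-03-04T13:30:00", "T1021.002", "SMB lateral movement to file server"),
]

# Constructed SOC alert log: (when, technique ID the detection maps to, alert name).
SOC_ALERTS = [
    ("2019-03-04T09:41:30", "T1059.001", "Suspicious PowerShell command line"),
    ("2019-03-04T15:10:00", "T1021.002", "Unusual admin share access"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detection_coverage(actions, alerts, window=timedelta(hours=4)):
    """Map each red-team action to the first alert for the same technique raised
    within `window` after the action. Returns {technique_id: latency_seconds},
    with None for actions that produced no alert in the window."""
    coverage = {}
    for when, tid, _desc in actions:
        t0 = _ts(when)
        hits = [
            _ts(a_when)
            for a_when, a_tid, _name in alerts
            if a_tid == tid and t0 <= _ts(a_when) <= t0 + window
        ]
        coverage[tid] = int((min(hits) - t0).total_seconds()) if hits else None
    return coverage


def missed_techniques(coverage):
    """Technique IDs with no detection: the blind spots to hand to the blue team."""
    return sorted(tid for tid, latency in coverage.items() if latency is None)


if __name__ == "__main__":
    cov = detection_coverage(RED_TEAM_ACTIONS, SOC_ALERTS)
    for tid, latency in cov.items():
        status = "MISSED" if latency is None else f"detected after {latency}s"
        print(f"{tid}: {status}")
    print("blind spots:", missed_techniques(cov))
```

The window is deliberately a parameter: a technique detected four hours later may still count as a "miss" against the dwell-time goals the exercise set, so the same data should be re-run with the latency budget the organization actually committed to.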
NIST Cybersecurity Framework profiling
The NIST Framework provides a common taxonomy and mechanism for organizations to describe current and target state cybersecurity postures, identify and prioritize opportunities for improvement, and communicate cybersecurity risk. Areas of focus for the benchmark map directly to the SANS Top 20 Critical Security Controls.
“Zero Trust” Implementation and design
Google BeyondCorp is an enterprise security model that was established after six years of building zero trust networks at Google, combined with best-of-breed ideas and practices from the community. By shifting access controls from the network perimeter to individual devices and users, BeyondCorp addresses the disappearance of the security perimeter in a mobile-first, cloud-first world and allows employees to work more securely from any location without the need for a traditional VPN.
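To make the shift described above concrete, here is an added example (not Google's BeyondCorp code and not Praetorian's) of a per-request access decision in that style: the source address is carried along but never consulted, and the decision rests on who the user is, what state their device is in, and how sensitive the resource is. The device inventory, user groups, resource tiers and the policy rules attached to each tier are constructed sample data and assumptions for illustration.

```python
"""Toy BeyondCorp-style access decision (added example, constructed data).

Access is decided per request from user identity, device state and resource
sensitivity. Network location is deliberately ignored: a request from the
corporate LAN is judged exactly like one from a coffee shop.
"""
from dataclasses import dataclass

# Constructed device inventory: device ID -> management state and posture.
DEVICE_INVENTORY = {
    "laptop-0042":  {"managed": True,  "disk_encrypted": True,  "days_since_patch": 30},
    "laptop-0077":  {"managed": True,  "disk_encrypted": False, "days_since_patch": 30},
    "byod-phone-9": {"managed": False, "disk_encrypted": True,  "days_since_patch": 45},
}

# Constructed user directory: user -> group memberships.
USER_GROUPS = {
    "alice": {"engineering", "prod-oncall"},
    "bob": {"finance"},
}

# Assumed policy: what each resource sensitivity tier demands of the request.
TIERS = {
    "low":    {"managed": False, "encrypted": False, "max_patch_age": 90, "mfa": False},
    "medium": {"managed": True,  "encrypted": True,  "max_patch_age": 60, "mfa": False},
    "high":   {"managed": True,  "encrypted": True,  "max_patch_age": 30, "mfa": True},
}

# Constructed resource catalog: resource -> (tier, required group or None).
RESOURCES = {
    "wiki": ("low", None),
    "payroll": ("medium", "finance"),
    "prod-console": ("high", "prod-oncall"),
}


@dataclass
class Request:
    user: str
    device_id: str
    resource: str
    mfa_verified: bool
    source_ip: str  # recorded for audit only; never an input to the decision


def decide(req: Request):
    """Return (allowed, reason). Checks run resource -> device -> user -> MFA so
    the reason names the first control the request failed."""
    if req.resource not in RESOURCES:
        return False, "unknown resource"
    tier_name, required_group = RESOURCES[req.resource]
    tier = TIERS[tier_name]

    device = DEVICE_INVENTORY.get(req.device_id)
    if device is None:
        return False, "device not in inventory"
    if tier["managed"] and not device["managed"]:
        return False, "resource requires a managed device"
    if tier["encrypted"] and not device["disk_encrypted"]:
        return False, "device disk is not encrypted"
    if device["days_since_patch"] > tier["max_patch_age"]:
        return False, "device patch level too old for this tier"

    groups = USER_GROUPS.get(req.user, set())
    if required_group and required_group not in groups:
        return False, f"user lacks group {required_group}"
    if tier["mfa"] and not req.mfa_verified:
        return False, "resource requires a recent MFA assertion"
    return True, f"{tier_name} tier checks passed"


if __name__ == "__main__":
    for r in (
        Request("alice", "laptop-0042", "prod-console", True, "203.0.113.7"),
        Request("alice", "byod-phone-9", "prod-console", True, "10.0.0.5"),
        Request("bob", "laptop-0077", "payroll", False, "10.0.0.9"),
        Request("bob", "byod-phone-9", "wiki", False, "198.51.100.2"),
    ):
        print(r.user, r.device_id, r.resource, "->", decide(r))
```

Note that the second request comes from an internal address and is still denied, while the first comes from the public Internet and is allowed: in this model the VPN's implicit "inside means trusted" grant has no equivalent, which is exactly what lets the traditional VPN go away.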
Even with increasing commoditization across the information security services market, there are still approaches and strategies that follow the goals outlined in the corporate security journey. By understanding the aims of penetration testing, along with its upsides and downsides, you can develop better approaches to the traditional security assessment and achieve more than checking a compliance box. Red and Purple Team exercises are answers to the security assessment commoditization problem, and ways for your team to achieve successful business outcomes across the security organization.