Let’s start off by getting on the same page about what a penetration test is.
The goal is generally to provide or your management team with an evaluation and snapshot of the organization’s security posture at a specified time. The actual testing involves mimicking what real attackers do, usually by leveraging a chain of vulnerabilities (i.e. attack path) in an attempt to reach critical assets. Using the results of this test, customers can break the attack path chains and (hopefully) make would-be hackers’ lives a little harder.
A lot has changed since penetration testing was first introduced as a way of evaluating the security of an IT infrastructure. Strategic attacks traversing countless networks from all corners of the globe were probably not on the minds of first generation pen testers, but they’re very much a part of our reality today. So if pen testers haven’t updated their approach in the past decade, the time is now!
Today’s pen testing can, and should, revolve around the concept of “thinking like an attacker.” Here’s what that looks like:
- Identify the crown jewels. Which of your critical assets are hackers most likely to go after, and where to those live within your network?
- Define your attacker profile. Decide where the attacker will sit (internal network? external?), what knowledge/access about the target company the attacker has (does the attacker know the systems, or have accounts on some apps?), what level of knowledge the attacker has (script kiddie that uses automatic tools, or a government organization with access to 0-days?) and how much time the attacker would realistically spend trying to penetrate the systems.
- Test continuously. Organizations are not breached at particular points in time, so their testing and validation can’t be limited to particular points in time, either. This is really a best practice for all areas of security. Consider the reasons why elite special forces units train constantly for any potential mission on any given terrain at any given moment. Threat landscapes changes quickly and in order to be prepared to respond to any threat, constant vigilance and improvement is required. The same is true on the cyber-battlefield. If your organization is not consistently addressing potential weak points in its security, it will be slower to react in times of crisis.
- Validate. The point of the exercise really not just to identify vulnerabilities and report them so they can be addressed – it’s also a validation that the various parts of the IT and IS organizations have done what they said they would do. Are the right controls in place? Are they still in place two weeks later?
- Bring in the white hats! After all, it takes one to know one. Over the past five years we have seen a real evolution in the types of security personnel that have been brought into corporate security organizations. Hackers and pen testers now work for corporate information security teams. This means that those teams finally have not only budget, but the ability to conduct real simulations or what we like to refer to as “Red Team” operations.
Perhaps the biggest change in the penetration testing space has been that more and more companies are realizing it’s a critical part of their security programs, which is bad news for hackers and good news for the rest of us. Now we just have to convince these organizations to approach pen testing exercises with an attacker’s mindset – it’s really the only way to objectively and accurately evaluate your defenses.