
UNMASKING VULNERABILITIES

ED SKOUDIS, PRESIDENT OF SANS TECHNOLOGY INSTITUTE, EXPLORES THE POWER OF PENETRATION TESTING IN COMBATING AI-POWERED THREAT ACTORS.

Penetration testing is undoubtedly among the most effective methodologies that help determine an organisation’s risk posture. While it’s true that other standard processes like gap assessments, auditing, architecture reviews, and vulnerability management all offer significant value, there’s still no substitute for impactful penetration testing. When done correctly, it signifies where the rubber meets the road – serving as a situational barometer for aligning security defenses with ever-evolving cyber threats and budgetary realities.


At its core, penetration testing falls under the umbrella of ethical hacking, where simulated threat actors attempt to identify and exploit key vulnerabilities within an organisation’s security environment. Gaining this visibility casts a spotlight on the link between cyber and business risk amid rapid increases in AI-powered attacks targeting enterprise networks.

The rise of ChatGPT, for example, has been well-documented as a cybercrime gamechanger, democratising highly advanced tactics, techniques, and procedures (TTPs) so average adversarial threat actors can increase lethality at low costs. Empowering run-of-the-mill hackers to continuously punch above their weight class will only continue to amplify the volume and velocity of attacks, heightening the importance of effective penetration testing programs that help mitigate the severe business impact of breaches. On average, victims lost a record-high $9.4 million per breach in 2022.

Compounding the issue is a pattern of poor security posture across both the public and private sectors. The SANS 2022 Ethical Hacking Survey found that more than three-quarters of respondents indicated “only a few or some” organisations have effective Network Detection and Response (NDR) capabilities in place to stop an attack in real-time. Furthermore, nearly 50% said that most organisations are either moderately or highly incapable of detecting and preventing cloud- and application-specific breaches. It’s clear that much more must be done to swing the balance of power away from adversaries.

Enter penetration testing, which can provide unrivalled contextual awareness for refining cyber defenses, threat remediation, and recovery processes within an overarching risk management architecture. For organisations implementing penetration testing programs at scale, keep the following fundamental tenets top of mind to maximise impact.

The Goal-Oriented Mindset

Just over a decade ago, Josh Abraham made a compelling case for wider adoption of a goal-oriented approach to penetration testing. He prefaced it with a simple question: what drives the penetration tester? How do they know what they want, or what level of access will demonstrate the highest risks to the organisation?

The answer was a clear set of predefined goals that didn’t revolve around the tactical processes and technical workflows most associated with penetration testing at the time. Contrary to popular opinion across cybersecurity circles, identifying surface-level vulnerabilities wasn’t the ethical hacker’s golden goose.

Penetration testing and vulnerability assessments are not two sides of the same coin. While the latter is static and lacking in context, the former is designed to uncover fundamental business risks by manually testing an organisation’s defensive posture to steal data or achieve a level of unauthorised access. The end-game isn’t about identifying the actual vulnerabilities themselves, but rather the doors that those vulnerabilities open – and the business consequences of allowing an adversary to walk through them undetected.

Fast forward to today, and Abraham’s goal-oriented approach has become a foundational pillar of penetration testing. For ethical hacking to deliver maximum value, predefined goals need to be in place, structured around the areas where business disruption would hurt the organisation most, so that the test mirrors a worst-case attack. Ethical hackers target those areas to measure the organisation’s cyber resilience, revealing how pockets of low-risk vulnerabilities can combine into an overarching high-risk scenario that puts the business in jeopardy.

For a major TV provider, it could be a ransomware attack that blacks out a nationally televised sports broadcast to cause billions in lost advertising revenue.

For a water treatment plant, it could be a nation-state attack that contaminates an entire city’s water supply to spawn a public health crisis.

For a federal agency, it could be an insider threat attack that leaks national security intelligence to foreign adversaries for monetary gain.

Regardless of what encompasses that doomsday scenario, penetration testing must start with a firm understanding of where the attacker’s ultimate goalpost lies and how that might harm your business. That is the only real way to discover the right vulnerabilities with the right context for mitigating business risk.

Connecting the Vulnerability Dots

As the lines between cyber and business risk have blurred over the years, penetration testing has emerged as a critical component to proactive risk prioritisation. It enables organisations to generate detailed visibility into risk posture with probability scales and financial forecasts linked to various areas of their security environment. Armed with these high-level insights, CISOs have the foresight to make educated decisions by weighing the business risk of a potential attack against the likelihood that it will actually happen, and then allocating security resources accordingly to boost ROI and strengthen protection.
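The chaining of low-risk findings into a high-risk scenario described in the previous section, and the probability-and-impact prioritisation described above, as an added example that is not part of the article: a small Python model in which each finding is an edge between two access states an attacker can hold, each business goal is a target state with an estimated loss, and every chain of findings from the internet to a goal is ranked by expected loss. The finding identifiers, access-state names, success probabilities and dollar figures are constructed assumptions, not data from the article or from any real engagement.

```python
"""Goal-oriented chaining of penetration-test findings (added example).

Each finding is an edge between two access states; a business goal is the
access state that realises a doomsday scenario plus its estimated financial
impact. The script enumerates every chain of findings from the internet to
each goal, estimates how likely an adversary is to complete the chain, and
ranks chains by expected loss. All identifiers, probabilities and dollar
figures are constructed.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Finding:
    ident: str        # report identifier (constructed)
    severity: str     # per-finding rating, as a vulnerability scanner would give it
    src: str          # access state held before exploiting the finding
    dst: str          # access state gained afterwards
    p_success: float  # estimated probability that an adversary pulls the step off


@dataclass(frozen=True)
class Goal:
    name: str          # business-impact scenario agreed before the engagement
    target: str        # access state that realises the scenario
    impact_usd: float  # estimated loss if the scenario occurs


@dataclass(frozen=True)
class Chain:
    goal: Goal
    steps: tuple       # Finding objects in the order they are exploited

    @property
    def probability(self) -> float:
        """Chance the whole chain succeeds, assuming independent steps."""
        p = 1.0
        for step in self.steps:
            p *= step.p_success
        return p

    @property
    def expected_loss(self) -> float:
        return self.probability * self.goal.impact_usd

    @property
    def worst_severity(self) -> str:
        """Highest per-finding rating in the chain, as a scanner would report it."""
        return max((s.severity for s in self.steps), key=SEVERITY_RANK.__getitem__)


def attack_chains(findings, goal, start="internet"):
    """Depth-first enumeration of every simple path of findings from start to the goal state."""
    chains = []

    def walk(state, path, visited):
        if state == goal.target:
            chains.append(Chain(goal, tuple(path)))
            return
        for f in findings:
            if f.src == state and f.dst not in visited:
                walk(f.dst, path + [f], visited | {f.dst})

    walk(start, [], {start})
    return chains


def prioritise(findings, goals, start="internet"):
    """All chains to all goals, most costly first: the order remediation budget should follow."""
    chains = [c for g in goals for c in attack_chains(findings, g, start)]
    return sorted(chains, key=lambda c: c.expected_loss, reverse=True)


def summarise(chain):
    route = " -> ".join(f.ident for f in chain.steps)
    return (f"{chain.goal.name}: {route} | worst single finding: {chain.worst_severity}"
            f" | P={chain.probability:.2f} | expected loss ${chain.expected_loss:,.0f}")


# Constructed sample engagement for a TV provider (the article's first scenario).
FINDINGS = [
    Finding("F-01", "low", "internet", "web-dmz", 0.6),
    Finding("F-02", "low", "web-dmz", "corp-workstation", 0.5),
    Finding("F-03", "low", "corp-workstation", "broadcast-control", 0.4),
    Finding("F-04", "medium", "web-dmz", "broadcast-control", 0.1),
    Finding("F-05", "high", "internet", "marketing-db", 0.3),
]
GOALS = [
    Goal("Broadcast blackout", "broadcast-control", 2_000_000_000),
    Goal("Marketing database leak", "marketing-db", 500_000),
]

if __name__ == "__main__":
    for chain in prioritise(FINDINGS, GOALS):
        print(summarise(chain))
```

Run stand-alone, the script ranks the chain of three low-severity findings (F-01, F-02, F-03) first, because it ends at the broadcast-control system, while the single high-severity finding F-05 lands last because the system it exposes carries little business impact. A report sorted by per-finding severity would have put F-05 at the top, which is exactly the mistake the goal-oriented approach is meant to avoid; the per-step probabilities are the tester's judgement calls and should be stated as such to the CISO.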

The distinct illumination and reassurance afforded by penetration testing also help demystify the complexity of the cyber threat landscape, translating cyber risk into actionable business terms that better resonate with the C-Suite and Board. Actual illustrative stories from recent penetration testing engagements make it much easier for cyber resilience leaders to articulate risk in a way that fosters collective buy-in across corporate leadership to ensure security remains a top organisational priority.

It’s important to remember that regardless of a penetration testing program’s effectiveness, grey areas and precarious judgement calls relative to risk prioritisation will always exist. Penetration testing helps ensure CISOs can come to the most informed decision possible. Otherwise, they are taking a blind shot in the dark at what their real business risks are.

Iron Sharpens Iron

Just as cybersecurity is a team sport, so too is penetration testing. Fundamentally, a penetration testing program applies targeted offense – the same TTPs leveraged by sophisticated threat actors – to guide how organisations should construct their defenses. Penetration testing can also be a precursor to red team exercises. For more mature organisations that already conduct regular penetration testing, red team exercises involve a “red” offensive team, along with threat hunters and SOC analysts as the “blue” defensive team. And just like we all learned in elementary (and cybersecurity) school, fusing both together creates the color purple. The concept of purple teaming is often mischaracterised. It isn’t a singular team of offensive experts and hunters all operating together in unison. Rather, it’s a verb in this context that describes how red and blue sides can collaborate to expand knowledge, sharpen strategy, and boost operational efficiency. And while it’s less obvious at the surface level, blue can help red just as red helps blue.

Collaborative intelligence sharing, for example, provides further perspective to ethical hackers on how a particular TTP was identified. That way, the red team can adjust their approach for the next attempt to ensure it’s more lethal, which in turn makes the blue team stronger. Consider it like iron sharpening iron – ultimately everybody benefits.

The rate of AI adoption on both sides of cybersecurity’s dividing line won’t be slowing down anytime soon. AI-powered attackers are here to stay, and what we thought we knew about AI-based attacks two weeks ago could very well be irrelevant today. This reality heightens the importance of implementing scalable penetration testing as a core component of the modern CISO’s arsenal. Between purple teaming, risk prioritisation, and well-defined goals, impactful penetration testing and red teaming are the ultimate sources of empowerment for combating adversarial threat actors.
