Page 108 - Cyber Defense eMagazine for September 2020
the full range of impact a breach could have on the system or organization.
● Red team exercises are similar in nature but go beyond the scope of a penetration test. During
these exercises, a red team of security professionals (acting much like ethical hackers) will
attempt to penetrate a computer system and exploit any vulnerabilities they find. The red team
often faces off against a second team of security professionals (dubbed the "blue team") who
are tasked with countering the red team and protecting the security environment. Red team
exercises often last longer and are greater in scope than penetration tests, with red team
members employing social engineering and other techniques to mimic advanced adversaries.
Following manual testing, reports are compiled and detailed remediation or mitigation guidance may be
offered.
Automated testing, on the other hand, is typically done with a wide range of tools and applications. Let's
take a minute to review two of the most common: vulnerability scanners and breach and attack
simulation platforms.
● Vulnerability scanners are widely used tools that help identify and classify security gaps within
a network, application, equipment, etc. These automated tools can be run quickly and efficiently
to spot vulnerabilities that match those listed within their databases.
● Breach and attack simulation (BAS) platforms also identify vulnerabilities but take things a step
further by also exploiting the vulnerabilities they find (with no impact to production) to fully
understand the risk these vulnerabilities pose. A BAS platform acts much like an automated red
team, launching continuous simulated attacks and providing prioritized remediation guidance
once security issues are identified.
Is One Approach Superior to the Other?
Manual and automated testing are not in opposition, and often work well together. Each approach
described above does have its own characteristics that may or may not make it the right fit for each
environment, however.
Penetration tests and red team exercises go well beyond the scope and mandate of a conventional
vulnerability scanner. These manual tests, which may be staged over weeks and include top-level
cybersecurity talent, are typically much more rigorous and more likely to uncover vulnerabilities that are
not widely known or catalogued. In addition to detecting a much narrower range of vulnerabilities and
offering a much more limited window into the current security posture, a vulnerability scanner will often
return many false positives -- contributing to a phenomenon called alert fatigue, which is one of the
more common reasons why breaches succeed.
There is, however, one significant edge a scanner possesses: It's automated and costs little in the way
of resources, relatively speaking. As vigorous and in-depth as a good pen test or red team exercise
may be, it is also time-consuming and expensive. Most organizations can only afford to stage them
quarterly or yearly. This creates a problem, as any changes that occur during the periods between
manual tests can create new vulnerabilities. Because manual tests are a snapshot of a point in time,
they are inherently unable to provide ongoing visibility into the strength of one's security posture.
Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.

