By John Meyer, Arcfield VP, Cyber Products and Services
With talent and resources stretched thin, organizations may not have the personnel or bandwidth to uncover where vulnerabilities lie in their networks, and if they do, the information is dynamic and could soon be dated. Bad actors are working overtime to stay ahead of the curve, innovating new ways to avoid safeguards, breach networks, and exfiltrate critical data. A distributed workforce increases an organization’s security concerns, expanding the attack surface by which adversaries can gain access.
As attackers quickly evolve their methods to look for new vulnerabilities, organizations would benefit from “breaking into” their own networks, through a penetration testing regimen that mimics their adversaries’ changing strategies.
Start with manual penetration testing
Penetration testing, or pen testing, involves teams ethically hacking into a target’s network and systems to find security vulnerabilities to determine what data might be open to exfiltration.
One way pen testing can give valuable insight into whether an agency is deploying the right security posture is by providing certified pen teams with information about the system being tested, known as white box testing.
Alternatively, organizations may pursue black box testing, where they give the pen team no system details and see which security vulnerabilities it can discover on its own. A third approach, nestled between white and black box testing, is gray box testing, where the pen team is provided a limited set of information about a network and its systems, with the goal of determining what network or system vulnerabilities exist.
Whether white, black, or gray box, the tactics used must include a focus on file-based attacks, which continue to grow in popularity. File-based pen testing scenarios should include email attachments, website uploads and browser-based downloads, which remain the most prominent attack vectors today.
Traditionally, pen teams will then assess the intelligence they have gathered on the system and develop strategies for how to infiltrate the network and systems. Once any vulnerabilities are identified, pen teams will look at what type of data they can access on the system, depending on the intelligence they have gained.
This process is generally time-consuming and takes a targeted approach to discovering vulnerabilities. While it has the advantage of delivering a detailed diagnosis of your network’s weaknesses and how they may be exploited, it likely will not capture how attackers have innovated to find new vulnerabilities, or where they will strike in increasingly complex distributed IT environments. Luckily, there is a solution: continuous penetration testing.
What is continuous penetration testing?
Continuous pen testing combines traditional pen testing methods with automated security tools to monitor changes to your IT environment.
Because traditional pen testing is often targeted on finding vulnerabilities at a certain point in time, it doesn’t fully reflect an environment where attackers have evolved and innovated their tactics.
With continuous pen testing, an organization’s pen team can run a traditional pen test to establish a baseline and then deploy automated monitoring tools to keep track of changes to the environment.
If changes occur, such as new software being added or a new application vulnerability being disclosed, a new pen test can be conducted to assess whether any new risks to the organization’s network or systems exist. If new vulnerabilities are discovered, IT managers can take informed action and deploy solutions to mitigate them.
Most importantly, continuous pen testing allows organizations to keep pace with their adversaries’ changing attack strategies, helps provide more timely risk assessments and makes their cyber posture more flexible.
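The baseline-then-monitor loop described above, as an added example that is not code from the article or from Arcfield: a software inventory captured at the time of the baseline pen test is compared against a later snapshot, and any new software or any newly disclosed advisory matching the inventory marks the affected host for a targeted re-test. The hosts, package names, versions and the advisory identifier are all constructed sample data.

```python
"""Decide which hosts need a new pen test after a baseline (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    name: str
    version: str


# Constructed inventory recorded when the baseline pen test was run.
BASELINE = {
    "web-01": {Package("nginx", "1.24.0"), Package("openssl", "3.0.10")},
    "app-01": {Package("openjdk", "17.0.8"), Package("tomcat", "9.0.80")},
}
# Constructed later snapshot: web-01 gained PHP, app-01 is unchanged.
CURRENT = {
    "web-01": {Package("nginx", "1.24.0"), Package("openssl", "3.0.10"), Package("php", "8.2.10")},
    "app-01": {Package("openjdk", "17.0.8"), Package("tomcat", "9.0.80")},
}
# Constructed advisory feed; ADV-EXAMPLE-1 is a placeholder, not a real identifier.
ADVISORIES = [{"id": "ADV-EXAMPLE-1", "product": "tomcat", "affected": {"9.0.80", "9.0.81"}}]


def environment_changes(baseline, current):
    """Per-host packages added or removed since the baseline snapshot."""
    changes = {}
    for host in set(baseline) | set(current):
        added = current.get(host, set()) - baseline.get(host, set())
        removed = baseline.get(host, set()) - current.get(host, set())
        if added or removed:
            changes[host] = {"added": added, "removed": removed}
    return changes


def matching_advisories(current, advisories):
    """(host, package, advisory id) for every installed version an advisory lists."""
    return [(host, pkg, adv["id"]) for host, pkgs in current.items() for pkg in pkgs
            for adv in advisories if adv["product"] == pkg.name and pkg.version in adv["affected"]]


def retest_scope(baseline, current, advisories):
    """Hosts that need a new targeted pen test, with the reason for each."""
    reasons = {}
    for host, change in environment_changes(baseline, current).items():
        for pkg in sorted(change["added"], key=lambda p: p.name):
            reasons.setdefault(host, []).append(f"new software: {pkg.name} {pkg.version}")
        for pkg in sorted(change["removed"], key=lambda p: p.name):
            reasons.setdefault(host, []).append(f"removed software: {pkg.name} {pkg.version}")
    for host, pkg, adv_id in matching_advisories(current, advisories):
        reasons.setdefault(host, []).append(f"advisory {adv_id} affects {pkg.name} {pkg.version}")
    return reasons


if __name__ == "__main__":
    for host, why in retest_scope(BASELINE, CURRENT, ADVISORIES).items():
        print(host, "->", "; ".join(why))
```

In practice the inventory would come from the organization’s asset or configuration management data and the advisory list from its vulnerability feed; the decision logic stays the same.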
Outwitting your adversary – integrating continuous pen testing with cyber threat automation
While traditional pen testing combined with continuous pen testing can improve an organization’s cyber profile and give its cyber defenses more forward-looking flexibility, on their own they still aren’t enough. Organizations must focus on deep integration across all their defensive cyber capabilities, analyzing and integrating across cyber processes, tool analytics and available relevant cyber threat data.
For example, integrating an organization’s cyber defenses at the process and data level can provide actionable insights unique to that organization’s specific attack surfaces. To start, an organization could focus on integrating data and processes across its content disarm and reconstruction (CDR), data loss prevention (DLP), real-time network detection (RND) and traditional antivirus capabilities. If done right, the result is a set of cyber capabilities that work in concert and share or report real-time vulnerability intelligence, enabling the organization’s cyber leader to defend its attack surfaces in a much more dynamic fashion.
As attackers constantly search for new vulnerabilities and strategies to access their target’s data, organizations must strive to integrate their already complex cyber capabilities or risk not being able to outmaneuver today’s modern cyber threats. Organizations that remain static in their cyber posture are inviting their adversaries to pay them a visit.
About the Author
John Meyer currently serves as Vice President of Cyber Products and Services at Arcfield, a leading provider of full life cycle, mission-focused systems engineering and integration, C5ISR and digital transformation capabilities for the air, sea, land, space and cyber domains to the U.S. government and its allies. In his role, Meyer is responsible for managing and evolving Arcfield’s innovative and leading-edge cyber products and programs, with a focus on growing the company’s footprint in securing government networks against adversarial malware attacks and the exfiltration of sensitive government data. John can be reached online at the company website, https://www.arcfield.com/.