Has the time come to give up penetration testing?

By carrying out “white hat’ attacks to identify potential entry points in the externally facing parts of an organization’s IT network, such as its firewalls, email-servers or web-servers, pen testing can bring to light any existing security weaknesses. These potentially vulnerable external facing aspects, however, are rapidly increasing in number.

Phenomena, such as BYOD, the cloud, and shadow IT, have seen more and more different devices being added to an organization’s infrastructure, each using an increasing number of applications for both business and personal purposes. This growth has seen network boundaries expand to such a degree that they have almost dissolved, leaving networks essentially amorphous. And the imminent explosion of devices set to be introduced by the Internet of Things will only redefine the shape of the network even further.

This new environment is likely to allow increasingly more complex and sophisticated threats to flourish, as billions of connected devices continue to change and extend the network perimeter, increasing the number of potential entry points for attackers.

Put simply, the more miles of fencing there are to patrol, with more potential points of entry, the harder it will be to keep attackers out. Logically, this would suggest that pen testing is now more important than ever, but this isn’t necessarily the case.

The threat within
Recent research by Cisco revealed that every single one of the corporate networks it tested had suspicious traffic going to websites that hosted a form of malware. Organisations can be reasonably confident therefore that their network has already been compromised. With two thirds of breaches laying undiscovered for months, security teams should be focusing less on whether their network has been compromised, and more on what they should do now that it probably has been infiltrated.

As no firewall can be 100 percent effective in keeping attackers out, and with networks continuing to grow and shift in shape, it’s clear that organisations now need to adopt a new approach to protecting their IT infrastructure.

Rather than spend resources on measures such as pen testing, it’s now perhaps more relevant for IT security teams to find effective ways of monitoring for, rooting out, identifying and taking remedial action against malware and threats already inside their network.

Essentially, the sooner an organisation is able to recognise that it has been compromised, the better able it will be to take appropriate action to mitigate against the attacker.

Changing tactics for changing motives
Malware is evolving. In the past, cyber-attacks were carried out as a means of achieving prestige or notoriety for the criminal behind them or simply to prove a point. As a result, they tended to be noisy, generating logs and alerts in their trail and were, therefore, easy to identify and quarantine.

Today though, such attacks tend to be used primarily for monetary gain. Once a compromised, a system can leach valuable, sensitive business, personal or financial information over the course of days, weeks or even months.

In order to succeed, the new breed of advanced persistent threats (APTs) are designed to be almost invisible, silently entering a network and remaining undetected for as long as possible.

Where an organization’s computers were once connected to an internal system protected by a corporate firewall, increased mobility means that end-users are now continually accessing the Internet via a range of devices, providing them with more opportunity than ever to download applications and content, greatly increasing the risk of compromise.

Interestingly, almost half of compromised machines are found to have no malware on them. In these cases, the APT relies on the end-user to click on something that appears innocuous, usually within an email or file. Once this happens, a connection is established with a website from which the main element of the attack will be downloaded.

Calling home
APTs are no exception and use DNS as the prime means of “calling home” to receive instructions from their Command and Control servers, to download additional malware payloads, and to steal data. DNS should, therefore, be considered an ideal choke-point for detecting malware communications that have slipped past other security solutions.

As it’s here, at the heart of an organisation’s IT network, that today’s sophisticated APTs are most effective, having silently slipped past the perimeter, then it’s here that security teams should now be directing their scrutiny. Rather than focusing on what’s making its way into the system, it’s now time that organisations should be focusing on what’s making its way out.