The vast majority of attackers are opportunist criminals looking for easy targets to maximize their profits. If defenses are sufficiently fortified, finding a way through will be so difficult and time consuming that all but the most elite nation-state level threat actors will give up and go search of easier prey.
Penetration testing is one of the most effective methods for achieving this level of security. A team of ethical hackers can discover and close off obscure attack paths that standard vulnerability scanning methods miss but adversaries may exploit.
Despite its value, we find that penetration testing is poorly understood outside of the security industry. This was highlighted in 2019, when two penetration testers carrying out an exercise that included testing physical security of an Iowa courthouse were arrested and charged with burglary and trespass.
The lack of penetration testing knowledge
As director of Trustwave’s SpiderLabs in EMEA, I find a lot of my time goes into explaining what penetration testing is, how it differs from vulnerability scanning, and most importantly of all, why it’s worth investing in. The waters are also muddied by a tendency to conflate pen testing with red teaming, which is both more expansive and more expensive.
Most organizations operate with tight security budgets and the human element of pen testing makes it notably more expensive than standard automated vulnerability scanning and management tools. Without a clear understanding of the value generated by in-depth pen testing, it’s easy to see why non-technical executives and boards will prefer to sign off on lower cost automated tools instead.
Automated processes such as asset management and vulnerability scanning are essential baseline activities that should be part of every company’s security strategy. Regular scans will discover new and existing vulnerabilities and help the security team prioritize patching and closing the most dangerous issues before they can be exploited in an attack.
This is particularly important when it comes to databases and other assets that are set up and managed in the cloud. The risk posed by common security issues such as outdated software or misconfigured databases and user permissions is vastly amplified in a cloud environment as they are far more accessible to a threat actor. For example, we commonly encounter issues like Amazon S3 buckets that do not require user credentials for access. This means any data in them can be accessed by anyone who can find it – a trivial task for automated bots.
Automated scanning and management tools are an efficient and cost-effective way of finding these issues. However, businesses must also look at a more hands-on approach to increase their security maturity.
The next step in security
Pen testing is the next logical step, with a focus on finding more complex issues that are likely to be missed by initial scans. Some of the most common threats uncovered by pen tests are logic-based bugs which require a degree of experimentation and multi-stage attacks that combine different techniques.
Finding and exploiting these gaps requires human experience and intuition, something that is still outside the grasp of even the most advanced machine-learning-powered analytics tools. The issues discovered through pen testing will often go beyond simple software updates and may require changes to operational processes and staff training.
It’s important for business decision makers to understand that this is not an either/or scenario – ideally, they should be deploying both automated scanning and pen testing. The former will discover the bulk of vulnerabilities that can be exploited by common malware and attack techniques, but the latter is required to uncover hidden issues that will be exploited by more advanced attackers.
Addressing these security gaps is an important step for businesses to advance their security maturity. However, there is still a tendency among non-technical executives to assume that security problems can be solved by investing in the latest shiny technology – ignoring the need to factor in people and processes as well.
Good planning is essential for pen testing
Pen testing will only be truly effective if it is implemented with the right processes, including both preparation and follow-up.
Before carrying out the test, it is important to have the scope and boundaries thoroughly documented. This includes safeguards and processes to cover any issues that might result in discovery, particularly when social engineering and physical security are involved.
We provide our team with Get Out of Jail Free cards that explain their purpose and who to contact at the business to avoid a scenario like the Iowa arrest. However, while someone at the organization must be aware of everything the pen testers may be doing, it would be ideal that as few people as possible know about it.
It’s also important to have a clear strategy for following up once the pen test results are in. Organizations are often fixated on the number of issues a pen test uncovers (usually a greater number than they were expecting). This information alone is useless, and priority should be given to implementing a plan of action to close those gaps.
Given the huge variation of potential threats, the results of a pen test can feel overwhelming and dispiriting. Nevertheless, even if a large number of issues are unearthed, the pen testing team can help with prioritizing which to tackle first.
Ideally, regular pen testing should be scheduled as part of the organization’s security strategy as it matures. How often tests need to be carried out varies greatly depending on a firm’s unique structure and risk profile – that said, performing them on an annual basis is usually a good start. We also recommend ad-hoc testing when major infrastructure changes are implemented.
Meanwhile, there should be a fairly continual level of automated activity. For instance, asset management should be an everyday occurrence, while vulnerability scans could be conducted quarterly, monthly, or even weekly depending on the company’s risk profile and resources.
Keeping up with evolving threats
The cyber threat landscape is notoriously fast moving, and the worst thing any tester can do is stand still. Adversaries are constantly innovating their attack techniques, often specifically to evade detection by automated scanning tools. Pen testers play an essential role in keeping up with these developing tactics, and we have encountered several trends over the last year that show the human touch is more important than ever.
Chained vulnerabilities are one such growing issue, where attackers link together several low-level vulnerabilities to achieve unexpected results. Automated tools are unable to make these same leaps of logic, so identifying these gaps requires human intuition. For example, a Trustwave pen tester discovered that the security question form on a website could be exploited to discover usernames, as questions would be repeated if a genuine name was inputted. From here an attacker could brute force their way into reaching the password reset screen and access the account.
IoT is another growing area of concern. The market is growing rapidly and continues to hold a notoriously low standard of security. There is a prevalence of operating systems that are poorly tested and difficult to update, and systems are often fairly chaotic and open to chained vulnerabilities. In addition, many IoT devices are also exposed to physical security threats.
Our investigators often discover devices that can be directly accessed, such as public kiosk terminals. Plugging in directly allows an adversary to bypass security layers in a way that most automated scanning tools cannot predict.
Experienced personnel also play a key role in integrating open-source intelligence (OSINT) into security strategies. OSINT includes readily available data such as information from social media, as well as data from breaches and leaks on the open and dark web.
Attackers have become increasingly adept at scraping and aggregate this information using automated tools and using it to pull off more effective targeted strikes. Defenders can also use automated tools to gather and collate the same information, while pen testers can take things a step further by finding, testing, and closing potential vulnerabilities.
As threat actors continue to evolve and innovate their attack strategies, organizations need the intuition that only a skilled practitioner can deliver. With a regular drumbeat of automated security scanning supplemented by occasional deep dives by experienced personnel, organizations can establish defenses to see off any level of threat.