Let’s Get Offensive – The Pros and Cons of Diverse Security Testing Methods

Most IT teams only know if they are protected against a cyber attack when one actually occurs. Organizations spend considerable resources to ensure that they have the best defenses in place. Yet the only way to ascertain those tools’ effectiveness is by launching an offensive. Combining defensive and offensive strategies enables you to challenge your security infrastructure and ensure that when the moment of truth comes, your organization will have the best possible security posture. This blog reviews the different defense-by-offense methods available to enterprise IT and security teams.

Vulnerability Scanning

Vulnerability scanners scour a target system to uncover software that is missing critical patches that address known vulnerabilities, such as those found in the Common Vulnerabilities and Exposures (CVE) database. Security professionals are not the only ones who scan for vulnerabilities; threat actors do the same when scanning target systems for vulnerabilities that can be exploited.

Unlike the two methods below, vulnerability scans do not attempt to exploit a known vulnerability, but rather alert on the missing vendor-issued update. So, while in theory a soft spot may be identified, the test does not show whether it could in fact be exploited on a given machine.

Penetration Testing

Pen testers attempt to reveal whether a threat actor would be able to penetrate an organization by exploiting known vulnerabilities that may reside in applications, services or operating systems as a result of misconfiguration or insecure work practices. The tests also uncover how deep a would-be hacker would be able to go and the amount of data that could be exfiltrated.

Pen testers can provide valuable insights and enable compliance with regulations such as PCI DSS, GDPR, HIPAA and SOX. However, given their manual nature, their scope is limited as the pen tester cannot provide a complete end-to-end review of all the systems in an enterprise’s infrastructure. Importantly, they rely on the acumen and know-how of individual professionals, which may vary from one pentester to another.

Red Teaming

Red teams take pentesting a few steps further by combining the know-how and expertise of several offensive-security professionals and launching a coordinated, reconnaissance-laden, multi-step attack on an enterprise’s infrastructure. By mimicking the tactics, techniques and procedures (TTPs) deployed by real attackers, red teams can test a SOC team’s incident-response capabilities and expose unknown issues in the organization’s systems. To be effective, red-team exercises must be conducted regularly and, preferably, frequently. They require resources in the form of in-house or outsourced hacking expertise.

Automated Attack Simulations

When it comes to testing all aspects of security, starting from the enterprise perimeter, to endpoint protection, and the subsequent prevention of data extraction, the above methods are limited in the scope of tests they can offer. Additionally, when it comes to knowing your risk exposure, the resulting assessments and reports provide a snapshot of your infrastructure at a certain point in time. However, they do not provide alerts or insights into how your security is faring on an ongoing basis.

That is where automated, repeatable breach and attack simulation (BAS) tools come in handy. They enable organizations to automate the security testing process across their entire infrastructure, either continuously or as an on-demand test that can be run daily, weekly or anytime to assess an organization’s cyber stance at any given moment, while testing for vulnerabilities across the entire attack kill chain.


This blog was brought to you by our partner, Cymulate. Don’t miss their exciting presentation and demo – Using Cyber-Attack Simulations to Improve Your Cyber Security Posture – at Camp this year!

Cymulate will be presenting on Day 1 at 11:00am in the Idea Loft. They will be returning to the stage for their demo on Day 1 at 1:10pm in Grandroom C.

Blog written by Cymulate.