Before joining the Cycognito team, I spent more than half of my cybersecurity career in the offensive side performing pentests and red team operations. I worked as a consultant and as an internal resource. Pen tests are an invaluable part of cyber security, but have lost some of their efficacy in recent years. If a company or organization is going to get the most out of pen tests, it’s important that they understand what limits their capabilities and what can be done to make them most effective. Here are two challenges that must be overcome regarding pen tests and six ways you can get the most out of pen tests.
Two Challenges for Pen Tests
The Rise of Compliance-Based Pen Testing
Over the years, pen tests have increasingly become a mandated component of regulatory and compliance standards. The Payment Card Industry Data Security Standard (PCI DSS) requiring pentests be performed in card data environments (CDEs) grew this need for compliance-based pen testing.
On the one hand, this was a good thing because it means that pen testing has gotten more attention. But this also presents a challenge because this type of compliance-based pen testing has turned the focus more towards compliance, narrowing the scope of the tests. The cost and resources for compliance-based pen testing consumes a lot of the pen testing budget, which means the pen testing team or consultant’s time is spent on the compliance side and doesn’t give attention to other aspects of pen testing.
Narrow Focus and Limited Time
Pen testing is often referred to as a time boxed assessment in the pen testing world. This means that testers are limited in the number of hours to test in-scope pen test targets. The shorter the duration of time, the more difficult to thoroughly test the targets that are in scope for the assessment. When using consultants, the time can be more limited due to the hourly bill rates of consultants, which is also a reason a lot of companies have built their own internal pen test teams. By narrowing the focus and limiting the amount of time that can be alloted to pen testing, inevitably it develops the potential of being less effective.
When compliance pen testing takes the majority of the focus and budget from the overall pen testing needs of an organization. The requirements and scope of these types of tests become even narrower and ends up leaving some items not adequately tested. Things like social engineering and physical assessments of buildings get missed, for example.
For these, Open Source Intelligence (OSINT) or external attack surface management software like CyCognito can be very helpful in uncovering information on the external attack surfaces or information that could be used with social engineering to spearphish employees of organizations, a common attack vector of threat actors. Adversary emulation, or red teaming as it is often referred to, is also often overlooked, although it is becoming more popular thanks to the narrowing of pen test scopes.
In contrast, full scope pen testing offers a way to cover the compliance side without losing its full value. Full scope pen tests are more similar to the way pen tests used to be before compliance-based pen testing became the norm and include things like OSINT and social engineering.
In order to get the most out of pen testing, we recommend utilizing things like OSINT, asset inventory, social engineering, education and automation, adversary emulation, and purple teaming.
6 Ways to Improve Pen Testing
Pen testing is part of the bigger picture known as Attack Surface Management (ASM), so improving pen testing helps your organization with its overall ASM. Important areas for improvement for pen testing, which will help build a comprehensive ASM program:
1 – OSINT, as mentioned earlier, is often excluded from pen tests, this is a big opportunity for improvement. OSINT helps you uncover external assets that you may not know about as well as uncover information threat actors could use to launch an attack against your organization. For example, I had a pen test I was performing and using the Shodan tool for OSINT, I was able to uncover an FTP server that was not included in the network IP subnets I was testing. The clear-text authentication of FTP is a security risk especially when accessible from the Internet.
2 – Asset inventory is another area that can affect pen tests, since you can’t test what you can’t see. Having an updated view of all of your assets ensures your pen tests are covering every potential attack surface. This is more easily accomplished on your internal assets, as external assets can be more difficult to discover. But, OSINT can be used to help discover your external-facing assets. Although most pen tests include reconnaissance, OSINT is not always used, but goes a long way in improving asset discovery.
3 – Social engineering is often overlooked or limited to internal email phishing campaigns. Internal phishing campaigns typically only test for clicks of links contained in the phishing email and do not use payloads to see if a threat actor could gain access to systems or sensitive data. Phishing and social engineering are common ways attackers exploit their victims. Social engineering goes beyond phishing and includes vishing using phones as a way to socially engineer victims. SMS is another vector used for SMishing attacks. Social engineering and building security assessments are ways of testing the security of employees and building controls, which helps expand the effectiveness of pen testing.
4 – Education and automation can help teams do more with less. Skills gaps and shortages have long been identified as a problem in cybersecurity and the lack of enough skilled practitioners make it difficult for organizations to meet their staffing needs.
Educating employees is a serious need in this area, but the time to get staff skilled up in a timely manner is a hurdle. Educating employees along with cross training can help prepare employees for their next step in your organization. Having a career path and training are valuable for retaining talent. Vulnerability management teams can be trained on retesting findings from previous pen tests, giving pen testers more time to focus on new tests and to educate vulnerability management teams to become pen testers at the same time.
Automation is another opportunity to do more in less time with your existing staff. This can also make tasks easier and more repeatable for junior team members. Automation is popular among bug hunters to focus their attention on more important talks.
5 – Adversary Emulation (aka Red Teaming) is another area that should be included to enhance your program effectiveness. Pen tests focus on finding and exploiting all exploitable vulnerabilities, but red teaming focuses on exploiting vulnerabilities that could lead to an actual breach. Red teamers try to go undetected to test the technologies and the defenders. Both pen testing and red teaming are needed. Red teaming alone would miss critical exploitable findings. Social engineering is typically leveraged in red team operations, since it is a common attack vector of threat actors.
6 –Purple Teaming is another opportunity for improvement on the internal environment of your organization. During a purple team exercise, the defensive and offensive teams work together to tune EDRs and other defenses systems to detect and/or prevent tools and techniques used by threat actors. Offense executes different hacking tools and scripts to see if they are detected and they work with defenders to tune systems to detect, and/or prevent successful execution of tools and attacks.
Improving Your Overall Attack Surface Management Program
Improving pen testing can help improve your overall ASM program. One of the reasons I joined CyCognito is that CyCognito uses a lot of the same tools and techniques used by offensive cybersecurity professionals and threat actors. It leverages reconnaissance, including OSINT, vulnerability scanning, and other testing tools, as well as automates these processes.
CyCognito makes it easy for your employees to do things that would take training and experience to accomplish on their own.You can leverage staff on the vulnerability management team or vulnerability scanning team to conduct more advanced testing, which takes some of the pressure off of the pen test team. The time that can be saved with CyCognito gives pen testers more time to spend on things that often get missed due to lack of time. CyCognito helps prioritize items that need to be focused on more or tested deeper, leaving the pen tester with more time to test.