Consider a traditional penetration test as a snapshot of vulnerabilities for an environment that may be in constant flux. This snapshot may also be an incomplete picture, addressing only a portion of a more complex system. In contrast, criminal attacks continue to evolve and increase in sophistication, while organisations find themselves with an increasingly complex infrastructure to defend, constrained budgets and limited resources.
The challenge of focusing a penetration test on the most vulnerable elements of an organisation – embracing technology, people and processes – is formidable.
To give a view of real business risk, it would be far better to link vulnerabilities to real-world threats and vice versa. Starting with the threats and working down the kill chain to the target, incorporating up-to-date threat intelligence, would be a better basis for penetration testing.
I believe the answer starts with a threat analysis, to catalogue the most likely and most damaging criminal attacks, followed by a series of exercises to simulate these attacks under controlled conditions. Investing time to identify the most dangerous attackers, their targets and their expected line of approach allows us to create attack scenarios that represent a real and present risk to the business. The subsequent exercises can replicate each step of the criminal approach, from information gathering and reconnaissance, through social engineering, internet-based exploits, on-site attacks and ultimately account compromise and information theft.
Using this approach, the organisation’s defences are tested at each step of the exercise, and responses to incursions are measured. Weaknesses that a criminal could exploit to achieve their objective are revealed, permitting the organisation to focus on genuine vulnerabilities, rather than a series of generic assumptions. These types of tests are called red team exercises.
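The workflow described above, from a threat catalogue to a stepwise exercise with measured responses, can be kept honest with a small amount of bookkeeping. The following is an added example, not code from the author or from First Base Technologies: it assumes a simple likelihood-times-impact scoring model, a fixed list of kill-chain phases taken from the column, and constructed sample scenarios and exercise outcomes. It ranks scenarios, stops each simulated chain at the first step a control blocks, and reports which phases the attacker passed through undetected, ordered by the risk of the scenario that exposed them.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Kill-chain phases in the order the column lists them (labels are constructed).
KILL_CHAIN = ["reconnaissance", "social_engineering", "internet_exploit",
              "on_site", "account_compromise", "information_theft"]


@dataclass
class Scenario:
    """One attack scenario from the threat analysis (hypothetical structure)."""
    name: str
    actor: str
    likelihood: int      # 1 (rare) .. 5 (expected), informed by threat intelligence
    impact: int          # 1 (nuisance) .. 5 (business-critical)
    steps: List[str]     # kill-chain phases this actor would traverse, in order

    def risk_score(self) -> int:
        # Assumed scoring model: plain likelihood x impact product.
        return self.likelihood * self.impact


@dataclass
class StepResult:
    """Outcome of exercising one phase of one scenario against the defences."""
    scenario: str
    phase: str
    detected: bool                          # did anyone notice the step?
    blocked: bool                           # did a control stop the step?
    minutes_to_respond: Optional[int] = None  # None when nothing was detected


def rank_scenarios(scenarios: List[Scenario]) -> List[Scenario]:
    """Most likely and most damaging first; ties broken by name for stable output."""
    return sorted(scenarios, key=lambda s: (-s.risk_score(), s.name))


def executed_steps(scenario: Scenario, results: List[StepResult]) -> List[StepResult]:
    """Results for one scenario in kill-chain order, stopping at the first blocked step
    (a blocked step ends the chain, so later phases were never reached)."""
    by_phase = {r.phase: r for r in results if r.scenario == scenario.name}
    executed = []
    for phase in scenario.steps:
        r = by_phase.get(phase)
        if r is None:
            break  # the exercise stopped before this phase
        executed.append(r)
        if r.blocked:
            break
    return executed


def gaps(scenario: Scenario, results: List[StepResult]) -> List[str]:
    """Phases the simulated attacker passed through without being detected."""
    return [r.phase for r in executed_steps(scenario, results) if not r.detected]


def coverage_report(results: List[StepResult]) -> Dict[str, Dict[str, float]]:
    """Per-phase detection and blocking counts across all exercises."""
    report = {}
    for phase in KILL_CHAIN:
        rs = [r for r in results if r.phase == phase]
        tested, detected, blocked = len(rs), sum(r.detected for r in rs), sum(r.blocked for r in rs)
        report[phase] = {"tested": tested, "detected": detected, "blocked": blocked,
                         "detection_rate": detected / tested if tested else 0.0}
    return report


def prioritised_gaps(scenarios: List[Scenario], results: List[StepResult]) -> List[Tuple[str, str, int]]:
    """Undetected phases, highest-risk scenario first: where remediation effort should go."""
    return [(s.name, phase, s.risk_score())
            for s in rank_scenarios(scenarios) for phase in gaps(s, results)]


# Constructed sample threat catalogue and exercise outcomes (not real engagement data).
SCENARIOS = [
    Scenario("Invoice fraud via phished finance staff", "organised crime", 4, 5,
             ["reconnaissance", "social_engineering", "account_compromise", "information_theft"]),
    Scenario("Customer portal web breach", "opportunistic attacker", 3, 4,
             ["reconnaissance", "internet_exploit", "account_compromise", "information_theft"]),
    Scenario("Tailgating into the server room", "insider-assisted thief", 2, 3,
             ["reconnaissance", "on_site", "information_theft"]),
]
RESULTS = [
    StepResult("Invoice fraud via phished finance staff", "reconnaissance", False, False),
    StepResult("Invoice fraud via phished finance staff", "social_engineering", True, False, 45),
    StepResult("Invoice fraud via phished finance staff", "account_compromise", True, True, 5),
    StepResult("Customer portal web breach", "reconnaissance", False, False),
    StepResult("Customer portal web breach", "internet_exploit", True, True, 2),
    StepResult("Tailgating into the server room", "reconnaissance", False, False),
    StepResult("Tailgating into the server room", "on_site", False, False),
    StepResult("Tailgating into the server room", "information_theft", True, False, 30),
]

if __name__ == "__main__":
    for name, phase, score in prioritised_gaps(SCENARIOS, RESULTS):
        print(f"risk {score:>2}  {name}: undetected at {phase}")
    for phase, stats in coverage_report(RESULTS).items():
        print(f"{phase:<20} {stats}")
```

The stop-at-first-block rule matters for the metrics: a phase that was never reached because an earlier control held is not counted as a detection failure, so the report reflects what the defences actually faced rather than penalising steps the exercise never executed.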
There is another significant benefit to this approach. Because the red team exercises are based on real threats to the organisation, staff and management can identify with both the “story” of the attack and the resulting impact on the business. This forms the perfect basis for improving security awareness throughout the enterprise, and raising the bar on that most challenging of security controls – the human firewall.
As it conducts more red team exercises, the business can build on this precedent and deliver more engaging stories to continue the education of everyone in the organisation.
Peter Wood is a member of Security Serious and the London Chapter ISACA Security Advisory Group, and CEO of First Base Technologies.
This was first published in December 2015