Penetration testing is among the most effective methodologies to help determine an organization's risk posture. While other standard processes, such as gap assessments, auditing, architecture reviews and vulnerability management, offer significant value, there's still no substitute for pen testing. When done correctly, it signifies where the rubber meets the road -- serving as a situational barometer for aligning security defenses with ever-evolving cyber threats and budgetary realities.
At its core, pen testing falls under the umbrella of ethical hacking, where simulated threat actors attempt to identify and exploit key vulnerabilities within an organization's security environment. Gaining this visibility spotlights the link between cyber and business risk amid rapid increases in AI-powered attacks targeting enterprise networks.
The rise of ChatGPT, for example, has been widely described as a cybercrime game changer: it lowers the cost and skill required to apply advanced tactics, techniques and procedures (TTPs), so average threat actors can achieve outsized results cheaply. Enabling run-of-the-mill malicious hackers to punch above their weight class will continue to amplify the volume and velocity of attacks, which raises the stakes for pen testing programs that help limit the business impact of breaches. In the U.S., the average cost of a breach reached a record $9.4 million in 2022, according to IBM's Cost of a Data Breach report.
Compounding the issue is a pattern of poor security posture across the public and private sectors. SANS Institute's 2022 Ethical Hacking Survey, "Think Like a Hacker -- Inside the Minds & Methods of Modern Adversaries," found that more than 75% of respondents indicated only a few or some organizations have effective network detection and response capabilities in place to stop an attack in real time. In addition, nearly 50% said most organizations are either moderately or highly incapable of detecting and preventing cloud- and application-specific breaches. It's clear more must be done to swing the balance of power away from adversaries.
Enter pen testing, which can provide unrivaled contextual awareness for refining cyber defenses, threat remediation and recovery processes within an overarching risk management architecture. For organizations implementing pen testing programs at scale, keep the following fundamental tenets top of mind to maximize effect.
The goal-oriented mindset
Just over a decade ago, a longtime colleague and close friend of mine, Josh Abraham, developed a compelling case for the increased adoption of a goal-oriented approach to pen testing. He prefaced it with two simple questions: "What drives the pen tester? How do they know what they want, or what level of access is going to demonstrate the highest risks to the organization?"
The answer was a clear set of predefined goals that didn't revolve around the tactical processes and technical workflows most associated with pen testing at the time. Contrary to popular opinion across cybersecurity circles, identifying surface-level vulnerabilities wasn't the ethical hacker's golden goose.
Pen testing and vulnerability assessment are not two sides of the same coin. A vulnerability assessment is largely static: it enumerates known weaknesses, typically by scanning, with little context about whether they are actually exploitable together. Pen testing is designed to uncover fundamental business risk by manually testing an organization's defensive posture with a concrete objective, such as stealing a specific data set or reaching a specific level of unauthorized access. The endgame isn't the list of vulnerabilities themselves, but the doors those vulnerabilities open and the business consequences of an adversary walking through them undetected.
Fast forward to today, and Abraham's goal-oriented approach has become a foundational pillar of pen testing. For ethical hacking to deliver maximum value, predefined goals need to be in place and structured around the business disruptions the organization can least afford, so the engagement mirrors a worst-case attack. Ethical hackers pursue those goals to measure the organization's cyber resilience, revealing how several individually low-risk vulnerabilities can chain into one high-risk scenario that puts the business in jeopardy -- for example:
- For a major TV provider, it could be a ransomware attack that blacks out a nationally televised sports broadcast to cause billions in lost advertising revenue.
- For a water treatment plant, it could be a nation-state attack that contaminates an entire city's water supply to spawn a public health crisis.
- For a federal agency, it could be an insider threat attack that leaks national security intelligence to foreign adversaries for monetary gain.
Regardless of what encompasses a doomsday scenario, pen testing must start with a firm understanding of what the attacker's ultimate goal is and how it might harm a business. That is the only real way to discover the right vulnerabilities with the right context for mitigating business risk.
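The chaining idea above is easier to see with a small attack-path model. The following is an added example, not code from the article or from any tool it mentions: the positions, findings and CVSS-style scores are constructed to show that a breadth-first search from the attacker's starting point to a predefined goal can reach the goal even though no single finding on the path rates above "Medium" on its own.

```python
"""Added example (not from the article): chaining individually low- or
medium-severity findings into a goal-oriented attack path.

All hosts, findings and scores below are constructed for illustration."""
from collections import deque

# Constructed findings: (from_position, to_position, description, cvss_base).
# Each one, scored in isolation, is at most a CVSS v3 'Medium' (< 7.0).
FINDINGS = [
    ("internet", "web-dmz", "verbose error page leaks internal hostnames", 3.1),
    ("web-dmz", "web-dmz:shell", "outdated CMS plugin allows authenticated upload", 6.5),
    ("web-dmz:shell", "jump-host", "reused local admin password found in config file", 5.9),
    ("jump-host", "broadcast-ctrl", "SMB signing disabled, relay into control network", 5.4),
    ("broadcast-ctrl", "goal:blackout", "scheduler accepts unauthenticated job cancel", 6.1),
    ("internet", "vpn", "VPN portal discloses its version", 2.0),
]


def severity(score):
    """CVSS v3 qualitative rating bands."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def find_path(findings, start, goal):
    """Breadth-first search for the shortest chain of findings from start
    to goal. Returns the list of findings traversed, or None if the goal
    is unreachable from start."""
    adjacency = {}
    for finding in findings:
        adjacency.setdefault(finding[0], []).append(finding)

    queue = deque([(start, [])])
    seen = {start}
    while queue:
        position, path = queue.popleft()
        if position == goal:
            return path
        for finding in adjacency.get(position, []):
            nxt = finding[1]
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [finding]))
    return None


def summarize(path):
    """Contrast the worst individual rating on the chain with its outcome:
    the report should lead with the goal reached, not the per-finding scores."""
    worst = max(finding[3] for finding in path)
    return {"steps": len(path), "worst_individual": severity(worst)}


if __name__ == "__main__":
    chain = find_path(FINDINGS, "internet", "goal:blackout")
    for hop, (src, dst, text, score) in enumerate(chain, 1):
        print(f"{hop}. {src} -> {dst}: {text} ({severity(score)} {score})")
    print(summarize(chain))
```

Run stand-alone, the script walks the five-hop chain from the internet to the constructed "goal:blackout" position; every hop is rated Low or Medium, yet the chain reaches the worst-case scenario the engagement was scoped around. A vulnerability scanner would report the same five items as unrelated medium findings.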
Connecting the vulnerability dots
As the lines between cyber and business risk blurred over the years, pen testing emerged as a critical component to proactive risk prioritization. It enables organizations to generate detailed visibility into risk posture with probability scales and financial forecasts linked to various areas of their security environment. Armed with these high-level insights, CISOs have the foresight to make educated decisions by weighing the business risk of a potential attack against the likelihood that it will actually happen. Then, they allocate security resources accordingly to boost ROI and strengthen protection.
The visibility pen testing provides also helps demystify the threat landscape by translating cyber-risk into actionable business terms that resonate with the C-suite and board. Concrete stories from recent engagements -- which door was opened, and what sat behind it -- make it much easier for cyber-resilience leaders to articulate risk in a way that earns collective buy-in across corporate leadership and keeps security a top organizational priority.
It's important to remember that, however effective a pen testing program is, gray areas and difficult judgment calls in risk prioritization will always exist. Pen testing helps ensure CISOs reach the most informed decision possible. Otherwise, they are shooting in the dark at what their real business risks are.
Iron sharpens iron
Just as cybersecurity is a team sport, so is pen testing. Fundamentally, a pen testing program applies targeted offense -- the same TTPs used by sophisticated threat actors -- to guide how organizations should construct their defenses. Pen testing can also be a precursor to red team exercises. For more mature organizations that already conduct regular pen testing, a red team exercise pits a red offensive team against a blue defensive team made up of threat hunters and security operations center analysts; where a pen test measures which vulnerabilities can be exploited, the red team exercise also measures whether the defenders detect and respond. And, just as we all learned in elementary -- and cybersecurity -- school, fusing both together creates the color purple and the purple team.
The concept of purple teaming is often mischaracterized. It isn't a singular team of offensive experts and hunters all operating in unison. Rather, it's a verb in this context that describes how red and blue sides can collaborate to expand knowledge, sharpen strategy and boost operational efficiency. While it's less obvious at the surface level, blue can help red just like red helps blue.
Collaborative intelligence sharing, for example, shows the ethical hackers exactly how each of their TTPs was detected, or why it was missed. The red team can then adjust its approach for the next attempt so it is harder to catch, which, in turn, forces the blue team's detections to improve. Consider it like iron sharpening iron -- ultimately, everybody benefits.
The rate of AI adoption on both sides of cybersecurity's dividing line won't be slowing down anytime soon. AI-powered attackers are here to stay, and what we thought we knew about AI-based attacks two weeks ago could be irrelevant today. This reality heightens the importance of implementing scalable pen testing as a core component of the modern CISO's arsenal. With purple teaming, risk prioritization and well-defined goals, impactful pen testing and red teaming are the ultimate source of empowerment for combating adversarial threat actors.