I was on a call with a client the other day and she was in a great mood as she shared with me that her company's recent penetration test had come back with zero findings. There were only a few recommendations that were well in line with the goals that she had previously shared with the testing team.
She trusted this team as they had been used for a few years; they knew when she liked the testing performed, how she liked things documented, and could test faster (and cheaper). Certainly, the compliance box was being checked with this annual pen test, but was the organization truly tested or protected against any of the most recent cyberattacks? No. If anything, the organization now had a false sense of security.
She also mentioned that their recent tabletop exercise (the portion of the penetration test where key stakeholders involved in the security of the organization discuss their roles, responsibilities and their related actions and responses to the mock cyber breach) for incident response was for ransomware. You should be focused on ransomware if it hasn’t already been covered in previous testing, but what about human risk or insider threat? While, according to recent findings, three out of four cyber threats and attacks come from outside of organizations, incidents involving partners tend to be much larger than those caused by external sources. According to those same studies, privileged parties can do more damage to the organization than outsiders.
So, why are we still doing perfunctory penetration testing when we can be emulating realistic threats and stress-testing the systems most at risk for maximum business damage? Why aren’t we looking at the most persistent threats to an organization using readily available insights from ISAC, CISA, and other threat reports to build realistic and impactful tabletops? We can then emulate that through penetration testing and increasingly realistic stress testing of systems to allow a sophisticated ethical hacking team to help, versus waiting for what is likely an inevitable breach at some point in the future.
Audit organizations and regulators expect companies to perform due diligence on their own tech and security stack, but they are still not requiring the level of rigor that's required today. Forward-looking organizations are becoming more sophisticated with their testing and incorporating their threat modeling tabletop exercises with their penetration testing and adversary simulations (also called red team testing). This helps ensure that they’re holistically modeling threat types, exercising their probability, and then testing the efficacy of their physical and technical controls. Ethical hacking teams should be able to progress from a noisy penetration test to a stealthier adversary simulation over time, working with the client to tailor the approach around touchy and off-limits equipment, such as financial services trading platforms or casino gaming systems.
Red teams are not just the offensive group of professionals pen testing a company’s networks; these days, they are made up of some of the most sought-after cyber experts, who live and breathe the technology behind sophisticated cyberattacks.
Strong offensive security partners offer robust red teams; organizations should be looking to ensure they can protect against and prepare for today’s dangerous cybercriminal or nation-state threat actor. When considering a cybersecurity partner, there are a few things to consider.
Is This Partner Trying to Sell You Something or Is It Agnostic?
A legitimate and robust cybersecurity program is built by a team looking to equip your organization with the technology that is right for your circumstances. Not all technologies are one-size-fits-all, and therefore, products shouldn’t be recommended upfront but should be suggested following a thorough review of your company's needs and unique requirements.
Deriving R&D From Defensive Data
Find out if their team researches and develops custom tools and malware based on the most recent endpoint detection and response and other advanced defenses. There is no cookie-cutter approach to cybersecurity, nor should there ever be. The tools used to both prepare and defend an organization against advanced cyberattacks are constantly being upgraded and nuanced to combat the criminals' increasing sophistication.
Get the Best
Are their offensive security engineers truly nation-state caliber to evade detection and maintain stealth, or are they compliance-based pen testers? Simply put, do you have the best, most experienced team working with you? If not, find another partner.
Check the Mindset
Does the team lead with a compliance mindset or one of threat readiness? While compliance checklists are important to ensure you have the basics in place, it is just that: a checklist. Organizations should understand what, beyond the checklist, they need to stay safe 24/7.
Ultimately, find a cyber partner that will ask the hard questions and identify the broadest scope of considerations when analyzing a program. It should offer an offensive solution that will keep your organization one step ahead of the cybercriminals who continue to raise the bar, for maximum resilience. Go beyond the pen test!