10:00 AM
Shane Ryan

Penetration Testing: A Road Map for Improving Outcomes

As cybersecurity incidents grow more sophisticated, testing must emulate real-world adversaries' tools, tactics, and procedures if it is to assess an organization's security posture effectively.

Red teaming (or offensive) cybersecurity exercises take traditional penetration (pen) testing a step further by simulating real-world attacks that replicate real-world adversaries' tactics, techniques, and procedures (TTPs). Notably, a red-team engagement takes a zero-knowledge approach: The wider organization isn't notified about the testing ahead of time, and the red team isn't supplied with any prerequisite information about the organization.

By acting as an adversary trying to bypass an organization's security controls while avoiding detection, the red team identifies ways an organization can be compromised through real-world TTPs. It also assesses how well the organization can identify, manage, and resolve attacks or incidents consistent with best practices and incident response plans and procedures. 

How to Improve Penetration Testing
Typically, a penetration test follows a predefined, approved, and time-boxed methodology. The organization defines which assets should be tested, and the resulting report highlights the security issues or vulnerabilities found on the in-scope assets.

Traditional penetration testing is a core element of many organizations' cybersecurity efforts because it provides a reliable measurement of the organization's security and defense measures. However, because a client can classify assets as out of scope, the pen test may not give an accurate read on the organization's full security posture. Because the pen-testing approach, authorization process, and testing ranges are defined in advance, these assessments may not measure an organization's true ability to identify and act on suspicious activities and traffic.

Ultimately, placing restrictions on a test's scope or duration can harm the tested organization. In the real world, neither time nor scope is a constraint on attackers, so the results of such a test are not entirely reliable as a measure of what a real adversary could achieve.

Objective-Oriented Penetration Testing
Incorporating objective-oriented penetration testing can improve a typical pen-testing program and, in turn, enhance an organization's security posture and incident response, as well as limit its risk of exposure.

The first step is to agree on attackers' likely objectives and a reasonable time frame. For example, consider ways attackers could access and compromise customer data or gain access to a high-security network or physical location. Focusing on adversaries' realistic objectives, rather than their means or only the in-scope assets, allows a pen-testing team to combine testing methodologies, approaches, and tools to achieve the testing objective. 

By focusing on attackers' objectives, the testing team can do the following:

  • Perform physical penetration testing to gain unauthorized access to a target building or office and perform network penetration testing there;
  • Combine mobile, web application, and network penetration testing to gain unauthorized access to the internal network or sensitive data; and
  • Launch social engineering and phishing attacks in an attempt to compromise enterprise credentials and do network and application penetration testing armed with those credentials.

Preparing for Advanced Penetration Testing
An organization's security testing requirements depend on its current security posture and maturity level. Before initiating advanced penetration testing, frameworks like the following should be put in place so that the assessments provide the greatest value and an accurate measurement of your organization's cybersecurity posture. 

1. Regular Security Assessments
For advanced penetration tests and security assessments to provide value, you need baseline pen testing and vulnerability assessments first. These determine whether your information security posture is resilient and mature, and whether you have made progress in addressing the root causes of previously identified vulnerabilities.

Advanced pen tests and assessments uncover more realistic threat profiles and attack scenarios than traditional penetration testing. However, if you're not also performing regular, organizationwide assessments, you may be better off performing traditional penetration testing until you have established a resilient cybersecurity posture across your organization.

2. Security Awareness Training
Attack avenues for these assessments differ from traditional penetration tests, encompassing a wider range of targets. Depending on your objective, it may make sense to target physical security controls and organizational staff. However, without a mature security awareness program in place, it may be trivial for a red team to compromise enterprise credentials through social engineering or gain unauthorized access to mission-critical infrastructure through physical penetration testing. 

3. Mature Security Operations and Intrusion Detection
If an organization is aware that its attack-detection capabilities are immature or no controls exist, there may be limited value in performing an assessment to prove what the organization already knows. If the organization doesn't have typical intrusion-detection controls and solutions, it may be impossible to measure the effectiveness of attack detection. 

4. Vulnerability Management Framework
As these assessments' scope is not limited to particular assets or approaches, they will likely uncover a multitude of security vulnerabilities across business units, teams, security controls, and locations. These vulnerabilities may have complex root causes that may require long-term security resolutions. 

To ensure that vulnerabilities are remediated correctly in a risk-prioritized and timely fashion, a robust vulnerability management framework should be in place before starting the assessments. This will identify the parties responsible for the vulnerabilities and ensure the business maintains visibility into their successful remediation. 

Increased Action Leads to Increased Knowledge
Penetration testing is a tried-and-tested method for understanding specific assets' security posture, but not that of the full organization. Therefore, conducting periodic attack-simulation exercises, in conjunction with traditional penetration testing, has become the norm for security-mature organizations. 

By utilizing both objective-oriented penetration testing and red-teaming exercises, organizations can improve their overall security posture and be confident that they're prepared for almost any security threat they face.

Shane is an experienced and well-rounded security consultant with nine years of industry experience. Shane is a Principal Security Consultant with the remit of delivering high-quality consultancy for BSI's US-based and international clients. Working with Espion and later BSI, ...
