Dark Reading is part of the Informa Tech Division of Informa PLC


Shane Ryan

Penetration Testing: A Road Map for Improving Outcomes

As cybersecurity incidents grow more sophisticated, testing activities must emulate real-world adversaries' tools, tactics, and procedures if we are to assess security postures effectively.

Red teaming (or offensive) cybersecurity exercises take traditional penetration (pen) testing a step further by simulating real-world attacks that replicate real-world adversaries' tactics, techniques, and procedures (TTPs). For one thing, a red-team engagement takes a zero-knowledge approach: The wider organization isn't notified about the testing ahead of time, and the red team isn't supplied with any prerequisite information about the organization.

By acting as an adversary trying to bypass an organization's security controls while avoiding detection, the red team identifies ways an organization can be compromised through real-world TTPs. It also assesses how well the organization can identify, manage, and resolve attacks or incidents consistent with best practices and incident response plans and procedures. 

How to Improve Penetration Testing
Typically, a penetration test follows a predefined, approved, and time-boxed methodology. The organization defines which assets should be tested, and the resulting report highlights the security issues or vulnerabilities found on the in-scope assets.

Traditional penetration testing is a core element of many organizations' cybersecurity efforts because it provides a reliable measurement of the organization's security and defense measures. However, because a client can classify assets as out of scope, the pen test may not give an accurate read on the organization's full security posture. Because the pen-testing approach, authorization process, and testing ranges are defined in advance, these assessments may not measure an organization's true ability to identify and act on suspicious activities and traffic.

Ultimately, placing restrictions on a test's scope or duration can work against the tested organization. In the real world, neither time nor scope is a constraint on attackers, so the results of such a test are not entirely reliable.

Objective-Oriented Penetration Testing
Incorporating objective-oriented penetration testing can improve a typical pen-testing program and, in turn, enhance an organization's security posture and incident response, as well as limit its risk of exposure.

The first step is to agree on attackers' likely objectives and a reasonable time frame. For example, consider ways attackers could access and compromise customer data or gain access to a high-security network or physical location. Focusing on adversaries' realistic objectives, rather than their means or only the in-scope assets, allows a pen-testing team to combine testing methodologies, approaches, and tools to achieve the testing objective. 

By focusing on attackers' objectives, the testing team can do the following:

  • Perform physical penetration testing to gain unauthorized access to a target building or office and perform network penetration testing there;
  • Combine mobile, web application, and network penetration testing to gain unauthorized access to the internal network or sensitive data; and
  • Launch social engineering and phishing attacks in an attempt to compromise enterprise credentials and do network and application penetration testing armed with those credentials.

Preparing for Advanced Penetration Testing
An organization's security testing requirements depend on its current security posture and maturity level. Before initiating advanced penetration testing, frameworks like the following should be put in place so that the assessments provide the greatest value and an accurate measurement of your organization's cybersecurity posture. 

1. Regular Security Assessments
For advanced penetration tests and security assessments to provide value, you need baseline pen testing and vulnerability assessments to determine whether your information security posture is resilient and mature and has made progress in addressing the root causes of identified vulnerabilities.

Advanced pen tests and assessments uncover more realistic threat profiles and attack scenarios than traditional penetration testing. However, if you're not also performing regular, organization-wide assessments, you may be better off performing traditional penetration testing until you have established a resilient cybersecurity posture across your organization.

2. Security Awareness Training
Attack avenues for these assessments differ from traditional penetration tests, encompassing a wider range of targets. Depending on your objective, it may make sense to target physical security controls and organizational staff. However, without a mature security awareness program in place, it may be trivial for a red team to compromise enterprise credentials through social engineering or gain unauthorized access to mission-critical infrastructure through physical penetration testing. 

3. Mature Security Operations and Intrusion Detection
If an organization is aware that its attack-detection capabilities are immature or no controls exist, there may be limited value in performing an assessment to prove what the organization already knows. If the organization doesn't have typical intrusion-detection controls and solutions, it may be impossible to measure the effectiveness of attack detection. 

4. Vulnerability Management Framework
As these assessments' scope is not limited to particular assets or approaches, they will likely uncover a multitude of security vulnerabilities across business units, teams, security controls, and locations. These vulnerabilities may have complex root causes that may require long-term security resolutions. 

To ensure that vulnerabilities are remediated correctly in a risk-prioritized and timely fashion, a robust vulnerability management framework should be in place before starting the assessments. This will identify the parties responsible for the vulnerabilities and ensure the business maintains visibility into their successful remediation. 

Increased Action Leads to Increased Knowledge
Penetration testing is a tried-and-tested method for understanding specific assets' security posture, but not that of the full organization. Therefore, conducting periodic attack-simulation exercises, in conjunction with traditional penetration testing, has become the norm for security-mature organizations. 

By utilizing both objective-oriented penetration testing and red-teaming exercises, organizations can improve their overall security posture and be confident that they're prepared for almost any security threat they face.

Shane is an experienced and well-rounded security consultant with nine years of industry experience. Shane is a Principal Security Consultant with the remit of delivering high-quality consultancy for BSI's US-based and international clients. Working with Espion and later BSI, ...
