As cybersecurity incidents gain sophistication, it is critical to emulate real-world adversaries' tools, tactics, and procedures during testing activities if we are to assess security postures effectively.

Shane Ryan, Global Practice Lead - Application Security for BSI's Cybersecurity and Information Resilience Team

December 11, 2020


Red teaming (or offensive) cybersecurity exercises take traditional penetration (pen) testing a step further by simulating attacks that replicate real-world adversaries' tactics, techniques, and procedures (TTPs). For one thing, a red-team engagement takes a zero-knowledge approach: The wider organization isn't notified about the testing ahead of time, and the red team isn't supplied with any prerequisite information about the organization.

By acting as an adversary trying to bypass an organization's security controls while avoiding detection, the red team identifies ways an organization can be compromised through real-world TTPs. It also assesses how well the organization can identify, manage, and resolve attacks or incidents consistent with best practices and incident response plans and procedures. 

How to Improve Penetration Testing
Typically, a penetration test follows a predefined, approved, and time-boxed methodology. The organization defines which assets should be tested, and the resulting report highlights the security issues or vulnerabilities found on the in-scope assets.

Traditional penetration testing is a core element of many organizations' cybersecurity efforts because it provides a reliable measurement of the organization's security and defense measures. However, because a client can classify assets as out of scope, the pen test may not give an accurate read on the organization's full security posture. Because the pen-testing approach, authorization process, and testing ranges are defined in advance, these assessments may not measure an organization's true ability to identify and act on suspicious activities and traffic.

Ultimately, placing restrictions on a test's scope or duration can harm the tested organization. In the real world, neither time nor scope is of any consideration to attackers, meaning the results of such a test are not entirely reliable.

Objective-Oriented Penetration Testing
Incorporating objective-oriented penetration testing can improve a typical pen-testing program and, in turn, enhance an organization's security posture and incident response, as well as limit its risk of exposure.

The first step is to agree on attackers' likely objectives and a reasonable time frame. For example, consider ways attackers could access and compromise customer data or gain access to a high-security network or physical location. Focusing on adversaries' realistic objectives, rather than their means or only the in-scope assets, allows a pen-testing team to combine testing methodologies, approaches, and tools to achieve the testing objective. 

By focusing on attackers' objectives, the testing team can do the following:

  • Perform physical penetration testing to gain unauthorized access to a target building or office and perform network penetration testing there;

  • Combine mobile, web application, and network penetration testing to gain unauthorized access to the internal network or sensitive data; and

  • Launch social engineering and phishing attacks in an attempt to compromise enterprise credentials and do network and application penetration testing armed with those credentials.

Preparing for Advanced Penetration Testing
An organization's security testing requirements depend on its current security posture and maturity level. Before initiating advanced penetration testing, frameworks like the following should be put in place so that the assessments provide the greatest value and an accurate measurement of your organization's cybersecurity posture. 

1. Regular Security Assessments
For advanced penetration tests and security assessments to provide value, you need baseline pen testing and vulnerability assessments to determine whether your information security posture is resilient and mature, and whether it has made progress in addressing the root causes of identified vulnerabilities.

Advanced pen tests and assessments uncover more realistic threat profiles and attack scenarios than traditional penetration testing. However, if you're not also performing regular, organization-wide assessments, you may be better off performing traditional penetration testing until you have established a resilient cybersecurity posture across your organization.

2. Security Awareness Training
Attack avenues for these assessments differ from those of traditional penetration tests, encompassing a wider range of targets. Depending on your objective, it may make sense to target physical security controls and organizational staff. However, without a mature security awareness program in place, it may be trivial for a red team to compromise enterprise credentials through social engineering or to gain unauthorized access to mission-critical infrastructure through physical penetration testing.

3. Mature Security Operations and Intrusion Detection
If an organization is aware that its attack-detection capabilities are immature or no controls exist, there may be limited value in performing an assessment to prove what the organization already knows. If the organization doesn't have typical intrusion-detection controls and solutions, it may be impossible to measure the effectiveness of attack detection. 

4. Vulnerability Management Framework
As these assessments' scope is not limited to particular assets or approaches, they will likely uncover a multitude of security vulnerabilities across business units, teams, security controls, and locations. These vulnerabilities may have complex root causes that may require long-term security resolutions. 

To ensure that vulnerabilities are remediated correctly in a risk-prioritized and timely fashion, a robust vulnerability management framework should be in place before starting the assessments. This will identify the parties responsible for the vulnerabilities and ensure the business maintains visibility into their successful remediation. 

Increased Action Leads to Increased Knowledge
Penetration testing is a tried-and-tested method for understanding specific assets' security posture, but not that of the full organization. Therefore, conducting periodic attack-simulation exercises, in conjunction with traditional penetration testing, has become the norm for security-mature organizations. 

By utilizing both objective-oriented penetration testing and red-teaming exercises, organizations can improve their overall security posture and be confident that they're prepared for almost any security threat they face.

About the Author(s)

Shane Ryan

Global Practice Lead - Application Security for BSI's Cybersecurity and Information Resilience Team

Shane is an experienced and well-rounded security consultant with nine years of industry experience. Shane is a Principal Security Consultant with the remit of delivering high-quality consultancy for BSI's US-based and international clients. Working with Espion and later BSI, Shane has gained valuable experience and skills, delivering consultancy across a large number of industries, being exposed to a wide variety of technologies and assessment types, and leading teams of all sizes. Shane has skills in delivering a wide range of testing types while previously leading BSI's EMEA testing team.
