Chinese military strategist Sun Tzu is quoted as saying, “if you know the enemy and you know yourself, you need not fear the results of a hundred battles.” In cybersecurity terms, this means knowing the cyber-adversaries and associated tactics, techniques, and procedures (TTPs) they use to attack your organization. Additionally, Sun Tzu’s quote extends to an organizational reflection where you must know everything about your technical, human, and even physical vulnerabilities in order to apply the best protection for critical assets.
How can organizations gain this knowledge? By attacking themselves through penetration testing and red teaming exercises. According to ESG research, organizations pursue penetration testing and/or red teaming at least once a year for the following reasons:
- 26% conduct penetration testing/red teaming as a best practice for risk assessment.
- 17% conduct penetration testing/red teaming because they are required to do so for regulatory compliance.
- 14% conduct penetration testing/red teaming because it is mandated from executive management or the board of directors.
- 13% conduct penetration testing/red teaming because it is mandated as part of third-party contracts.
Penetration testing and red teaming are finite projects – 75% of organizations say they have a duration of 2 weeks or less. Despite this short timeframe, however, penetration testing and red teaming produce useful results and benefits. Organizations use these exercises to find/fix vulnerabilities, review risk status with executives, use the results to reassess IT and security priorities, and determine where they need to hire and/or train employees.
Yup, penetration testing and red teaming can be quite beneficial but there are several problems with the current processes including:
- Testing frequency. Like any other type of IT or security scanning, penetration testing/red teaming results have a short shelf life in any dynamic IT environment. Testing results from Q1 are ancient history in Q3.
- Testing methodologies. The ethical hackers who conduct these tests are highly skilled for the most part, but many testers use the same playbook repeatedly for months and years. While it’s important to test security against tried and true hacking techniques, it’s also critical to assess defenses against new and evolving attacks.
- The output of penetration testing and red teaming is often highly technical. This means that cybersecurity professionals must translate results into a business context for business executives. Unfortunately, this translation skill set isn’t always very strong and what’s important to the cybersecurity team may be gobbledygook to business managers.
To maximize the benefits, organizations need continuous penetration testing/red teaming using the latest exploits seen in-the-wild. Furthermore, the results of these tests must be available for viewing through a business and technical lens to understand risk to business-critical assets and prioritize remediation actions.
I’m encouraged by a relatively new category of security technologies called continuous automated security validation (CASV). CASV tools use a variety of current hacker techniques to hammer corporate networks continually. These tools then gather this data in dashboards that can be used to constantly monitor vulnerabilities and track remediation progress. Some tools can align results with the MITRE ATT&CK framework, and the best tools provide role-based dashboards for positions like security analysts, IT auditors, and business managers so they can review the results and use real-time data to prioritize remediation decisions. CASV tools and services come from vendors like AttackIQ, Censys, Metronome, Pycsys, Qadium, Randori, SafeBreach, SCYTHE, Verodin, and others.
Penetration testing and red teaming can really help with cyber risk identification and mitigation, but you can’t measure a dynamic environment like cybersecurity using static data. CASV can help organizations maximize the benefits of penetration testing and red teaming continuously and in real-time which I why I am bullish on the future of CASV technology.