Advancing Strategic Security Goals with Offensive Testing

Your organization has a unique information security posture, and nobody understands it like you do. You are fighting a constant battle, not only against those who would attack your organization but also for the resources required to do your job. You face competition for qualified personnel, push-back on costly best practices, and arguments against upgrading or purchasing critical new technology. Even when everything seems to be ticking like clockwork, you know the storm is just over the horizon. The constant pressure of all these challenges can easily push the idea of offensive (penetration) testing far down the priority list. Worse, penetration testing is often framed negatively, as an unnecessary, disruptive exercise that generates additional busy-work for an already overtaxed security team.

In reality, offensive testing is a powerful tool for prioritizing and advancing your security program.

Advocating for the resources you need can be difficult, but a well-designed and well-executed penetration test can provide both the narrative and the metrics to reinforce your arguments. A penetration test can answer difficult questions, uncover critical issues, and break up analysis paralysis. The key is understanding what goals you want to achieve and working with your penetration testers to design an engagement that advances that agenda.

Penetration testers often talk about the specific goals, or "flags," for a particular engagement. An example would be "access cardholder data" as part of a Payment Card Industry (PCI) compliance testing requirement. While it is important to define the tactical goals that will be pursued during the test, it is critical that everyone understand the larger, strategic goals you hope to achieve. Starting with a clear understanding of those goals provides the foundation for the entire test. Communicating them effectively helps you select the right penetration testing team, ensures the test is properly scoped, and ensures the resulting report provides the greatest value for your budget. The exact motivations will be unique to your organization, but seven of the most common starting points are detailed below.

Budget Balance

That brand new, next-gen, AI-powered Anti-APT wonder appliance (with customizable dashboards) might provide visibility into the dark corners of your network. However, you also need additional headcount to round out your team's IR skillset. Or maybe you don't really need either of those things. Offensive testing can demonstrate, with evidence, the immediate need for your most requested resources. Setting a testing goal of identifying gaps caused by a lack of resources provides insight into where your security budget would best be allocated, and ammunition for why it should be increased. You may discover that instead of a new appliance, you simply need to deploy proper coverage with the technologies you already own. Or you may find that the appliance is exactly what you need to move your security program forward.

Alternative Analysis

Building secure systems is difficult. Getting senior developers, system administrators, network engineers, and the various other stakeholders to understand and properly implement security when designing a new system is an uphill battle. Their efforts are further hampered by the fact that they simply do not think like an attacker. Where a design team sees a series of reasonable and rational decisions and assumptions, an attacker may see a security hole through which they could drive a truck. Setting a goal of providing an alternative viewpoint, that of an outside attacker, allows testing to discover gaps in the design and provide recommendations before it's too late.

Details Matter

Implementation errors are perhaps the single largest source of vulnerabilities in information security. A solid design is a great foundation, but your systems are ultimately implemented by people, and people can be relied upon to make bad security decisions. The gaps between the secure design and the imperfect implementation can be difficult for automated scanning tools to discover, but they are easily leveraged by an attacker. Setting a testing goal of discovering these implementation errors results in more robust and hardened systems.

Baselines

"We have never had a test." Maybe your organization has just reached the size and complexity where a penetration test could provide real insight. Or maybe you have just come on board to manage your organization's information security program and want to understand the landscape. Do you really know your current security posture, your Internet-facing attack surface, your susceptibility to phishing, and the state of your application and database security? Setting a testing goal of assessing overall security health provides a more accurate picture of your current environment and helps prioritize the biggest risks to your data.

Mergers & Acquisitions

Growth is an important aspect of business, but acquiring a new company often means taking on an unknown level of risk. The merger may bring in a new technology stack that seems to be exactly what your company needs to increase its competitive advantage. However, integrating systems blindly may introduce a whole host of vulnerabilities into your organization, undoing years of hard work. Standardizing security assessments as part of the M&A process helps identify vulnerabilities, and the remediation costs they carry, before the deal closes rather than after. A third-party testing firm can provide the impartial assessment needed to move forward with confidence.

Vendor Security

Partnering with various vendors is critical to the success of your organization. Every vendor is ready to assure you that they take security "seriously" or even "very seriously." Trust, but verify: a testing goal targeting vendor systems integrated with your organization is a solid starting point. Note that testing systems a vendor owns or operates requires the vendor's explicit written authorization, so build that into the contract and the engagement's rules of engagement. Additionally, vendors should be able to produce sanitized versions of their own penetration testing reports as evidence of their "serious" commitment to security.

Blue Team Training

A key part of your blue team's responsibility is to detect and respond to threats. Keeping these capabilities sharp requires both training and experience. Well-scoped Red Team and Purple Team engagements can provide valuable learning experiences for your blue team: a Red Team engagement runs without the defenders' knowledge and measures detection and response as they actually stand, while a Purple Team engagement runs with the blue team watching, so each technique can be tuned against as it is executed. Setting a testing goal of providing a realistic attack scenario in a controlled fashion can identify gaps across your technology, training, processes, and design.

Working in information security means finding the compromise between ideal security and the reality of our chaotic world. Well-planned and well-executed offensive testing can provide the arrows in your quiver needed to advance your information security program.