How to progress toward a truly secure organization and infrastructure after penetration testing.
You did it – you paid for penetration testing services.
Whether it was to fulfill a potential client’s request, satisfy your interest or to be compliant with some framework, you tested the mettle of your environment against white-hat hackers and came out the other side, report in-hand and next steps clear.
After remediating the critical vulnerabilities, adjusting some outdated processes and even hosting some security training, your organization has a stronger security posture than ever.
You could call it a day. You could enlist the same team to attack the same scope with the same methods the next year and the year after that, but is it worth the time and money to do so?
Sure, a headline-grabbing zero-day surfaces every so often and puts the security industry on its heels. But securing an already-mostly-secure environment is an easier task than securing an insecure one.
Pentesting Blind Spots
The double-edged sword of penetration testing is the access given to testers. Most often, this looks like low-permission domain credentials, access to a guest wireless network or a set of read-only AWS keys. This is the case for two main reasons:
- Breaking the perimeter is hard. A good firewall keeps most bad guys out with relative ease, an IDS flags the ones who try, and the technical vulnerabilities that matter are rarely exposed to the outside.
- You need to know what’s going on ASAP. Starting testers inside (the assumed-breach model), rather than having them spend days working out how to reach the area you’re most worried about, surfaces your biggest risks (and gets you remediating them) more quickly.
Because real perimeter breaches are most commonly accomplished via phishing, a short-term pentest that begins with access already granted won’t adequately assess how likely the outer walls are to break down.
On top of that, critical systems are commonly scoped out of pentest exercises to avoid downtime, customer complaints, productivity loss, etc. But if the real bad guys are willing to go after those systems, a lack of testing is a blind spot.
Penetration tests go a long way in reducing damage potential once someone is inside. But how do you know for sure that you can account for all the ways in?
Note: if you’re interested in learning more about the types of engagements referred to by security firms like ours, you’ll like our whitepaper about them!
Enter the Red Team
During red team engagements, a team of security professionals will use methods of reconnaissance, attack, and evasion utilized by real-world threat actors. Many of these methods appear in a quality pentest, but others are more time-intensive and complex, namely:
- Open-source intelligence (OSINT) gathering and persona development
- Attack infrastructure deployment and obfuscation
- Spear phishing for credentials or malware-based compromise
…and much more.
The methods above, and many more like them, are tracked and documented continuously in a framework known as MITRE ATT&CK. It is, by MITRE’s definition:
“…a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.”
Red teams that plan and report their exercises against this framework are, at the very least, simulating the documented techniques of the highest-profile threat actors in the world rather than a tester’s personal favorites. Just as importantly, it gives you a common vocabulary for asking which techniques were exercised and which of them your defenses actually caught.
Would physical access to a stolen employee machine result in complete domain compromise? Could someone disrupt or divert cash flow using a phished finance executive’s account? How long would it take for you to discover that your network was compromised?
Red team exercises provide answers to all those questions and more.
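As an added example (not code from the original post or from risk3sixty), the Python script below shows one way to put ATT&CK to work on those questions: it maps a red team activity timeline to technique and tactic IDs, joins it with the blue team’s detection log, and reports which techniques went unnoticed and how long the intrusion stayed undetected. The ATT&CK technique and tactic IDs are real; the engagement entries, timestamps and alerts are constructed sample data for the example.

```python
"""Score a red team exercise against MITRE ATT&CK.

Added example, not code from the original post or from risk3sixty.
The ATT&CK technique and tactic IDs are real; the engagement timeline and
the detection log are constructed sample data for illustration.
"""
from datetime import datetime

# Constructed red team activity log:
# (ATT&CK technique ID, tactic, what the team did, UTC time it happened)
RED_TEAM_LOG = [
    ("T1589", "TA0043 Reconnaissance",
     "OSINT: harvest staff names and email format from public sources", "2024-03-04T09:00:00"),
    ("T1585.001", "TA0042 Resource Development",
     "Persona: fake recruiter profile on a social network", "2024-03-04T11:30:00"),
    ("T1583.001", "TA0042 Resource Development",
     "Infrastructure: register a look-alike domain for the phishing site", "2024-03-05T08:15:00"),
    ("T1566.002", "TA0001 Initial Access",
     "Spear phishing link to a credential-harvesting page", "2024-03-06T10:05:00"),
    ("T1078.002", "TA0001 Initial Access",
     "Log in to the VPN with the phished domain account", "2024-03-06T10:40:00"),
    ("T1003.001", "TA0006 Credential Access",
     "Dump LSASS memory on the phished user's workstation", "2024-03-06T14:20:00"),
]

# Constructed detection log from the blue team: (technique ID, UTC time the alert fired)
DETECTION_LOG = [
    ("T1003.001", "2024-03-06T14:23:00"),  # EDR caught the LSASS access within minutes
    ("T1566.002", "2024-03-07T16:00:00"),  # phishing email reported by a user a day later
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def first_alert_per_technique(detections):
    """Earliest alert time for each technique ID that was detected at all."""
    first = {}
    for tid, ts in detections:
        when = _ts(ts)
        if tid not in first or when < first[tid]:
            first[tid] = when
    return first


def assess(red_log, detections):
    """Join the red team timeline with the detection log.

    Returns one dict per action with 'time_to_detect_min': minutes from the
    action to the first alert for that technique, or None if it was never
    detected (an alert that predates the action does not count).
    """
    first = first_alert_per_technique(detections)
    results = []
    for tid, tactic, description, ts in red_log:
        executed = _ts(ts)
        alerted = first.get(tid)
        ttd = None
        if alerted is not None and alerted >= executed:
            ttd = (alerted - executed).total_seconds() / 60
        results.append({"technique": tid, "tactic": tactic,
                        "description": description, "time_to_detect_min": ttd})
    return results


def tactic_coverage(results):
    """Per tactic: (techniques exercised, techniques detected)."""
    coverage = {}
    for r in results:
        exercised, detected = coverage.get(r["tactic"], (0, 0))
        coverage[r["tactic"]] = (exercised + 1,
                                 detected + int(r["time_to_detect_min"] is not None))
    return coverage


def undetected(results):
    """Technique IDs the team used that produced no alert: your blind spots."""
    return [r["technique"] for r in results if r["time_to_detect_min"] is None]


def dwell_time_min(red_log, detections):
    """Minutes between the first Initial Access action and the first alert after it.

    This answers "how long would it take you to discover the compromise?".
    Reconnaissance and resource development happen outside your network, so
    the clock starts at initial access. Returns None if nothing was ever caught.
    """
    entries = sorted((_ts(ts), tactic) for _, tactic, _, ts in red_log)
    breach = next((when for when, tactic in entries if tactic.startswith("TA0001")), None)
    if breach is None:
        return None
    alerts = sorted(_ts(ts) for _, ts in detections if _ts(ts) >= breach)
    return (alerts[0] - breach).total_seconds() / 60 if alerts else None


if __name__ == "__main__":
    results = assess(RED_TEAM_LOG, DETECTION_LOG)
    for r in results:
        status = "undetected" if r["time_to_detect_min"] is None else f"{r['time_to_detect_min']:.0f} min"
        print(f"{r['technique']:<10} {r['tactic']:<28} {status:<12} {r['description']}")
    print("\nCoverage by tactic (detected/exercised):")
    for tactic, (exercised, detected) in tactic_coverage(results).items():
        print(f"  {tactic:<28} {detected}/{exercised}")
    print("\nBlind spots:", ", ".join(undetected(results)))
    print("Dwell time before first alert:", dwell_time_min(RED_TEAM_LOG, DETECTION_LOG), "minutes")
```

With the sample data, the pre-breach tactics (reconnaissance and resource development) are invisible to the defenders, as you would expect, the phished login with a valid account produces no alert at all, and the first alert fires 258 minutes after the phishing link went out. Feeding the same script a real engagement timeline and your SIEM’s alert export turns a red team report into a list of techniques you could not see, which is exactly the gap a pentest with pre-granted access never measures.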
Let’s Get Started
Are you interested in the services of a red team? Not sure where to start with penetration testing? Allow one of our world-class consultants to guide you by contacting us!
Also, if you’d like to know more about what goes on during a risk3sixty penetration test, check out our whitepaper, Pillars of Pentesting: A Guide to the Risk3sixty Attack Strategy.