We recently worked with a large, multinational manufacturer to test their defenses against cyberattacks in a controlled setting. Although the company had used penetration testing to uncover vulnerabilities before, the results of our engagement were shocking to them: We were able to harvest more than 900 credentials, enough to take down their entire domain.
If our team could do this, they could be sure it was just a matter of time before a malicious actor would try the same thing. Fortunately, the organization had the opportunity to remediate these gaps before they experienced a major security breach.
Testing Your Incident Response Plan
I attended a session on incident response planning at a recent conference. There was a lot of focus on ensuring companies have a documented plan with stakeholders, roles, and responsibilities. The presenters stressed the need to test the plan at least once annually to understand how well it would be executed and whether those involved truly understood their roles. Testing the plan should also give insight into modifications needed to improve speed and efficiency in the event of an actual critical incident.
Testing the response plan should be a core component of every organization’s security strategy. However, such testing typically starts in the later stages of the attack cycle, such as the Command-and-Control phase of the Cyber Kill Chain or the corresponding tactics in the MITRE ATT&CK Framework. A strong security strategy should therefore also include testing your defenses further upstream, before an attacker has established a foothold, using a pen test.
What Is Pen Testing?
Pen testing is a way to understand the effectiveness of your organization’s security posture holistically, including where vulnerabilities reside. It helps you change your mindset to that of an attacker, pressure-testing your defenses to find areas that can be exploited. Testing real-world scenarios and attacks that a malicious actor could carry out gives you visibility into attack vectors that could otherwise be dismissed or overlooked.
Below are just a few of the scenarios our pen testing team has uncovered when working with customers:
- Machines with an unpatched vulnerability within the remote management tool
- A privilege elevation vulnerability in the operating system
- Weak password discipline
- Network misconfigurations
Pen Testing Approaches
The IT footprint is dynamic for every organization, and any change can add complexity. Executing pen tests regularly will surface gaps in your security posture. In the story above, a customer worked with Fortra to execute the pen test. There are also tools available to enable organizations to do this themselves depending on the skillsets they have internally.
Ideally, your security strategy should include a mix of in-house and third-party testing completed throughout the year. Regardless of your approach, it’s important to keep in mind that while the results of a pen test can be unpleasant, they provide invaluable findings that help you proactively close gaps and harden against attack vectors upstream, before they are exploited.
The Role of Pen Testing in Maintaining Regulatory Compliance
Just about every compliance mandate (PCI DSS, GDPR, HIPAA, etc.) requires some sort of risk analysis to be completed for IT infrastructure. Notably, the recently adopted Digital Operational Resilience Act (DORA) specifies the need for financial services organizations in the EU to assess cyberattack risk as well as resilience capabilities. Pen testing can be a great way to satisfy the risk assessment portion of such requirements.
Pen Testing: The Cornerstone of Your Offensive Security Strategy
Keeping threat actors out requires a keen understanding of how they operate and the kinds of weaknesses they look for in networks, databases, and more. Pen testing enables you to look at your security defenses in a new way, proactively identify vulnerabilities, and take the steps necessary to protect your organization.