Is offensive testing the way for enterprises to finally be ahead of adversaries?
The one principle the cyber-security industry is founded on is that defenders are always a step behind the hackers. Solutions are developed (FW, AV and onwards), technologies introduced (VMs, LB’s, microservices) practices emerge (DevSecOps anyone?) and yet – adversaries always find new ways. They bypass the IPS, prove WAF is not enough, exploit the endpoint – or all together in a single campaign all the way to the crown jewels.
Whenever a new crack appears, startups emerge, and a new cybersecurity niche is created. Almost instantly, dash of experts materialize, funds are raised, acquisitions are reported, and everyone seems happy – but are still a step behind. Because the next morning, hackers will find a new way to install a malware, steal identities or exfiltrate sensitive data.
Why are hackers always a step ahead?
Simply put – because they must be. Otherwise, they will not fulfill their job or achieve their goal. Whether they are looking to spy or to extort, they must find a way in. The lucky ones benefit from three contributing factors:
1. The more amorphic and abstract information networks become, the more loopholes there are.
2. Humans cannot perform at 100%, 100% of the time and as both complexity and number of solutions grow, they are error-prone.
3. Information sharing is much more common among hacking than among it is among commercial organizations that compete with each other. Establishing the cyber threat alliance is a step forward but the bottom line remains the same.
Getting into the mind of a hacker
The curriculum of cyber security programs – academic or in real-life – is usually similar and details the same fundamental principles. Practices are taught and processes are endowed yet are always based on the experience of the past. Let’s be fair though – how can you predict the unknown?
Hackers on the other hand, do not follow certain paradigms and heuristics. They just go around them. This different mindset makes them more creative than security practitioners are. In addition, they are nimbler – they don’t have to follow any procedures or comply with any regulations.
Current approaches are… meh
Information security staff recognize these differences and therefore usually hire a group of “white-hat” hackers, to show them where they are vulnerable. This exercise is called penetration testing, but its impact is usually low. Not because the pen-testers aren’t doing a good job, but rather, since there are few inherent constraints:
First, this is done once or twice a year. Not in a continuous manner. Consequently, by the time the defenders get to execute a plan based on the findings, these are long gone – whether patched, reconfigured or simply protected by a new solution. That, before even mentioning the number of new threats that were introduced since…
Turning it around
Due to all aforementioned reasons – such as mindset, training, information sharing, restrictions etc. – it’s unlikely to expect the security team to be ahead. And this is where technology comes in. No – not AI again… artificial intelligence, or machine learning, may improve detection, yes, but it can’t stop a full campaign of a determined hacker from reconnaissance to root.
In May 2021, following some high-profile campaigns against US-based institutions by APT groups, that included ransomware and supply-chain attacks, the administration enacted an executive order that – among many other things – encourages organizations to make use of offensive testing practices to assess their security posture and better manage risk.
Specifically, this is a call for enterprises to test, practice and drill their incident response plans and security controls to better prepare their people, processes, and technologies in case of a cyberattack.
Continuous security validation
Offensive testing technology, commonly known as Continuous Security Validation, provides information security staff and business executives a baseline of the posture of their current state in order to optimize their readiness for cyberattacks.
The other great thing about this technology is that it is completely automated – thousands of attacks are launched against the network, the systems, the applications, and the devices so the organization knows what is detected and blocked, what is detected but not blocked, and what isn’t detected at all (or detected but not reported).
A comprehensive assessment methodology must take a hacker standpoint and begin with exploring the attack surface – which digital assets are accessible and exploitable. The next phase following the reconnaissance is finding the penetration paths – an automated end-to-end campaign from the initial breach all the way to the crown jewels. The third phase is launching thousands of simulated scenarios against each and every security solution in the network to validate its configuration and find what it misses, and eventually help to prioritize vulnerability patching.
This technology allows organizations “invite” automated hackers continuously – not just once a year – to find all the loopholes before real hackers do. This way, the enterprise can be one step ahead for a change.