Penetration testing started as a concept in 1960, when early computer industry pioneers recognised that controlling access carried inherent risks. In 1984, the US Navy adopted the idea of ethical hacking to demonstrate just how easily an attacker could breach a naval base. Both penetration testing and ethical hacking remain omnipresent today and are heavily relied upon to limit vulnerabilities.
The initial idea of penetration testing is fascinating because you place yourself in the shoes of the attacker to proactively uncover vulnerabilities. While certainly a useful exercise for security teams, there are important limitations.
First and foremost, pentesting is typically conducted once every three months. That’s it. If the pentester finds something, you work on a remediation plan until you are “secure.” Attackers take advantage of this time cycle to intrude into networks.
Another drawback is the assumption that a penetration test tells you everything there is to know about your exposure. If the pentest goes well, it only denotes that the person who performed the test could not breach your network. It does not signify that an attacker with greater skill cannot gain access. That is a major distinction.
Also consider that money is a powerful incentive. The person conducting the pentest wants to quickly perform the analysis, write a report and move on to the next client or task. An attacker is highly motivated and persistent, as breaching the targeted network means a big reward. So, do these shortcomings mean that pentesting is irrelevant? Absolutely not. Like other security tools in the shed, pentesting is necessary and in some cases even required by regulation. At the end of the day, however, your job as a security professional is not compliance but to avoid a breach that adversely impacts the company.
What can be done? The first step is to assume that you are compromised. This is a simple statement, but it totally changes your mindset and allows you to work inside-out. With this approach, it doesn’t matter how an attacker breaches your network. What matters is your ability to identify and act upon a compromise at speed.
With this mentality, you don’t focus on vulnerabilities and try to breach your own system. When all is said and done and the dust clears, breaching the system will always be as simple as clicking a link. You can have the most “secure” network, but endpoints and employees will always be exposed. So why not assume you are compromised and prove otherwise?
When you come to terms with this realization, you can think in a far more proactive way. At LUMU we call this concept continuous assessment, which means that you are constantly working to identify IOCs (indicators of compromise) to avoid a breach before it happens. You don’t need to wait until your next scheduled pentest or rely on the ability of the pentester. You can take action today.
Some advantages of continuous assessment
- Assumes you are compromised and proves otherwise
- Proactive approach to detect IOCs
- Monitors your traffic 24/7
- Only spotlights critical events you need to check
- Incorporates up-to-date threat intelligence
- Helps to avoid alert fatigue
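To make the list above concrete, here is an added example (not Lumu's code or product, and not part of the original post) of the core loop of continuous assessment: outbound DNS log lines are matched against a threat-intelligence feed of indicators, and repeated hits from the same host are rolled into one event so that the analyst sees a handful of critical items instead of a flood of alerts. The log format, the IP addresses, the domains and the feed entries are all constructed for the example; swapping in your own parser and a real feed is the only change needed.

```python
"""Continuous assessment sketch: match outbound DNS log lines against an IOC feed.

Example code added for illustration. Log lines, hosts, domains and feed
entries below are constructed, not taken from any real environment.
"""
import re

# Constructed log format: "<timestamp> <source_ip> <queried_domain>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.12 updates.example-vendor.test
2024-05-01T10:00:05Z 10.0.0.12 cdn.example-vendor.test
2024-05-01T10:00:09Z 10.0.0.45 beacon.bad-c2.test
2024-05-01T10:00:13Z 10.0.0.45 beacon.bad-c2.test
2024-05-01T10:00:17Z 10.0.0.45 beacon.bad-c2.test
garbage line that does not parse
2024-05-01T10:01:02Z 10.0.0.77 mail.example-vendor.test
2024-05-01T10:02:30Z 10.0.0.77 login.bad-c2.test
"""

# Constructed IOC feed: indicator -> context. A feed refresh is just a new dict.
IOC_FEED = {
    "bad-c2.test": "known command-and-control infrastructure (constructed)",
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<domain>[A-Za-z0-9.-]+)$"
)


def parse_line(line):
    """Return (timestamp, source_ip, domain) or None for a line we cannot parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("src"), m.group("domain").lower().rstrip(".")


def match_ioc(domain, feed):
    """Return (indicator, context) if the domain or any parent domain is in the feed.

    The bare TLD is never tested, so an indicator like "test" cannot match everything.
    """
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate, feed[candidate]
    return None


def assess(log_text, feed):
    """Walk the log once and return one event per (host, indicator) pair.

    Repeated beacons from the same host collapse into a single event with a
    hit count and a first/last-seen window, which is what keeps alert volume low.
    """
    events = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the monitor
        ts, src, domain = parsed
        hit = match_ioc(domain, feed)
        if hit is None:
            continue
        indicator, context = hit
        key = (src, indicator)
        if key not in events:
            events[key] = {
                "host": src,
                "indicator": indicator,
                "context": context,
                "first_seen": ts,
                "last_seen": ts,
                "count": 1,
                "domains": {domain},
            }
        else:
            ev = events[key]
            ev["last_seen"] = ts
            ev["count"] += 1
            ev["domains"].add(domain)
    return list(events.values())


if __name__ == "__main__":
    for ev in assess(SAMPLE_LOG, IOC_FEED):
        print(
            f"{ev['host']} contacted {sorted(ev['domains'])} "
            f"({ev['context']}) {ev['count']}x between "
            f"{ev['first_seen']} and {ev['last_seen']}"
        )
```

Running this over the constructed sample reports two events, one for 10.0.0.45 with three hits against the same indicator and one for 10.0.0.77 with a single hit, while the benign vendor lookups and the malformed line produce nothing. Re-running `assess` with an updated feed is how fresh threat intelligence is incorporated without touching the matching logic.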
Remember that hacking your system is only the first step. The attacker then needs to escalate privileges, locate the desirable data and ultimately exfiltrate. You are well on your way if you can inhibit this cycle by proactively detecting anomalous behavior.