Attackers take advantage of the pentest time cycle to intrude networks.
— Lumu Technologies
Penetration testing started as a concept in 1960 as early computer industry pioneers knew there would be inherent risks to controlling access. In 1984, the US Navy commenced the idea of ethical hacking to demonstrate just how easy an attacker could breach a naval base. Both penetration testing and ethical hacking remain omnipresent today and are heavily relied upon to limit vulnerabilities.
The initial idea of penetration testing is fascinating because you place yourself in the shoes of the attacker to proactively uncover vulnerabilities. While certainly a useful exercise for security teams, there are important limitations.
First and foremost, pentesting is typically conducted once every three months. That’s it. If the pentester detects something, you work on a remediation plan until you are “secure.” Attackers take advantage of this time cycle to intrude networks.
— Lumu Technologies
Another drawback is you assume penetration testing details everything there is to know about your exposure. If pentesting goes well, it only denotes the person who performed the test can’t breach your network. It does not signify that an attacker with higher skills cannot gain access. That is a major distinction.
Also consider that money is a powerful incentive. The person conducting the pentesting wants to quickly perform the analysis, write a report and move on to the next client or task. An attacker is highly motivated and persistent as breaching the targeted network means a big reward. So, do these shortcomings mean that pentesting is irrelevant? Absolutely not. Similar to other security tools in the shed, pentesting is necessary and in some cases even required due to regulations. At the end of the day, however, your job as a security professional is not compliance but to avoid a breach that adversely impacts the company.
What can be done? The first step is to assume that you are compromised. This is a simple statement, but it totally changes your mindset and allows you to work inside-out. With this approach, it doesn’t matter how an attacker breaches your network. What matters is your ability to identify and act upon a compromise at speed.
With this mentality, you don’t focus on vulnerabilities and try to breach your system. When all is said and done and the dust clears, breaching the system will always be as simple as clicking a link. You can have the more “secure” network, but endpoints and employees will always be exposed. So why not assume you are compromised and prove otherwise?
When you come to terms with this realization, you can think in a totally more proactive way. At LUMU we call this concept continuous assessment which means that you are constantly working to identifying IOCs (indicators of compromise) to avoid a breach before it happens. You don’t need to wait until your next scheduled pentesting or rely on the ability of the pentester. You can take action today.
Remember that hacking your system is only the first step. The attacker then needs to escalate privileges, locate the desirable data and ultimately exfiltrate. You are well on your way if you can inhibit this cycle by proactively detecting anomalous behavior.
Visit us at www.lumu.io or contact us at info@lumu.io if you would like to learn more how LUMU can help you on your path to cyber-resilience.
Reading Time: 4 mins48% of ransomware attacks successfully evade EDR. Threat actors like Qilin are…
Reading Time: 6 minsAI-powered autonomous malware now generates unique threats at machine speed. This makes…
Reading Time: 4 minsThe Education sector is the number one global cyber target. It is…
Reading Time: 5 minsContact is not compromise. True proactivity means prioritizing rapid response not blindly…
Reading Time: 6 minsAsyncRAT is an adaptable open-source Trojan that has evolved into a global…
Reading Time: 10 minsThis technical deep-dive analyzes a sophisticated Amadey Stealer campaign leveraging Living-off-the-Land tactics…