Thoughts about whether or not penetration testing is a worthwhile exercise in today's world of APT attacks.
For years, penetration testing has been the mainstay of determining the security level of a company's digital infrastructure. However, more and more security pundits are questioning the effectiveness of penetration testing.
Chris Marrison, EMEA technical director of Infoblox, has given voice to that concern in his post "Has the time come to give up penetration testing?" "As no firewall can be 100 percent effective in keeping attackers out, and with networks continuing to grow and shift in shape," Marrison said, "it's clear that organizations now need to adopt a new approach to protecting their IT infrastructure."
What exactly is penetration testing?
At some point in their career, most digital forensic and security professionals make use of the SANS Institute's penetration testing curriculum. Knowing that, it makes sense to see how SANS defines pen testing. According to SANS, a penetration test has the following characteristics:
- Model the activities of real-world attackers
- Find vulnerabilities in target systems
- Exploit found vulnerabilities under controlled circumstances
- Determine and document risk and potential business impact in a safe fashion according to agreed-upon rules of engagement
- Help an organization prioritize resources to improve its security stance
Marrison builds his case
To start, Marrison pointed out that cyberattacks have evolved from pranks done for bragging rights into serious money-grabbing Advanced Persistent Threat (APT) campaigns, where bad actors prefer to remain incognito as long as possible. To Marrison this means, "Security teams need to focus elsewhere, not on what's making its way into the system, but on what's making its way out."
Another issue confronting pen-testing viability, according to Marrison, is the lack of discernible network borders. With the proliferation of mobile devices, cloud services, IoT devices, and what Marrison called Shadow IT, it becomes difficult to delineate company boundaries from the expansive internet. "Put simply, the more miles of fencing there are to patrol, with more potential points of entry, the harder it will be to keep attackers out," Marrison said. "Logically, this would suggest that pen testing is now more important than ever, but this isn't necessarily the case."
Attack starts from the inside
Attackers are side-stepping perimeter defenses by getting company employees to initiate an external connection. The two most popular methods are a phishing email and duping employees into visiting a malicious website. According to Marrison, a connection established from inside the network to a destination outside the company's perimeter gives the APT attacker a way in. Cisco's 2014 Annual Security Report affirms Marrison's claim. It states, "Most organizations, large and small, have already been compromised and don't even know it: 100 percent of business networks analyzed by Cisco have traffic going to websites that host malware."
Marrison said, "Rather than spend resources on measures such as pen testing, it's now perhaps more relevant for IT security teams to find effective ways of monitoring for, rooting out, identifying, and taking remedial action against malware and threats already inside their network."
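One way to act on the "watch what's making its way out" argument is to review outbound proxy logs for the patterns that infected hosts tend to produce: destinations on a threat-intelligence blocklist, connections straight to an IP address rather than a hostname, traffic on ports the proxy does not normally see, and regular "beaconing" from one host to one destination. The script below is an added example, not code from the article, Infoblox, Cisco or SANS; the log format (timestamp, source host, destination, port, bytes out), the sample log lines and the blocklist are all constructed stand-ins for a real proxy export and a real intelligence feed.

```python
"""Flag suspicious outbound (egress) connections in a proxy log.

Added example. Assumes a simple space-separated log format:
    <ISO timestamp> <source host> <destination> <dst port> <bytes out>
The sample log and the blocklist below are constructed, not real data.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample: ws-101 contacts a blocklisted domain every 60 seconds,
# ws-103 connects straight to an IP on an unusual port, ws-102 browses normally.
SAMPLE_LOG = """\
2014-05-01T09:00:00 ws-101 update.example-cdn.test 443 1200
2014-05-01T09:00:30 ws-102 mail.example.test 443 5400
2014-05-01T09:01:00 ws-101 update.example-cdn.test 443 1180
2014-05-01T09:01:15 ws-103 198.51.100.23 8080 300
2014-05-01T09:02:00 ws-101 update.example-cdn.test 443 1210
2014-05-01T09:02:40 ws-102 www.example.test 80 2100
2014-05-01T09:03:00 ws-101 update.example-cdn.test 443 1195
"""

# Constructed blocklist standing in for a threat-intelligence feed.
BLOCKLIST = {"update.example-cdn.test"}
# Ports the proxy is expected to carry; anything else is worth a look.
ALLOWED_PORTS = {80, 443}


def parse_log(text):
    """Turn the raw log text into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return records


def is_ip_literal(host):
    """True when the destination is a bare IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_beacons(records, min_hits=4, jitter_seconds=5):
    """Return (src, dst) pairs contacted repeatedly at a near-constant interval.

    Malware check-ins are often timer driven, so the gaps between connections
    cluster tightly; human browsing does not.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    beacons = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= jitter_seconds:
            beacons.append(pair)
    return beacons


def analyse(text):
    """Run every check and return a de-duplicated list of (kind, src, dst)."""
    records = parse_log(text)
    findings = []
    for r in records:
        if r["dst"] in BLOCKLIST:
            findings.append(("blocklisted-destination", r["src"], r["dst"]))
        if is_ip_literal(r["dst"]):
            findings.append(("direct-to-ip", r["src"], r["dst"]))
        if r["port"] not in ALLOWED_PORTS:
            findings.append(("unusual-port", r["src"], f'{r["dst"]}:{r["port"]}'))
    for src, dst in find_beacons(records):
        findings.append(("beaconing", src, dst))
    seen, unique = set(), []
    for f in findings:
        if f not in seen:
            seen.add(f)
            unique.append(f)
    return unique


if __name__ == "__main__":
    for kind, src, dst in analyse(SAMPLE_LOG):
        print(f"{kind:24} {src:8} -> {dst}")
```

On the sample data this reports ws-101 twice (blocklisted destination and beaconing) and ws-103 twice (direct-to-IP and unusual port), while ws-102's browsing produces nothing. The blocklist check is only as good as the feed behind it; the beaconing and direct-to-IP checks are what catch a destination nobody has listed yet, which is the point of looking outward rather than only at the perimeter.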
Matthew J. Harmon, security consultant and educator, also teaches SANS Institute classes in pen testing. I contacted Harmon to ask for his opinion on the value of pen testing in combating cyberattacks.
Harmon said most APT attacks leverage "poor security hygiene." As to what that means, Harmon referred me to the Council on CyberSecurity and their Critical Security Controls framework. The framework contains 20 controls. "The controls were derived from the most common attack patterns and were vetted across a broad community of government and industry, with strong consensus on the resulting set of controls," explains the SANS website. "They serve as the basis for immediate high-value action." The first five on the prioritized list are:
- Inventory of authorized and unauthorized devices
- Inventory of authorized and unauthorized software
- Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers
- Continuous vulnerability assessment and remediation
- Malware defenses
Not using the Critical Security Controls framework is what Harmon considers poor security hygiene. Harmon also points out that the above controls are part and parcel of pen testing, which in addition offers ways to improve the security posture of the client's network. Harmon sealed his argument with this insight: "The main goal of pen testing is to establish what attackers can exploit and exfiltrate before an organization's security can detect and respond."
Blended approach is best
I asked Jake Williams, SANS instructor, principal at Rendition Infosec, and a helpful source for many of my columns, about the need for pen testing. He agreed with Marrison that monitoring and gaining visibility are both important. "But, I cannot get behind saying penetration testing is not required," Williams said. "You need a blended approach of both monitoring and penetration testing."