Strategy and Tactics: Penetration Testing in the Security Program

November 21, 2014

In the war of information security, the eldritch horror of knowing resides in the bowels of the vulnerability scanning report. Before, you might have had uncomfortable uncertainty, but you now have assertions that your environment is treacherous. 

The temptation to run screaming has gripped many an engineer; the experience can be overwhelming. So, how do you begin to fight this new army of findings? What weapons should you use? What battle should you start? Does it mean your entire patch management program is lost? 

You could use CVSS rankings to establish priority. You could take the time to modify them according to your specific environmental and temporal controls. You could take the vendor’s severity ranking for granted, independent of the specifics of your environment. You could manually review individual findings and put them in the greater context of internal intelligence. But, what about false positives? How do you even convince anyone that your limited resources must be spent on this? In the end, people often learn that they have more questions after scanning than they did before scanning.

So, we retire to our war room and consider the battle in terms of armies instead of soldiers. Each finding is our enemy. But, do we need to solve all of them? Are we even engaging the right army? What if we don’t allow ourselves to become mired in statistics? What if we don’t try to generate zero-length vulnerability scan results by killing our operations engineers or destroying our budget?

Impact is convincing. At the center of what really matters is the question: So what? How does this finding fit within a threat model? If a disgruntled insider wanted to do harm, what could happen? What about if an internal asset were compromised by malware and undetected? How many of the weaknesses identified by the scanner are things that would actually matter in these scenarios? In what other scenarios would they matter?

Attack simulation is an exploration of impact. Penetration testing is the “so what?” of information security programs. It’s easy to say that this type of exercise won’t matter, because you know the tester will succeed; your controls aren’t ‘there’ yet. But that undervalues the exercise. The point is not necessarily to pass the test, but to take lessons from the failure; lessons that help you prioritize your security efforts strategically.

During a penetration test, not only do you get the opportunity to examine the attack chains that put your data most at risk – something a vulnerability scanner lacks the dynamic capability to evaluate – but, you can holistically examine whether or not your controls are effective. Whether that’s your patch management program or your incident response and monitoring, you can focus on the overall program rather than only seeing individual findings (often missing patches). 

Patching is critical. But, in most scenarios, only a small portion of vulnerabilities can be used to compromise an asset from the network without prior authentication. If unauthenticated network attackers are your most significant threats, that’s how you establish priority. Privilege escalation is one of the biggest threats in a BYOD or open environment. Scanners don’t do well at identifying configurations or logical weaknesses that enable propagation throughout an environment, or at showing what data could be compromised as a result of successful exploitation. But an attacker can.
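To make the "so what?" concrete, here is a small triage script written for this post as an added example (it is not Optiv's code or any scanner's output). It takes a handful of constructed scanner findings and ranks them twice: once under a threat model where unauthenticated network attackers matter most, and once under an insider/compromised-endpoint model where privilege escalation and lateral movement matter most. The finding fields, the threat-model weights, the asset sensitivity multipliers and the host names are all assumptions chosen for illustration; the point is that the same scan report produces a different priority order once you ask which attack chain each finding actually feeds.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed threat models (assumption): weights express how much a finding's
# role in an attack chain matters to each adversary. Tune these to your program.
THREAT_MODELS: Dict[str, Dict[str, float]] = {
    "external_unauthenticated": {"unauth_network": 6.0, "priv_esc": 1.0, "lateral": 1.0},
    "malicious_insider":        {"unauth_network": 1.0, "priv_esc": 4.0, "lateral": 4.0},
}

# Constructed multipliers (assumption): how much data is behind the affected host.
SENSITIVITY: Dict[str, float] = {"low": 1.0, "medium": 1.5, "high": 2.0}


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss_base: float          # vendor/CVSS score as reported by the scanner
    data_sensitivity: str     # "low" | "medium" | "high" (asset inventory tag)
    unauth_network: bool      # exploitable over the network with no prior credentials
    enables_priv_esc: bool    # turns a foothold into higher privilege
    enables_lateral: bool     # config/logic weakness that helps propagation


# Constructed sample scan results (assumption): hosts and titles are illustrative only.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("web-dmz-01",    "unauthenticated RCE in exposed service",           7.5, "low",    True,  False, False),
    Finding("ws-042",        "local privilege escalation in endpoint agent",     7.0, "low",    False, True,  False),
    Finding("fileserver-01", "service misconfiguration enabling lateral movement", 4.0, "high", False, False, True),
    Finding("ws-017",        "missing patch with no known exploit path",          8.8, "low",    False, False, False),
]


def priority(finding: Finding, model: str) -> float:
    """Score one finding under a named threat model.

    Base = scanner score scaled by what data the host exposes; then each
    attack-chain role the finding plays adds that model's weight for it.
    """
    weights = THREAT_MODELS[model]
    score = finding.cvss_base * SENSITIVITY[finding.data_sensitivity]
    if finding.unauth_network:
        score += weights["unauth_network"]
    if finding.enables_priv_esc:
        score += weights["priv_esc"]
    if finding.enables_lateral:
        score += weights["lateral"]
    return score


def triage(findings: List[Finding], model: str) -> List[Tuple[str, float]]:
    """Return (title, score) pairs ordered from most to least urgent for the model."""
    ranked = sorted(findings, key=lambda f: priority(f, model), reverse=True)
    return [(f.title, priority(f, model)) for f in ranked]


def by_cvss_only(findings: List[Finding]) -> List[str]:
    """The naive ordering: trust the scanner's base score and nothing else."""
    return [f.title for f in sorted(findings, key=lambda f: f.cvss_base, reverse=True)]


if __name__ == "__main__":
    print("CVSS-only order:")
    for title in by_cvss_only(SAMPLE_FINDINGS):
        print("  ", title)
    for model in THREAT_MODELS:
        print(f"\nPriority under '{model}':")
        for title, score in triage(SAMPLE_FINDINGS, model):
            print(f"  {score:5.2f}  {title}")
```

Under the CVSS-only view the unexploited missing patch on a workstation sits at the top. Under the external model the exposed unauthenticated RCE leads; under the insider model the lateral-movement misconfiguration on the file server and the local privilege escalation move ahead of it, and the high-CVSS-but-dead-end patch drops to the bottom. That reordering is the strategic output of an attack simulation, and it is what a scanner alone cannot give you.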

So, consider an attack simulation to help identify strategic actions, not only tactical findings. Make sure you are hindering the enemy army by breaking their attack chains, that your monitoring and response are effective, and buy yourself enough time to address the rest of those findings as your time, budget and program mature.
