Unfortunately, the technical testing marketplace is full of vendors claiming they can find gaps in your prevention, detection and response capabilities.
However, when you look below the surface and into the details of the results and methods used, many vendors fail to mimic real-world tools and tactics and instead rely on a vulnerability-based methodology with off-the-shelf tools.
In the real-world, threat actors will use any means necessary with any combination of tools and techniques including writing their own exploits to move throughout your network. The question is, with so many cybersecurity vendors claiming the same thing, how does an organization differentiate one technical testing service from another?
In this video, David Langlands, Director of SecureWorks Technical Testing covers the questions you should be asking yourself and your potential vendor such as:
- How closely does the test mimic what real threat actors are doing?
- How relevant is this type of testing to the threat landscape?
- Is the vendor going to sit in the environment and try to use passive techniques to retrieve passwords and move laterally throughout the environment?
- How skilled are they at using manual techniques?
- Are they totally reliant on a specific tool or set of tools?
The industry has really changed quite a bit in the last few years, and many vendors haven’t changed with it. They still look at testing as more of a vulnerability-based methodology. I’m going to come into your environment, I’m going to use, basically, off-the-shelf tools to go out and identify a bunch of vulnerabilities, I’ll execute some exploits perhaps against those vulnerabilities and show you maybe what’s on those systems. And what we see in the field, and what we see with threat actors, none of them use that type of methodology. They don’t use any off-the-shelf tools. They may not even need exploits once they gained access to your environment through phishing to move throughout the environment, move from place to place. And so, what you really should look for as an end user of these types of services — penetration testing, Red Team testing, application security — is how closely does it mimic what the actual threat and the threat actors are doing. How relevant is this type of testing to the threat landscape? Is the vendor actually going to sit passively in the environment for a while and try to use passive techniques to retrieve passwords and move laterally throughout the environment? How skilled are they at using manual techniques? Are they totally reliant on a specific tool or set of tools? Or can they actually write their own exploits and can move manually? That I think is what separates, in the current day, a team that can perform testing that really mimics the real-world threat versus the simple vulnerability assessment plus a bit of exploit that many vendors are still currently saying is a penetration test.
Why is goal-based testing important?
When we talk about testing, we talk about goal-based testing, what’s important to the business? And what’s important to the business is typically protecting their information assets, avoiding a breach, being able to detect a breach as quickly as possible. And if you’re simply just doing a vulnerability assessment that does a very good job of testing whether or not your patching program is working or whether or not your vulnerability management program could be effective. But in reality, many threat actors don’t need vulnerabilities in many cases to cause significant damage to a client’s environment once they’ve gained access. What I mean by that is, once they’ve potentially, successfully phished a client, they may be able to move laterally throughout that environment just using passwords. They may use off-the-shelf administration tools that exist in the environment to move from machine to machine and deploy software on machines just by using administrative credentials. So simply identifying vulnerabilities, and being able to show a window that shows you’ve got access to a specific system, doesn’t really demonstrate any business impact. It’s really the opportunity to show a client that, for example, we’ve gained access to their HR system and we’re able to pull payroll data. We’ve gained access to their financial system and we were able to put false transactions in their financial data. Those are the kinds of things that demonstrate real business impact and that’s what a goal-based test truly is.