Sunday, December 15, 2024

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

In my past 16+ years as a tech writer, one of the themes I have written about a lot is Penetration Testing.  I have written many blogs and articles on it, published an eBook (through Amazon), and had a print book on the subject published by CRC Press.

I have even formed partnerships with various Cyber vendors offering their Penetration Testing services.  Their approaches have run the gamut from fully manual testing to complete automation.

There is a huge debate about this, and in all the writing and discussions I have had about it, I fall somewhere in the middle.  I think certain parts of the Penetration Testing process can be automated through Generative AI, but you need the human component as well, especially when it comes to communicating with the client and preparing the final report.

But the bottom line is this:  in order to launch a successful Penetration Testing exercise, whoever is doing the offensive work (the “Red Team”) needs to take on the mindset of an actual Cyberattacker.

Normally, a checklist or some kind of prepared agenda is followed, with written permission from the client.  But given just how stealthy the Cyberattacker has become, and the interconnectedness of both digital and physical assets, is simply having this enough?

Again, there is debate about this, but the consensus from what I have seen so far is “No, it is not enough.”  So, what can be done about it?  Here are some tips that I came across in a recent article:

1) The Need for Creativity:

In this instance, and I really do hate using this tired phrase, the advice is to literally “Think Outside of The Box.”  This simply means that the people doing the offensive work need to take careful stock of what the physical and digital assets of the client are.  Once this has been done, do not prepare a checklist.  Instead, ask the question “Why?”  “Why is this asset so attractive to me, from the standpoint of breaking into it?”  In other words, the actual Cyberattacker knows that the Red Team will too often be predictable.  So, it is important here to break away from this trend and become unpredictable.  This will yield even better results in the end.

2) Avoid “Button Pushing”:

This is the actual term that was used in the article.  It simply means finding that fine line between automation and human control.  Do not simply rely upon Generative AI and canned scripts to do the entire job.  As the Red Team, you need to push the boundaries just a little bit more each time you conduct an actual exercise.  This is where group effort and having a clear line of communication play a crucial role.  Some of the Penetration Testers I know tend to be introverted and isolationist.  Break away from this mold and “bang heads together” with your team to accomplish this.  Remember, two heads are better than one.

3) Take Notice of Intention:

When things were On Premises, it was relatively easy to work out what a hacker's intent would be.  But with a lot of businesses now moving to the Cloud, this has become a murky area to figure out.  To crack this, try to figure out what the intent of an actual Cyberattacker would be.  But do not just look for the obvious things, such as theft of passwords and Data Exfiltration; instead, try to find those exceedingly small, minute points that the Cyberattacker would be most interested in tapping into.  In this regard, one of their main intentions is to launch what are known as Supply Chain Attacks.  This is where a malicious payload is inserted through one tiny vulnerability, and from there a cascading effect takes place that impacts hundreds or even thousands of victims.  We saw this in the SolarWinds hack, and even though CrowdStrike denies it was an actual attack, just one mistake made in their software update tool created havoc around the world.  Remember, the Cloud is still to some degree undefined territory, especially in Public Deployments.  This is where the Cyberattacker is trying to find those very tiny cracks to slip into.

4) Create The Culture:

This is the role of the CISO of an organization.  They must take the initiative to create a “Hacker Culture” within their IT Security team.  Meaning, it is not just one person who should have this kind of mindset; rather, everybody needs to.  One of the best ways to do this is to launch simulation exercises, and there are many tools online that you can use to do this.  Or, even better, engage a true Cyberattacker who has now turned to the “good side.”  Have conversations with them about what they hacked into in the past, why they did it, and what their primary intention was.  If you trust them implicitly, then it would also be best to have them take part in the actual Penetration Test with your team.  After all, they have been in the trenches before, and what better asset could you have?

My Thoughts on This:

Well, there you have it: some tips to launch a better Penetration Test.  In the end, complete automation can only take you so far.  In fact, in my view, these tools are far more prone to making mistakes than a human being would be.  For example, what if they hit the wrong target by mistake?  Or, what if the results they provide are not even accurate?

The argument here is that with an automated tool, for just one flat annual fee, you can run multiple Penetration Tests as needed.  This stands in sharp contrast to a manual test conducted by a human team, which can range anywhere from $30K-$40K per test.  But in the end, remember: you get what you pay for.
