Breaking Down Two Techniques to Stay Ahead of Cybersecurity Threats
Over the last 25 years, there’s been an evolution in information security with an ever greater need to share data access and systems with customers, suppliers and partners. To effectively and proactively secure these assets across various computing platforms while enabling rapid decision making, companies often rely on defensive security best practices with timely vulnerability patch management and penetration testing along with an ever-growing assortment of security software. Yet, there’s still breaches occurring in companies who are doing all the right things.
This may lead you to wonder: “If Fortune 500 companies with enormous security budgets still get breached, what chance do we have?” Given this reality, it’s time to rethink traditional approaches and consider a new paradigm. In this blog post, we’ll look at two important techniques that’ll help you stay ahead of the current threat landscape in cybersecurity:
- Shifting left and applying the agile methodology to security testing. This approach applies incremental, targeted security testing to keep up with the fast pace of code changes from agile development to ensure new vulnerabilities don’t slip into production.
- Simulating breach and attack. This technique utilizes intelligence with the latest trends in the dark web through the “eye of the enemy,” tests your network and systems against it without the malicious payload and, most importantly, fortifies you against those attacks.
It is important to understand how bad actors breach the seemingly impenetrable walls of the biggest and best defended companies in the world. Bad actors are gaining access by exploiting known but unpatched vulnerabilities (e.g., log4Shell and F5 BIG-IP), using supply chain attacks (e.g., SolarWinds and Okta) and finding IoT devices as gateways into the network. What’s also growing are very sophisticated, custom crafted attacks using the latest exploits available on the dark web. How then do we defend against these attacks? These two approaches explained below can help by adding a level of testing that goes well beyond what most organizations are doing today.
Shifting Left: Incorporating Security Testing into Proven Agile Methodolog
Breach prominence leads us to question whether annual penetration testing or even semi-annual testing is enough. In recent years, the approach has been shifting left to accelerate development cycles and release more frequently. However, if you’re releasing on a monthly or even bi-weekly cycle but only security testing your applications once or twice a year, how can you possibly keep up with the potential vulnerabilities being introduced into every release? Using static code analysis and dynamic testing with each release alone isn’t as effective in finding vulnerabilities as manual pen testing, as successful attacks can cleverly combine multiple seemingly small risk vulnerabilities to compromise the entire system. We must apply the same approach to security testing that we do to our release schedules: shift left.
The agile approach to penetration testing evaluates risk and determines the appropriate test cadence based on substantive or material changes to your code base. It closely aligns release cycles with test cycles to increase efficiencies, streamline the testing process and reduce risk. It makes security an integral part of the development process.
But how can we take something you have budgeted to do once or twice a year and do it monthly or even bi-weekly? The answer is incremental testing. If you do a baseline assessment with every major release or at least once annually, you can focus subsequent efforts on the incremental changes in the code base. This way you are doing smaller assessments more frequently and flattening the risk curve by catching potential vulnerabilities before they make it to production. This is an important shift from the traditional approach to penetration testing.
If you are not already looking at how to accelerate your testing to be more closely aligned with your release cycles, then you are leaving your applications, and company, exposed to potential risk between penetration testing cycles.
Testing & Reinforcing Security Through Breach & Attack Simulation
The next evolution of penetration testing incorporates the same approach that a sophisticated attacker would take. It’s always been said in the security industry that nothing is 100% secure and given enough time and concentrated effort, a determined and capable attacker will always succeed in gaining access. Security research and intelligence is a critical component to this approach, as is careful and sometimes exhaustive reconnaissance of the target. A thorough understanding of the emerging threat landscape and cutting-edge attacks is necessary to map the attack vectors of interest that emerged during reconnaissance to the cutting-edge attacks that can be leveraged to bypass your defenses.
Not only do you need to understand what is new and emerging, but you need to be able to do a timely analysis of these emerging threats. Dissecting and decompiling the attacks and understanding how they work is the first step. Categorizing them into an industry standard framework like the MITRE ATT&CK framework allows the attacks to be sorted by attack vector. Finally, stripping the malicious payload so these attacks can be tested against a company’s defenses without malicious impact allows you to determine if you are vulnerable to such attacks.
A new market segment of breach and attack simulation (BAS) is emerging to do this type of testing. The true power of the solution is in the underlying or supporting intelligence and engineering capabilities.
How does BAS work? The BAS approach uses a service that gathers the most up-to-date intelligence available on the dark web about new and emerging threats and attacks. As they are identified, the intelligence team dissects those attacks and strips them of their malicious payloads to make them safe for testing in client environments. BAS services determine each company’s potential exposure and susceptibility to specific attack vectors and customizes the approach to those most likely to bypass their defenses. BAS teams select the emerging threats most likely to succeed in bypassing the client’s defenses. BAS then executes those attacks to validate susceptibility and demonstrate how the attack was successful. While knowing where you’re vulnerable is important, BAS goes a step further and provides detailed remediation instructions so you can close those vulnerabilities with the existing security tools you have.
As cyber criminals continually evolve their attacks, so must our information security defenses. Companies must keep pace and remain creative and vigilant to stay ahead of these threats. While some might suggest you throw yet another complicated layer of security technology at each emerging threat, consider changing your defensive philosophy to do more with existing budgets and tools. Everyone’s IT and security experts are always advocating for more tools and bigger budgets, but their business counterparts are always pushing us to do more with less. With shrinking budgets and ever-expanding threats from bad actors, we have to find a better way to accomplish the mission. This means embracing new paradigms and aligning your security initiatives to your business objectives. By incorporating security testing into agile methodology and testing security through breach and attack simulation, you can embrace change, increase efficiencies and align spend with positive business outcomes.