Strategy and Tactics: Penetration Testing in the Security Program
In the war of information security, the eldritch horror of knowing resides in the bowels of the vulnerability scanning report. Before, you might have had uncomfortable uncertainty, but you now have assertions that your environment is treacherous.
The temptation to run screaming has gripped many an engineer; the experience can be overwhelming. So, how do you begin to fight this new army of findings? What weapons should you use? What battle should you start? Does it mean your entire patch management program is lost?
You could use CVSS rankings to establish priority. You could take the time to modify them according to your specific environmental and temporal controls. You could take the vendor’s severity ranking for granted, independent of the specifics of your environment. You could manually review individual findings and put them in the greater context of internal intelligence. But, what about false positives? How do you even convince anyone that your limited resources must be spent on this? In the end, people often learn that they have more questions after scanning than they did before scanning.
So, we retire to our war room and consider the battle in terms of armies instead of soldiers. Each finding is our enemy. But, do we need to solve all of them? Are we even engaging the right army? What if we don’t allow ourselves to become mired in statistics? What if we don’t try to generate zero-length vulnerability scan results by killing our operations engineers or destroying our budget?
Impact is convincing. At the center of what really matters is the question: So what? How does this finding fit within a threat model? If a disgruntled insider wanted to do harm, what could happen? What about if an internal asset were compromised by malware and undetected? How many of the weaknesses identified by the scanner are things that would actually matter in these scenarios? In what other scenarios would they matter?
Attack simulation is an exploration of impact. Penetration testing is the “so what?” of information security programs. It’s easy to say that this type of exercise won’t matter, because you know the tester will succeed; your controls aren’t ‘there’ yet. But, that’s under-valuing the exercise. The point is not necessarily to pass the test, but to take lessons from the failure; lessons that help you to prioritize your security efforts strategically.
During a penetration test, not only do you get the opportunity to examine the attack chains that put your data most at risk – something a vulnerability scanner lacks the dynamic capability to evaluate – but, you can holistically examine whether or not your controls are effective. Whether that’s your patch management program or your incident response and monitoring, you can focus on the overall program rather than only seeing individual findings (often missing patches).
Patching is critical. But, in most scenarios, only a small portion of vulnerabilities are able to be used to compromise an asset from the network without prior authentication. If unauthenticated network attackers are your most significant threats, that’s how you establish priority. Privilege escalation is one of the biggest threats in a BYOD or open environment. Scanners don’t do well at identifying configurations or logical weaknesses that enable propagation throughout an environment, or show what data could be compromised as a result of successful exploitation. But, an attacker can.
So, consider an attack simulation to help identify strategic actions, not only tactical findings. Make sure you are hindering the enemy army by breaking their attack chains, that your monitoring and response are effective, and buy yourself enough time to address the rest of those findings as your time, budget and program matures.