For far too long, penetration testing has been focused on delivering assurance on organizations' defensive capabilities. Organizations have commissioned penetration tests against internal and external network segments, against applications and databases, and in almost all instances the focus has been on identifying vulnerabilities in the defenses that can be exploited. Pen testers assess the firewall build and identify weaknesses in its configuration. They assess web applications and identify vulnerable code and configuration. They assess databases, network shares and other security devices in the hope of identifying vulnerabilities that could be leveraged by an attacker.
In years gone by, a purely defensive approach to cyber security was very much the norm. However, as threats have become more sophisticated and attacks have started to target people and process in parallel with technology, the ability to defend 100% of the time has become near impossible. Blend this with the fact that organizations are using cloud services more than at any time in history, and that users rely on mobile apps, social media and always-on Wi-Fi, and the odds are stacked against the defenders.
Many organizations now realize that they need a detection and response strategy. It is no longer acceptable to pay lip service to incident planning by downloading a free template from the Internet and filing it away in a drawer for a rainy day. Organizations recognize that a strategy built on detection and response in depth is far better suited to today's threat landscape.
Although organizations have been developing their detection and response capabilities for a number of years, in most instances these are far less mature than their defensive capabilities. Technology such as IPS and SIEM appliances is installed across many organizations, yet it is not uncommon for the process of managing and responding to the alerts these devices generate to be very poor. Telling a busy systems administrator to respond to the emails generated by a SIEM appliance typically results in one thing: a set of auto-archive or auto-file Outlook rules that move every alert into a folder for review at some point in the future, when the administrator has a bit more time. Detection and response is not a part-time role. It requires a consistent and rigorous process to be executed against every event and incident, 24/7, 365 days a year. We would recommend a 24/7 security operations center (SOC) as the best approach for building a consistent capability to detect malicious traffic and events.
Even if you have implemented a SOC, it should not stop there. In the same way that you commission penetration tests to deliver assurance against your defenses, you should be conducting technical assurance activities against the SOC function to gain confidence that it can actually detect and respond to attacks. The assurance activities delivered against a SOC should reflect the threats the organization is currently likely to face. We would recommend that these activities be tiered, commencing with the tactics, techniques and procedures (TTPs) associated with unsophisticated threat actors. They should then build up to deliver assurance against the TTPs associated with hackers, disorganized crime and organized crime groups. For some organizations this may also include simulating known TTPs that have been documented for state-sponsored or state-led adversaries.
Assurance activities designed to validate the effectiveness of a detection and response strategy need to consider multiple stages of an attack. It would be foolish to focus only on detecting malicious traffic at the core assets. Organizations should aim to have multiple detection points in their environment, interspersed across the attack tree, so that malicious activity is detected as early in the attack path as possible.
When delivering assurance against a number of different threats, pen testers need to be prepared to iterate through multiple paths in the attack tree so as to deliver as holistic a view as possible within the constraints of the assessment. The goal of the exercise is to simulate real threats and to deliver assurance against the SOC's detection and response capability.
A number of penetration testing companies are now working with clients to deliver assurance on organizations' detection and response capabilities.
At Nettitude, we deliver purple teaming activities to achieve this goal. We also deliver detection and response assessments (DARA) and incident response maturity assessments (IRMA), all with the intention of helping an organization understand which types of attack it can see.
Contact our expert team today for a consultation.