Nov 15, 2020

What Pentesting Is and Why It’s Not Enough


Worldwide, organizations are spending $6 trillion on cybersecurity. At the same time, cybercrime isn’t cheap either. Based on FBI ransomware statistics, between 2019 and 2023, the cost of cybercrime could reach $5.2 trillion. [To paraphrase the old adage, “A few trillion here, a few trillion there, pretty soon you’re talking real money.”]

These top-level stats serve to underscore a critical point: In spite of all the investments made, the reality is that, at any given moment, there’s bound to be a vulnerability in your security defenses. The key is who finds out about that vulnerability first, you or the hacker?

Introduction to Pentesting

The hard reality, one underscored repeatedly by recent cyber attacks, is that attackers are relentless and try a variety of techniques to breach the security of enterprises and government agencies. Many of these techniques are being reused. The best way for us to ensure our security controls are going to stand up against these attacks is to actually execute them.

While an organization may implement a number of security controls, they need to assess how effective the controls in place are. For many organizations, that’s where penetration testing, also known as pentesting, comes in. At a high level, pentesting is the process of evaluating the security of an environment by attempting to exploit weaknesses that may exist.

These assessments are typically conducted annually. However, in the case of organizations with stringent regulatory compliance requirements, these tests may be done semi-annually or quarterly. Ultimately, the output of a pentest is a report that details the tests run, the vulnerabilities discovered, and the risks posed by those vulnerabilities. Based on the intelligence gathered, internal teams can prioritize the fixes needed and start remediation efforts.

What Do Pentesters Do?

The nature of a specific pentesting exercise and the role of the pentester can vary. At a high level, an organization commissions a pentester or pentesting team to investigate its defenses. Pentesting engagements can differ substantially depending on the objectives and budgets of an organization. The following are a few ways testing can vary:

  • Internal staff participation and awareness. In some scenarios, only a small subset of internal team members may be aware that a pentesting exercise is even taking place. These exercises can provide a good way to validate the efficacy not only of external controls, but also of internal processes for vulnerability identification and remediation. Alternatively, internal staff may be aware of the exercise, so they can track the pentester’s efforts and approaches.
  • Broad versus targeted. In some cases, engagements will be targeted, with security teams and pentesters collaborating, and looking at a specific area or domain. In these scenarios, security teams may provide a good deal of intelligence on existing defenses upfront, which can save pentesters time and enable them to focus on specific attacks. On the other hand, there are pentesting strategies that can be pursued in which a pentester is given the name of the company to target, and that’s it.
  • External versus internal. In many cases, pentesting is done from an external perspective, with the pentester focusing on externally accessible systems, such as web applications, domain name servers, email, and so on. In other cases, a pentester may be given a user’s credentials to execute what is known as an internal test. In these scenarios, teams can better understand the risks posed by a malicious insider or by exposed credentials.

Pentesters may use a number of different tools to aid in their efforts. These tools can make a big difference in determining how thorough, and ultimately effective, a pentest is. Pentesters can use port and vulnerability scanners, password crackers, network sniffers and proxies, and more.

The Limitations of Pentesting

While pentesting can be an important part of an enterprise’s security toolkit, it has a number of limitations:

  • Inconsistency. Pentesting is performed by specialized experts. However, the relative skill sets, backgrounds, tools, approaches, and strengths of these testers can vary substantially. Consequently, the outcomes and efficacy can vary from one engagement to the next.
  • Constrained duration. Pentesting is a costly, resource-intensive effort. Organizations may be able to enlist the services of a pentester for a single engagement, perhaps spanning a week or two, and repeat these engagements on an annual basis. Or, teams may elect to do a pentesting exercise on a more ad hoc basis, for example, after a major infrastructure upgrade, the opening of a new facility, or after a new set of controls, policies, or procedures has been put in place. However, given the fast-changing nature of today’s environments and cyber threats, an organization’s security posture can be changing every minute of every day.
  • Constrained testing scope. As the term would imply, pentesters are typically focused on penetration of networks, devices, and other assets. However, penetration is only a part of the entire cyberattack process, which also includes lateral movement, and ultimately the theft or unauthorized access or modification of data or assets. Therefore, penetration testing only offers a slice of the visibility teams really need to establish holistic, continuous security.

Additional Approaches for Validating Controls, and Their Limitations

In addition to employing pentesting, security teams can also pursue the following approaches for assessing and improving their security controls:

  • Red teams. Some organizations have developed internal teams, often referred to as “red teams,” who work together to simulate a team of cyber attackers. These teams take an offensive approach, seeking to pursue vulnerabilities and wage attacks. Typically, the types of experts that are needed to staff effective red teams are in short supply and demand high salaries. In fact, according to one report, four million cybersecurity jobs are expected to go unfilled this year. These realities make the prospect of building a new red team a costly and daunting one. Consequently, red teams are typically only found in the largest, most well-funded, and mature enterprises.
  • Vulnerability scanning. These systems scan devices in order to uncover vulnerabilities that may exist. However, vulnerability management systems don’t incorporate context, and as a result the output of these systems can be a lot of “noise,” uncovering a lot of issues that may not accurately reflect real security risks. The high volume of issues raised makes it difficult for teams to actually address them all, while offering little insight to guide prioritization. Further, even if all vulnerabilities identified actually were addressed, it may not materially enhance the organization’s overall security posture.
  • White hat or ethical hacking. The phrase “white hat” is used to distinguish between those who are seeking to help find security weaknesses and mitigate them, and the black hat hackers who are actively looking to wage attacks for their own nefarious purposes. White hat hackers use their skills to help protect against attacks. White hat hackers work to proactively find security weaknesses in order to fix them before they can be exploited by attacks. In the enterprise security arena, white hat hackers have traditionally offered pentesting services.

Breach and Attack Simulation: Automating the Pentesting Process—and More

Breach and attack simulation is an approach that promises to address many of the limitations posed by pentesting, white hat hacking, red teams, and similar security control validation approaches. These technologies build upon the talent and expertise of pentesters and white hat hackers and automate their cyber threat analysis techniques.

Rather than relying on a small team to do cyber threat analysis on an annual basis, breach and attack simulation executes thousands of proven attack techniques at scale, continuously and automatically. In this way, enterprises can now be as relentless as real attackers, to truly find the “unknown unknowns” in their security architecture.

Unlike traditional attack techniques, breach and attack simulation can also be 100% safe for production environments. The best solutions only run attack simulations on and between simulators, and never put sensitive data at risk. This way, even the most sensitive production networks can have security validated continuously to stay ahead of real attackers.

Conclusion

While pentesting is and will remain an important effort for enterprise security teams, it’s also clear that it is not enough. Fundamentally, these types of manual, one-and-done techniques will not enable teams to validate their controls and gain the insights needed to establish continuous security. It is for these reasons that the use of an advanced breach and attack simulation platform is emerging as such a vital mandate.

Additional Reading:

Learn more about the SafeBreach Labs team and their critical work here.
