How to evolve pen testing into offensive security

The rapid and constant expansion of enterprise attack surfaces is an ongoing, unrelenting pressure for security teams. With the Internet of Things (IoT), vulnerable web applications, hybrid working and the mass migration to the cloud, staying one step ahead of adversaries has never been more difficult. So much so that attackers can now actually identify and exploit a perimeter in under 10 hours.

If security teams want to regain the lead in the race against threat actors, they need to address the fatal flaw that is holding them back: they don’t know the course conditions, or where they are in the pack. Sticking solely with traditional, point-in-time pen testing is this flaw realised. Too often, companies treat pen testing like a box ticking exercise, testing irregularly at lengthy intervals. This is not the solution for continuously uncovering exposures, in fact it jeopardises security by providing a view of risk posture that is only as good as when the last test was conducted. 

In an ever-evolving threat landscape and ever-changing business and technology environment, point in time testing therefore needs to evolve into a continuous, offensive approach to security.

Embracing red teams

Levelling up from point-in-time pen testing to continuous and offensive security with the support of red teams highlights the value of prevention over cure. Traditional pen testing is a key step, but it focuses too heavily on individual elements and the current state of security, whereas red teaming interrogates the attack surface and checks for weaknesses across people, process and technology.

This is a relentless process to gain insights into the potential to compromise and how this would impact critical assets, rather than only focusing on vulnerable points of entry. Defenders therefore gain an advantage over attackers; they’re empowered to fix security flaws as well as minimise the impact of any potential compromise.

What’s more, while automation can assist traditional pen testing, it can result in an enormous amount of false positives that simply creates more work for teams to sift through. With a continuous red team approach, automation and human intuition meet well in the middle. Skilled and experienced red teams can mimic the unpredictability of attacker behaviour, and use techniques that technology may not anticipate in order to identify the most impactful vulnerabilities. Automation in this context, drives projects more efficiently, garners more focused results, and can remove the mundane tasks from their ‘to do’ lists.

Is your pen testing up to the task? 

Security teams should consider a number of elements when looking to explore red teaming as a level up from point-in-time pen testing. First, it’s worth asking how you are managing assets across the attack surface. And how certain you are that you have absolute visibility across your entire IT infrastructure? Malicious actors are adept at finding attack surfaces that IT teams didn’t know could be a risk. A red team will be able to discover these surfaces and tell you where it could take them.

It’s also important to interrogate how your team is identifying exposures, and find out how often you are completing point-in-time pen tests? Is this only at short notice, or at lengthy intervals? Perhaps you think that you should be identifying more high-risk exposures with each test, or you’re worried that some are going undiscovered. 

Thirdly, how are you triaging discovered exposures to prioritise critical issues? It’s pivotal that you recognise the high-risk exposures as early as possible to create time for remediation. Red teams know how attackers could use these exploits; they’ll be using this experience to decide which issues to prioritise.

Validating identified exposures and determining their post-exploit impact is also key. Red teams know how attackers behave and will probe an exposure until they break through. They have the skills to eliminate the noise and raise the alarm when a flaw has real-world exploitability, ordering these issues based on urgency. And after you’ve removed a vulnerability, how do you verify remediation and measure if your risk level is reduced? Red teams can tell you. Remediation isn’t the end, and what was once vulnerable should be continuously tested by experts. 

Finally, how do you inform the improvement of the organisation’s overall security posture? While pen testing may only scratch the surface, continuous red teaming provides a deep understanding of your attack surface and how your network could be manipulated. From this knowledge, a bespoke list of actions can be developed for stronger security to shut the door on an attacker before they knew it was there.

Taking a proactive, offensive approach to cybersecurity is necessary to keep pace with an attacker mindset and plug the gaps left by point-in-time pen testing. To go on the offensive, organisations should deploy red teams to continuously scrutinise cyber defences, ending an overreliance on outdated vulnerability reports and elevating cybersecurity to stay steps ahead of attackers.