Security must be tried, tested, and tested again. It has become easier than ever for cybercriminals to find stealthy new ways to gain access to systems and move laterally across them, exploit gaps in hybrid workflows, or hijack cloud accounts to reach a target. It is vital that every CISO can offer a clear picture of how their security is really holding up against the latest tactics, techniques, and procedures. All too often, however, I’ve seen my fellow CISOs fall into a cycle of commissioning annual penetration tests of individual point systems in order to be “compliant,” which in practice leaves them sitting ducks waiting for a breach to occur.
The truth is, many CISOs simply fail to go far enough by opting only for a basic penetration test. Such a test is a short technical assessment of a specific component or system, with the goal of finding and exploiting technical vulnerabilities. Often, however, it amounts to little more than an automated scan: a list of unremediated vulnerabilities with no context about the actual threats facing your business – or about how attackers could actually exploit them.
In contrast, a threat-led red team exercise is more comprehensive: it works through multiple scenarios that real attackers commonly use, spanning people, processes, and technology. It offers considerably better insight into how cybercriminals might identify and exploit the weakest links in the chain to achieve their objectives (for example, exfiltrating customer data).
A red team exercise may not even need to exploit any technology-related vulnerability; rather, testers can rely on social engineering, phishing, or identifying shadow IT as an entry point. Red teamers may even resort to leaving malicious USB sticks outside offices and waiting for employees to plug them in.
This insight is worth its weight in gold. It lets the organization improve its defenses incrementally, starting with the simplest and most likely route in from the attacker’s perspective. Why spend your time and attention fixing some complex (but theoretical) technical vulnerability when an attacker will usually take the easy option?
With the knowledge gained from a red team exercise, the CISO can prioritize improvement programs that act on real-life risks, catching left-field gaps that a standard pen test would miss. Of course, the CISO will be under considerable pressure to mitigate the most severe risks quickly, and IT transformation doesn’t happen overnight.
CISOs should aim to address the easy wins first to bolster security immediately, and then consider adding preconfigured network-based threat detection and mitigation capability. This significantly boosts threat detection capability. It also offers far quicker time to value than endpoint detection and response, improving visibility immediately without requiring a wholesale change to desktop or server environments. Further, it reduces the time spent sifting through large volumes of alerts, prioritizing them so that the most urgent threats are spotted – and stopped – before they become a full-blown breach.
By testing to the nth degree, CISOs can both reduce their risk and identify the most impactful ways to improve their security. Threat-led testing should be at the top of their agenda in the months to come.
This blog was first published in The Register.