Collaborative Penetration Testing: Examining the Pros and Cons of this Approach
Posted by: Victor Wieczorek
In the last penetration testing blog, we discussed the most common type – siloed or autonomous pen-testing. In this blog, we’ll explore collaborative penetration testing, which is also known as a purple team assessment. This test goes to the next level, where the attackers are working shoulder to shoulder with the defenders (or, in pandemic times such as now, leveraging collaborative tools to accomplish the same goal from remote locations).
Pros
In this style, the objectives are set by the defender, information is shared freely, and the test itself leverages the defender’s knowledge. This is a true alignment between the attacker and the defender. Collaborative assessments allow for thinking about the current objective from the perspective of the business and/or the security organization.
Let’s put this in more real-world terms, where the goal is to tighten the defensive controls of a workstation. In order to accomplish this goal, the organization decides to deploy a new endpoint detection platform. As part of that research process, attackers look across multiple capabilities and multiple functions. So before a pen test is conducted, attackers must speak with the defenders and with the business to understand their objectives and then determine the proper test plan. The test plan should focus on achieving those identified objectives. From there, we can iterate through those objectives in a very meaningful and specific way to ensure that the goals are hyper-focused to maximize that value.
Cons
On the flip side, because the pen testers are so ingrained with the defenders for the period of the assessment (typically a week or two), it can detract from typical day-to-day operations. Consider all of the tasks a defender has on a day-to-day basis – if they have to switch off from those tasks to communicate with the tester, they are losing efficiency with their standard operating procedures. There is a lot of information with a collaborative pen test and a lot of back-and-forth communication answering questions, talking about technology, or reconfiguring exploitation or vulnerabilities. While everyone’s learning, you do have to invest that extra time.
So Which Pen Test is Right For You? Autonomous or Collaborative?
The reality is there is value in both approaches, and they test amazing things based on what we can find from Open Source Intelligence. They offer the ability to conduct a real-world test of what the threshold of detection is for your external monitoring and alerting. Maybe you have a Managed Security Service Provider (MSSP) that you rely on for security monitoring and you want to keep them honest. By doing this, you may put the internal teams at odds with one another.
Collaborative assessments are the emerging way to maximize new value. The important aspect of a collaborative test is that it helps us start to understand and move towards that continuous aspect of assessments. So collaboration enables continuous assessments by ensuring that those objectives are tightly aligned.
In the next blog, we’ll examine yet another type of pen-test… continuing assessments, including the pros and cons of this approach. Again, the goal of this series is to help you determine which approach is the best fit for your organization.
Victor Wieczorek
VP, AppSec and Threat & Attack Simulation,
GuidePoint Security
Victor Wieczorek is an information security professional with a broad range of experience in both defensive and offensive security roles. His prior work included delivering various security projects to a wide spectrum of clients with a primary focus on penetration testing, social engineering and security architecture design. As a penetration tester holding both the Offensive Security Certified Expert (OSCE) and Offensive Security Certified Professional (OSCP) certifications, he has helped organizations identify a multitude of weaknesses with a focus on root cause remediation.
Prior to joining GuidePoint, Victor consulted for a global firm where he worked to mature and standardize the security assessment practice while leading various penetration testing engagements. Before that, he was a Systems Security Engineer focused on secure architecture design for multiple federal organizations. Victor has developed skills in effective communication with client stakeholders to detail security issues, illustrate business impacts, and consult on remediation efforts.
Victor earned a bachelor’s degree in computer and information technology from Purdue University and has held multiple professional industry certifications including Certified Information Systems Security Professional (CISSP), Payment Card Industry Qualified Security Assessor (PCI QSA) and Certified Information Systems Auditor (CISA).