Examining Continuous Pentest Assessments
Posted by: Victor Wieczorek
In our blog series, we’ve examined both siloed/autonomous penetration tests as well as collaborative assessments. For our third installment of the series, we will focus on continuous assessments, which we’re seeing emerging in this space. This type of assessment is a newer concept of “as a service” that includes increased automation, tight integration between the attacker and defender, and a very agile process.
When we scope a specific environment or piece of infrastructure, we almost by necessity have to look at it from a manual perspective first. We’re trusting humans, professionals with experience and expertise, to understand the scope of the assessment, how an attacker would process that information, and the attack paths at their disposal. As you get more comfortable with the environment, and as it becomes more baked and exercised, this whole process fits more seamlessly into the groove of normal business operations. The presumption is that it won’t change much. From here we can start offloading or augmenting the manual testing with automated tools.
Breach and Attack Simulation (BAS) is a relatively new term that was introduced by Gartner to help you categorize a lot of the tools in this space. There is certainly much potential to augment, though not replace, what a human pen tester can do, by minimizing or removing the rote or mundane tasks with automation. There’s a great play here for humans and automation to work off each other and maximize the value during an assessment. So as we move through time, we can automate more as we understand more about the environment. If there is any change in that environment, such as a new system being deployed, then there needs to be a kickback to identify that change and recommend more manual testing for either that specific change or the system holistically. This is how you would ultimately understand the overall impact of that change. The trigger doesn’t just need to be a change in the environment itself: it could also be that a significant vulnerability was just publicly released, or that a new tactic or exploitation technique for an existing vulnerability has appeared. Examples like these should be classified as significant change and introduce additional manual testing until things stabilize, at which point we can iterate back into higher levels of automation.
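As an added illustration, not code from the post or from GuidePoint, here is a small Python planner that applies the kickback rule described above: automation ramps up over stable cycles and drops back to a manual scope whenever a new system, a changed software version, or a newly published advisory matching the inventory appears. The inventory snapshots, the advisory feed and the 0-to-3 automation scale are constructed assumptions for the example.

```python
# Planner for a continuous assessment: ramp automation up over stable cycles,
# kick back to manual testing when a significant change is detected.
from dataclasses import dataclass, field

MAX_LEVEL = 3  # hypothetical scale: 0 = fully manual, 3 = mostly automated


def detect_changes(prev, curr, advisories):
    """Significant-change events between two inventory snapshots
    (host -> {software: version}); advisories are (software, version) pairs."""
    events = [("new-system", h) for h in sorted(curr.keys() - prev.keys())]
    for host in sorted(curr.keys() & prev.keys()):
        for sw, ver in curr[host].items():
            if prev[host].get(sw) != ver:
                events.append(("changed-software", f"{host}:{sw}"))
    for sw, bad_ver in advisories:
        for host, stack in sorted(curr.items()):
            if stack.get(sw) == bad_ver:
                events.append(("new-advisory", f"{host}:{sw}"))
    return events


@dataclass
class AssessmentPlanner:
    level: int = 0
    history: list = field(default_factory=list)

    def next_cycle(self, prev, curr, advisories):
        events = detect_changes(prev, curr, advisories)
        if events:
            # Kick back: manual testing of each changed item until things stabilize
            self.level = 0
        else:
            self.level = min(MAX_LEVEL, self.level + 1)
        manual_scope = sorted({target for _, target in events})
        self.history.append({"level": self.level, "events": events,
                             "manual_scope": manual_scope})
        return self.history[-1]


# Constructed sample data (not from the post): one inventory snapshot per cycle
BASE = {"web-01": {"nginx": "1.24"}, "db-01": {"postgres": "15"}}
WITH_API = {**BASE, "api-01": {"node": "20"}}
SNAPSHOTS = [BASE, BASE, BASE, WITH_API, WITH_API, WITH_API]
ADVISORIES = {5: [("postgres", "15")]}  # cycle index -> advisories that cycle


def run(snapshots=SNAPSHOTS, advisories=ADVISORIES):
    """Replay the cycles; the per-cycle level is the trend worth reporting."""
    planner = AssessmentPlanner()
    for i in range(1, len(snapshots)):
        planner.next_cycle(snapshots[i - 1], snapshots[i], advisories.get(i, []))
    return planner.history
```

Each entry in the returned history records the automation level, the change events and the recommended manual scope for that cycle, which is the per-period snapshot a team can trend over time.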
Pros and Cons of Continuous Pen Testing
The defining pro, and con, of continuous pen testing is that by definition it’s always on. Additional pros are that you can maximize your budget by offloading the tedious manual aspects of pen testing to automation, while allowing the manual testers to focus on the things that only humans can do. Automation is used to give full, tireless coverage of the hundreds, if not thousands, of different avenues an attacker could potentially exploit.
With continuous pen testing, there’s this great idea of instant, zero-day feedback. Not too long ago a large hospitality provider announced a large breach. Every other vendor in that industry should have been asking themselves, or been asked by others, how susceptible they were to that type of breach. BAS platforms can facilitate continuous assessments alongside human pen testers, who can quickly leverage newly disclosed tactics and then quickly give you a sense of how you’re doing as an organization. You’re very rapidly, if not instantaneously, gaining information to answer those questions. Since the assessments are continuous, you can also take snapshots to show trends in vulnerability detections over different periods of time. Regardless of the KPIs defensive teams measure, continuous pen testing is probably the most data-rich way to go.
Now for the cons of continuous pen testing. Your industry’s maturity level, or potential lack thereof when it comes to this topic, is not insurmountable, but it does add complexity. The adoption curve for BAS solutions is at an early stage, where organizations are beginning to investigate the technology and how best to integrate it into their existing defensive controls and processes. The integration alone can be challenging: figuring out where the obstacles are, which things don’t play well with each other, and so on.
Complacency setting in is another potential con. With more automation, there is more temptation to let it run in the background and focus on other areas. This honestly goes beyond continuous assessment – complacency is an issue with the use of any security tool. With security staffs overloaded with work, the eye can easily move off the ball, and you end up not maximizing the value of the solution. For continuous assessments, we need to ensure that they’re still actively reviewed, that there’s feedback to improve the scope or the methodology, and that we’re not left pen testing individual trees as opposed to the overall forest.
In the next blog, we’ll continue to dig into continuous penetration testing and look at how to effectively plan for one.
Resources
On-Demand Webinar: Maximizing Value Through Pen Testing
White Paper: Examining Which Style Of Penetration Test Is The Best Fit For Your Organization
Victor Wieczorek
VP, AppSec and Threat & Attack Simulation,
GuidePoint Security
Victor Wieczorek is an information security professional with a broad range of experience in both defensive and offensive security roles. His prior work included delivering various security projects to a wide spectrum of clients with a primary focus on penetration testing, social engineering and security architecture design. As a penetration tester holding both the Offensive Security Certified Expert (OSCE) and Offensive Security Certified Professional (OSCP) certifications, he has helped organizations identify a multitude of weaknesses with a focus on root cause remediation.
Prior to joining GuidePoint, Victor consulted for a global firm where he worked to mature and standardize the security assessment practice while leading various penetration testing engagements. Before that, he was a Systems Security Engineer focused on secure architecture design for multiple federal organizations. Victor has developed skills in effective communication with client stakeholders to detail security issues, illustrate business impacts, and consult on remediation efforts.
Victor earned a bachelor’s degree in computer and information technology from Purdue University and has held multiple professional industry certifications including Certified Information Systems Security Professional (CISSP), Payment Card Industry Qualified Security Assessor (PCI QSA) and Certified Information Systems Auditor (CISA).