How to Gain More Value with Continuous Pen-Testing
Posted by: Victor Wieczorek
Over the last several blogs, we’ve taken a deep dive into the different types of penetration tests:
As noted in the last blog, continuous assessments are enabled by a lot of the great automation platforms we’re seeing emerging in this space. Generally speaking, more mature security organizations are in a better position to take advantage of continuous, collaborative pen-testing.
When planning for a continuous pen-test, it is critical to:
- Ensure collaborative threat modeling, which, let’s face it, is foundational for pretty much any pen test. In a siloed or autonomous assessment, the red team must conduct the threat model themselves to understand what they can find out about an organization and then pair that with what they already know.

  In a collaborative or continuous assessment, it’s important to leverage the experience and expertise of the defending team, which knows the crown jewels – what is critical and core to the business that attackers are trying to access. The most effective threat modeling happens when the red and blue teams work together to understand both perspectives.
- Set clear goals and objectives to ensure you maximize the value of a pen-test. Communication is critical. Set common goals and objectives with everyone involved, and ensure that feedback during a test is instant. There has to be a method that allows the defenders and the attackers to communicate back and forth and adjust as necessary.
In this blog series, we’ve reviewed the three most common types of penetration testing with the hopes of helping you identify which style is right for your organization. Ideally, you will continue to mature your security program and process and as part of that explore how to gain more value out of your penetration testing efforts.
We’ve found that the most effective and efficient penetration test assessments typically include both manual, human elements and automated tests and technology. Building a more collaborative effort between the offensive and defensive staff on your team, setting clear goals and objectives from a more holistic perspective, and determining which tasks you can automate and where to invest manual effort are key to ensuring you get the most value out of your penetration test.
Contributing Author
Victor Wieczorek, Practice Director, Threat & Attack Simulation. Victor is an information security professional with a broad range of experience in both defensive and offensive security roles. His prior work included delivering various security projects to a wide spectrum of clients with a primary focus on penetration testing, social engineering, and security architecture design. As a penetration tester holding both the Offensive Security Certified Expert (OSCE) and Offensive Security Certified Professional (OSCP) certifications, he has helped organizations identify a multitude of weaknesses with a focus on root cause remediation.
About Guidepoint Security
GuidePoint Security provides trusted cybersecurity expertise, solutions and services that help organizations make better decisions that minimize risk. By taking a three-tiered, holistic approach for evaluating security posture and ecosystems, GuidePoint enables some of the nation’s top organizations, such as Fortune 500 companies and U.S. government agencies, to identify threats, optimize resources and integrate best-fit solutions that mitigate risk. Learn more at www.guidepointsecurity.com.
Resources
On-Demand Webinar: Maximizing Value Through Pen Testing
White Paper: Examining Which Style Of Penetration Test Is The Best Fit For Your Organization
Victor Wieczorek
VP, AppSec and Threat & Attack Simulation,
GuidePoint Security
Prior to joining GuidePoint, Victor consulted for a global firm where he worked to mature and standardize the security assessment practice while leading various penetration testing engagements. Before that, he was a Systems Security Engineer focused on secure architecture design for multiple federal organizations. Victor has developed skills in effective communication with client stakeholders to detail security issues, illustrate business impacts, and consult on remediation efforts.
Victor earned a bachelor’s degree in computer and information technology from Purdue University and has held multiple professional industry certifications including Certified Information Systems Security Professional (CISSP), Payment Card Industry Qualified Security Assessor (PCI QSA) and Certified Information Systems Auditor (CISA).