Scanning, Testing and Simulating – Where does PTaaS Fit?
Posted by: Terry Cordes
Understanding vulnerability assessment, penetration testing, and attack simulations requires a better understanding of who will be using the results and for what goals.
Working with customers on Penetration Testing as a Service engagements, I often encounter confusion when talking about vulnerability scanning, penetration testing, and attack simulation. The confusion is understandable. While the three exist independently of one another, at a high level they all seem to be accomplishing the same thing, and from one perspective that’s true: all three are working towards bettering your organization’s cybersecurity. However, the end audience, specific goals, and final output of each are significantly different. In order to get the most value from each activity, it’s critical for professionals to understand the subtle, but important, differences between the three practices. In this article, I hope to break down those three practices and offer some insight into how GuidePoint PTaaS can fit into the mix.
If we look at the purpose of each practice, the output, and who the target audience of that output is, we can see how the practices differ and overlap.
The goal of vulnerability scanning is to identify the vulnerabilities present in an environment and provide cybersecurity managers with a high-level understanding of what is vulnerable and why it is vulnerable. The practice of vulnerability assessment usually includes conducting scans and assessing the criticality of vulnerabilities identified. Vulnerability scanners excel at finding known technical vulnerabilities and common misconfiguration issues. Vulnerability information from scanners is typically used to help system owners and managers understand what remediations are needed to harden systems as part of prevention.
Similarly, penetration testing can identify vulnerabilities in an environment, but the real goal is to determine how those vulnerabilities can impact an organization. While most penetration tests will include vulnerability scans, a penetration test should go much deeper than just telling you that a vulnerability exists; it should demonstrate how a vulnerability would be exploited and how that exploit impacts your organization. Penetration testing excels at describing exploitation and identifying logical vulnerabilities that scanners cannot. Penetration testing reports, like vulnerability scan results, are used by system owners and managers to harden systems.
Ultimately, vulnerability scanning and penetration testing are commonly seen as part of a vulnerability management program, where the output of each practice is used to harden the environment and prevent attacks.
Conversely, attack simulations are typically used to understand if an attack would be detected or stopped, and how effective the response would be. As such, the output from attack simulations is typically used by the blue team (defenders) to test, verify and improve detection policies, tools and procedures.
Attack simulations are conducted using commercial breach and attack simulation (BAS) tools, custom tools or manual threat emulation. The overall practice constitutes what most people think of in terms of “control validation” or “control efficacy.” Attack simulations don’t often identify vulnerabilities or explain how an attack would exploit those vulnerabilities; they help defenders understand if they are capable of handling an attack.
In short, scanning and penetration testing are about understanding your vulnerability and the attacker’s potential capabilities in your environment, while attack simulation is about understanding your defense capabilities.
How does GuidePoint Security’s Penetration Testing as a Service fit in?
While vulnerability scanning is inherent to many of the tools that make up the technology stack in GuidePoint Security’s PTaaS, it is not the primary focus of the service and is definitely not a replacement for a vulnerability management program. Instead, our PTaaS fits neatly into and supports nearly any vulnerability management program.
Today, GuidePoint Security’s PTaaS is focused on providing penetration testing utilizing a unique blend of automated and manual testing. Built around cutting-edge automated penetration testing platforms and delivered by Attack Simulation Operators and GuidePoint expert penetration testers and red teamers, PTaaS has the ability to perform penetration testing with the breadth of vulnerability scanners while maintaining the depth of traditional penetration tests.
As GuidePoint PTaaS evolves, so will its capabilities and its fit into cybersecurity programs. The PTaaS team is currently working to implement an attack simulation capability built around popular BAS tools. Like our penetration testing capability, it will be based on a unique blend of automation and manual effort. As PTaaS extends into the attack simulation space, it will be able to support incident response and security operations programs by providing customizable and repeatable control validation. More to come on that.
To learn more about PTaaS or schedule a demonstration, contact your GuidePoint Account Executive or visit the PTaaS home page.
Terry Cordes
Terry Cordes, Attack Simulation Architect at GuidePoint Security, began his information security career in 2012 after 18 years developing complex software systems for the logistics and financial industries. Since moving into security full time, he has focused on vulnerability management with emphasis on penetration testing and attack simulations. He has experience running a vulnerability management program for a financial services company as well as performing and managing security assessments for a global life sciences company.
Terry’s experience in software development was focused on integration, tool and telemetry software for complex systems including custom packet capture and analysis, integration with monitoring and control systems and automated test harnesses. He has professional experience as a programmer, technical and product architect, quality control engineer, build engineer, development team lead and development manager.
Terry is passionate about using his software development and penetration testing experiences to build out the next generation of penetration testing software in GuidePoint’s Penetration Testing as a Service (PTaaS) offering.