Traditional Penetration Test vs Objective-Based Penetration Testing: Which is right for your organisation?
In just the span of 3 years, organisations have adapted quickly to the new norm – cloud services, working from home, video conferencing, Slack, digital signatures… the list goes on. This has resulted in major changes to how businesses operate, and thus to what must be secured. These changes feel like they happened almost overnight, as an organisation’s number one priority went from maximising profits to just keeping the lights on. At the same time, threat actors saw the opportunity and upskilled, developing new ways of compromising organisations to gain access to and steal critical data.
What does this mean for you?
The risks your organisation may have taken to keep running now need to be addressed. The old adage, “it’s not if, but when”, is more applicable than ever. Businesses are interconnected like never before and are relying on technologies like cloud services and remote access more heavily than ever. An attacker no longer targets just a single website or company; entire services and supply chains are now under fire. It’s time to spring clean your environment and identify the vulnerabilities that matter, before the adversaries do.
So how do you find the new gaps?
One central element is to update your approach to penetration testing. Traditional testing (e.g. narrow scopes, emphasis on identifying a breadth of vulnerabilities whether they are exploitable or not) still has its place, but it must be performed in conjunction with broader penetration testing as well. That means finding vulnerabilities not just in a single application or application environment in isolation, but also understanding how your workforce and other layers of technology or security controls affect the security of these environments. Finding that one hole in your access controls, or that one blind spot in your endpoint detection and response, is what enables an attacker to gain access to critical information assets. In short: finding the vulnerabilities that matter. To do this, applying an adversary mindset to penetration testing is a core element of securing your environment.
So today we’re looking at the differences between a traditional penetration test and objective-based penetration testing, and how each applies today:
• Traditional Penetration Tests
• Objective-based Penetration Tests
• Continual Assurance Service
Let’s get started with an important question.
What is a traditional penetration test?
Traditional penetration tests (commonly known as ‘pen tests’) are a highly technical assessment of your cybersecurity environment at a particular point in time. A white-hat hacker will be given a scope for testing, identify vulnerabilities in that scope, exploit the ones that can be exploited, and tell you how to fix all the vulnerabilities – whether they were exploitable or not. This may be across the entire IT ecosystem or for just one specific application environment.
Penetration tests use a methodology designed to identify as many gaps as possible in a controlled setting. Penetration testing experts, like the team you’ll find at Loop Secure, will identify vulnerabilities across a broad range of categories such as unpatched operating systems or software, authentication weaknesses, and other weak configurations in servers and your network. They will generally try to exploit these vulnerabilities to gain the highest level of privilege possible in the given time, as more privilege means even more vulnerabilities to discover.
How does objective-based penetration testing differ from a traditional penetration test?
Objective-based penetration testing is the next level up from traditional penetration testing. Instead of broadly looking for vulnerabilities whether they are exploitable or not, objective-based testing defines the critical assets as the goal or objective, and focuses on exploiting the vulnerabilities that will result in compromise of those objectives. For example, a traditional penetration test may start off with a single application environment as the scope, and finding vulnerabilities is the ‘objective’.
Objective-based testing flips this on its head, defining the PII or business IP within the application as the objective. In order to reach that objective, the scope is not only the application environment, but also the other services it interacts with, because those services also provide a pathway to the objective. The output of this approach is the set of vulnerabilities that actually enabled that PII to be reached, rather than vulnerabilities on a system that are out of reach or of little consequence. What assets or ‘crown jewels’ do you want to set for a penetration tester to attempt to compromise? Are certain areas in your environment more susceptible and vulnerable to cyber-attacks? How would a real adversary reach that area?
This is the core of what objective-based penetration testing will solve for you. It applies red team methodology to develop a plan to reach that objective through various attack vectors, identifying what your weakest links are.
With a number of penetration tests available, we’re often asked by customers which one is right for their business.
Penetration testing should be a component of your cybersecurity strategy and deeply woven into the other activities across the cybersecurity scope, including governance, risk, continual monitoring and incident response.
Firstly, to identify which type of penetration test is suitable for your business, you need to align the test scope with your cybersecurity strategy and resources. This will include an analysis of potential breach sites or vulnerable systems. What systems matter to you? What systems are new, or have changed, or have not been reviewed for technical vulnerabilities before? Maybe a third party has developed a new web application for your organisation – a one-time web application penetration test might make the most sense. A corporate environment with servers and workstations constantly being provisioned and decommissioned? Annualised traditional penetration testing fits that scenario. What it comes down to is that it starts with scope.
As an example of a comprehensive approach, the Loop Secure team offer these types of penetration tests:
Use Cases for Traditional Penetration Testing:
- Uncover loopholes within an organisation’s system and OT environment
- Meet an information security compliance or certification requirement for the organisation (e.g. PCI DSS)
- Before releasing software updates, identifying vulnerabilities that may now expose you
- Securing financial or critical IP within a system or network
- Identifying current issues that are present in the internal or external infrastructure or the physical environment
- Identifying and validating what vulnerabilities exist, to remediate based on priority
Use Cases for Objective-Based Penetration Tests:
- Maintaining confidentiality of credentials and critical data in a particular server
- Identify and exploit flaws, configurations and weak credentials in software within the environment
- Exploiting human error and identifying security risks introduced through employees, using methods such as social engineering
- Uncovering different attack vectors against a specific area through red team methodology
The goal of a traditional penetration test is to:
Identify and exploit as many vulnerabilities as possible within the given scope.
While an objective-based penetration test’s goal is to:
Achieve specific objectives that introduce real risk for your organisation, identifying as many vulnerabilities as possible along the way that would enable an attacker to achieve those objectives.
Penetration tests give you a snapshot of your security posture at a certain point in time. Between tests, the landscape can change significantly. New tools and techniques are always in development and cyber vulnerabilities are continually evolving. So how does an organisation stay vigilant on a 24/7 basis?
Penetration testing is only one component of an effective cybersecurity program. A strategic and risk-based approach to testing is recommended for clients to ensure that the right parts of their organisation are being tested, using the right techniques and on a frequency that reduces organisational risk. Loop’s Continual Assurance Service is an example of this, delivering continual testing and remediation advice on areas of your organisation that matter. If you’re driven by compliance, our timelines are your timelines; we’ll deliver remediation advice on issues and reporting before you need it.
How do we do it?
We start with the foundations and build based on your unique business risk appetite. This includes underpinning the program on vulnerability management and delivering reporting on a basis your team can handle. If you’ve already got vulnerability management in place, not a problem; we will then look at the next stage up: penetration testing and offensive security. What cadence is required to test based on your business? What areas of your business should be in scope – web apps, workforce, infrastructure? Whether this is cut up into smaller bite-sized pieces throughout the year or delivered as one big test once a year, we’ve got you.
From here, the world is your oyster: mix in adversary simulation tabletops and purple teams. An incident will occur at some point, so let us help you to uplift your SOC team’s ability to respond to incidents based on the latest threats.
Metrics for improvement are central for us. Gain an understanding of how you mature through Loop’s Continual Assurance Service.
If you'd like to learn more about Loop Secure's Continual Assurance Program contact our team.