If you’ve think the average pen test is decreasing in value, you’re not alone. Don’t get me wrong, a well-scoped and well executed pen test provides a valuable snapshot of the technical (and not necessarily business) risk of a given system. But let’s face it, the pen test is a snapshot in time of a small subset of your computing environment.
So how do you increase the value of a pen test? Not just by a little, but exponentially? The answer is surprisingly simple. Rather than just pen test an application or network, start testing your processes.
What do I mean by that?
I’m actually not suggesting anything revolutionary here. This is really just another form of a red team exercise. But rather than having the end goal of breaking in to your environment, the red teamers use attacker techniques to test your processes.
For example, it’s pretty common for attackers to use a Microsoft tool called PSExec to move from system to system across a corporate LAN. And lucky for us, using PSExec leaves a robust forensics trail behind in the form of event logs. In this case the red team will test your process for detecting and alerting on this behavior.
Another example ripped from everyday breaches:
Attackers like to steal legitimate credentials from actual users. And again, there are some pretty easy methods for detecting the tools and activity attackers use to steal credentials. Which is another process that could be tested.
Ok, so testing your processes for detecting and preventing attacker activity.
But how does testing these processes amount to a 10x increase on the value of a regular pen test?
Well, testing your processes provides a snapshot in time of your capabilities to prevent or at least detect attacker activity. And that attacker activity could be directed at anything on your network, not just the stuff being pen tested.
But here’s a crucial point:
You test your processes, then you fix the gaps you find. And your pen test just turned into an exercise that leaves your entire organization in a better position to block or at least detect attacks early on. Not just a single application or network that might have been tested and remediated.
And having your entire computing environment in a better position after the exercise is worth at least 10x the value of a standard pen test. The only catch is that you need a structured approach to running such an exercise, and make sure you’re starting with a robust set of processes to test.
Now, you could put together a list of processes or detections that you should be testing on a regular basis to determine how well you can block or at least detect attacker activity. Or take a look at the Mitre ATT&CK framework. They’ve done a lot of the heavy lifting for you.