It's time for organizations to embrace penetration testing as the best source of situational awareness for post-incident breach investigation.


The Internet has evolved and so too have its denizens. A modicum of respect must be paid to the sophistication and organization of today’s hacker community. The blended, staged attacks of 2009 demand it.

For years, organizations in the government and private sectors have relied on a far more passive approach in gauging the potential consequences that exist as a result of cyber-attacks, online fraud and electronic data theft.

However, this traditional model – centered on processes that include the use of traditional incident analysis and data aggregation tools, attempts to patch the affected systems and to inform law enforcement – has not proven sufficient at determining the full scope of possible actions that attackers can exercise once they’ve compromised protected IT assets.

Sometimes in order to understand that useful solutions to our greatest challenges already exist, our problems must first become so endemic that many less useful alternatives are exhausted before we stumble onto the answers that are sitting right in front of our eyes.

In relation to the use of penetration testing as a means of post-incident forensics response to cyber-attacks and subsequent clandestine activity, I would argue that this very scenario has transpired.

I would submit that just as penetration testing is a far more proactive process to embrace in reducing your organization’s exposure to malware attacks, compared to the use of, say, perimeter AV tools, pen tests should be recognized and adopted by government agencies and businesses as a more effective method of improving their situational awareness in the wake of ongoing cyber-incidents.

Spinning the Chess Board

It’s not to say that traditional incident response and forensics tools and strategies do not provide important value, for they do. Information gathering and reporting must play a vital role in this response ecosystem, and even as subsets of the penetration testing process itself.

However, the primary value proposition of pen testing – attempting to exploit available vulnerabilities to determine the precise risks that these issues represent – offers organizations the most comprehensively informative method of understanding the true implications of electronic breach incidents. 

The threat of the digital insider, ranging from remote-controlled malware attacks implanted on networks by external parties all the way to trusted individuals abusing their IT privileges, represents one of the most pernicious risks faced by organizations today.

And unlike other techniques that attempt to estimate what the most likely paths taken by attackers during a breach might have been, penetration testing can provide organizations with the most complete and specific list of potential routes to sensitive systems or data that assailants may have availed themselves of.

By using a technology like CORE IMPACT, I would argue, IT security and forensics teams can “spin the chess board” to gain a more expansive vantage point into the many scenarios that they must consider as tangible outcomes of cyber-attacks – and to begin to assess the real-world risks they may face based on the opportunities that may have been available to their adversaries.

And beyond educating breach responders about what they may be facing in the wake of an incident, features such as IMPACT’s new Attack Paths Report – which provides a graphical illustration of available points of conveyance between vulnerable systems or programs – can be vitally important in helping non-technical leaders to understand the full scope of breach implications.

Offense that Informs Defense

We are already seeing the most informed and influential constituencies in the U.S. government space put forward penetration testing as a best practice that must be embraced more broadly to arm IT security teams with the more detailed and actionable data that they need to assess their posture and protect themselves going forward.

For example, in the recent release of the Consensus Audit Guidelines (CAG) – a set of 20 recommended IT security practices produced by a team that included the NSA, DoD and NIST, among many others – we’ve seen a mandate established for government agencies and their private-industry service providers to pursue strategies through which IT defensive efforts are better “informed by offense.”

In the CAG these most influential stakeholders specifically highlight penetration testing as just the type of proactive process necessary to achieve this larger goal.

My central argument is that in matters of cyber-incident response and investigation, penetration testing must be viewed in a similar light as a tremendous enabler of post-breach situational awareness.

I cannot think of a more practical way to begin answering the staggering security quandaries we currently face.

-Tom Kellermann, Vice President of Security Awareness