
Evolution of Cybersecurity Testing
Lumu's tip on continuous compromise assessmentBy Felipe Ruiz | March 17, 2020 | Category: Opinions
The activity of cybersecurity testing at present, according to the information given to us by Sylvester and Cuervo, can prompt us to remember its beginnings. Among them, for example, what was carried out by the US Navy in the eighties. On that occasion, it was a pentesting procedure, intended to reveal how simple it might be to breach on one of its own bases. This type of process, framed in the ethical hacking activity, has achieved remarkable improvements. It can be considered a 'traditional' security testing together with the vulnerability assessment process. This testing continues to be enormously important in a variety of industries and organizations within our current society.
Nevertheless, according to the authors, something is happening with this traditional procedure. It seems that the breaches in companies continue to grow exponentially and are accumulating. This happens despite the effort that is being made in their security with the tools and programs available. Many of the companies have taken months or even years to detect those ‘compromises’ or risks. The problem seems to stem from handling the same processes. Those that years ago, and today are often seen as sufficient in cybersecurity assessment. It is required then, as suggested, an evolution in cybersecurity testing.
Citrix
, for example, is one of those companies. Possibly by doing two
cybersecurity tests a year (for 10
years), with the traditional
vulnerability scanning, they had not realized that the adversaries were
already inside their network. They had not noticed that their security
had been breached. Traditional tests are leaving aside the fact that
networks may already have been compromised.
The requested evolution in cybersecurity, following the reports of the authors, can take as examples the advances in some methodologies. Specifically those in the medical and aviation industries. They have really sought to learn from their mistakes. Both industries have followed a long process of improvement. This has been done through detailed research, with the aim of immediate remediation of any inconvenience. These industries have tried to be open communities and to share information between entities, in addition to establishing standardized processes. Their testing exercises continually aim for an approach to 'perfection.' At least assuming the alteration of some controllable variables. And hoping that some methods result even more predictable and successful, always to the benefit of the user.
Therefore, it is established that we cannot conclude that a network is secure only with pentesting and vulnerability scanning. These processes focus on testing risks outside the corporate network. And they are established as preventive techniques and assessment of defenses. Accordingly, they deliver information on potential attacks. They don’t do it on confirmed attacks. They may constitute a work with a limited vision, starting from a ‘false hypothesis,’ taking that the attacker is outside. It’s not being considered that the attacker may already be inside. In the latter, prevention may no longer be useful.
Cuervo talks about a typical "misconception that all attacks occur on servers and databases." When in fact most attacks start with emails addressed to an organization's employees, from malicious subjects (recall our ransomware blog post). This is intended to affect certain devices initially, and then "move laterally until higher value assets are found."
Figure 1. taken from Sylvester’s presentation
These experts then propose as indispensable the analysis of network
metadata
for the location of compromises. Next, to compare with
traditional tests and verify if there is additional information.
Afterwards, the possible contribution of the findings to the
organization’s posture on risk must be analyzed. Finally, a continuous
repetition of compromise assessments is suggested.
Such assessments are expected to provide ongoing insights. All of them
about the timing, locations, and communication procedures of the
infrastructure with adversaries and potential attackers. We cannot
forget that an organization’s metadata
generation can be enormous. But
being aware of the DNS
queries, for example, can be a significant
advantage in knowing whether the organization’s network has already been
compromised. The same goes for firewalls
and proxy
data. Being
attentive to this type of data, and analyzing it, can allow the
monitoring of the activity of adversaries already present within the
network. It is then established as fundamental to carry out measurements
and then manage the findings.
The development of fairly advanced cybersecurity testing is of vital
importance. Especially for the sustainability of multiple organizations
in this highly-connected world. Based on what we have learned from the
aforementioned authors: it is advisable to maintain the position that
within our organization’s network there may already be adversaries. From
this, and beyond a traditional vulnerability scanning, we can move on to
analyze network metadata
. We can complement traditional methods with
an evaluation of compromises. We can work incessantly, with real-time
data, on proving that our system really is free of all adversaries and
possible attackers. And if necessary, we can work on the elimination of
those compromises or present risks and thus improve the security of our
systems. These are recommendations that we should not simply ignore.
“It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change.” Mistakenly attributed to Charles Darwin
Any questions about what Fluid Attacks
can do for you as part of the
cybersecurity process in your organization? Contact
us.