Penetration testing is one of the most direct and proactive cybersecurity activities organizations can undertake to protect themselves from an attack. Also known as ethical hacking, it involves legally breaking into computers to test an organization’s defenses. Companies make it part of their overall security process and posture because the result is relatively reassuring regardless of the outcome: either the penetration testing team learns that its systems are strong, or it has identified a vulnerability before a malicious hacker did and can now take steps to resolve it.
The ethical hacking process usually involves working with the client to establish goals and define which systems can be tested, when, and how often without service interruptions. In addition, pen testers need to gather a lot of information about the organization, including IP addresses, applications, the number of users who access the systems, and patch levels. These are considered “targets” and are typical vulnerable areas. Next, the pen tester performs the “attack” and exploits a vulnerability (or a denial of service, if that’s the case). They will move “horizontally or vertically,” depending on whether the attacker moves within the same class of system or outward to non-related systems, CSO Online notes.
Penetration Testing Challenges
As you can imagine, being an ethical hacker naturally requires continuous learning of the latest attack methods and breaches to stay ahead of the “black hatters.” That alone can be a challenge. In addition, the following penetration testing challenges are keeping organizations up at night:
- There were more than 10,900 pen testing jobs unfilled between April 2017 and March 2018 alone.
- High costs prohibit hiring dedicated and skilled CPTs.
- Not all CPTs are created equal, and some third parties only perform vulnerability analysis as opposed to thorough pen tests.
- Most tests are conducted via downloaded tools or as one-off engagements focused on known threats and vulnerabilities.
- Many third-party engagements have to be scheduled well in advance and run sporadically throughout the year.
A New Penetration Testing Solution
Recent reports note that 31% of pen testers test anywhere from 24-66% of their client’s apps, leaving many systems untouched by professionals and open to vulnerability. In the face of these penetration testing challenges, government, enterprise, and academic institutions are turning to technology to pick up the slack. Automated tools can help with the entire test hacking process, from asset discovery to scanning to exploitation, much like today’s hacker would.
Circadence is proud to have developed a solution (available soon) that automates and augments the penetration testing cyber workforce with a platform called StrikeSet™, which increases the efficiency and thoroughness with which pen testing is performed. Specifically, the platform’s machine learning capabilities provide session analysis and create unique threat playbooks for operators. It also monitors and tracks tool behavior for classification. In addition, data is gathered from distributed operators who can remotely collaborate on exploit development, forensics analysis, phishing campaign orchestration, and much more. That data is used to analyze Red Team TTPs with the aim of mimicking approaches to save on resources and time.
With cyberattacks becoming the norm for enterprises and governments, regular scans and pen testing are key to protecting sensitive data. Coupled with holistic cyber training for offense, defense, and governing professionals and enterprise-wide cyber hygiene education, enterprises and governments will be better prepared to handle the latest and greatest threats. It’s time for organizations to leverage tools that automate and augment the cyber workforce in the wake of an ever-evolving and complex threat landscape.