Is your Security Operations Centre awake? Your adversaries are. And so are we.
Updated: Oct 7, 2020
It is time for conventional cyber security measures to be challenged.
CovertSwarm’s Constant Cyber Attack service is the answer.
Threat actors are attacking your systems every 39 seconds. They seek to find a weakness in your cyber defences that can lead to a successful point of compromise or even breach. Their attacks are constant and tenacious. The ramifications of these malicious attempts to exploit your business are huge and pose a constant risk to your reputation, shareholder value and longevity.
Across industries, this constant ‘cyber pressure’ creates a tension between threat actors who are ‘on the attack’, and businesses cyber security teams ‘playing defence’. Attackers only need to find a single route through your cyber defences, with your security teams having to plan to identify and mitigate every possible route that could be exploited to breach your organisation.
Traditional measures aimed at providing exploit insights to internal security teams come from Penetration Testing or Red Teaming engagements. However, countering modern-day cyber threats requires significantly more than such point-in-time security testing.
So, what is the answer to enabling businesses to better understand and prepare to deflect modern cyber attacks?
CovertSwarm - an embedded security service that targets testing against the organisation as a whole. Constant, holistic cyber research and challenge. A service that can work in-line with your Security Operations Centre (SOC) by continuously challenging their methods, and in doing so complementing and continuously improving their defence practices so that they remain ‘awake’ and always ready to defend your business against malicious cyber attacks.
The Problem with Conventional Testing Procedures
Conventional cyber security testing uses point-in-time procedures that only provide a narrow view of an organisation’s security posture. And one that is a static ‘snapshot’ that is immediately out of date once the results have been gathered.
Let us elaborate and explore the details of various point-in-time cyber test procedures and their shortcomings:
A penetration test refers to a simulated cyber attack with the aim to detect known vulnerabilities within the target scope. There are numerous vendors able to deliver this service and their testing is typically mandated by compliance standards (PCI-DSS, ISO27001:2013, PSN CoCo, NIST etc.) or third-party supplier’s security frameworks.
Penetration tests are often checklist driven and are always point-in-time. There can also be a vast difference in quality between vendors testing abilities - and even within vendors own teams due to varying quality of their personnel. Some vendors will deliver their service via the use of fully employed staff whereas others may outsource the work to contractors or ‘own label’ partners. The variability of the talent being engaged and knowing who is actually delivering the testing can be difficult to fathom.
Typically, tests will commence with ‘scanning’ using a common set of software tools that check for known and easily detectable vulnerabilities. The penetration tester(s) then take the results of the tooling and sometimes test the target scope further, looking for areas of weaknesses or ones missed by the scanning tools.
Depending on the ‘rules of engagement’ agreed between the target business and the Penetration Testing vendor, the testers may then look to exploit vulnerabilities but rarely go much beyond a superficial depth of exploration.
The tests typically produce reports (typically, long PDF docs or Excel sheets) that contain a lot of finding ‘noise’ supported by a high volume of data for the target business’ internal security, engineering and TechOps teams to then work to understand and remediate: this often saturates engineering and development teams who are inevitably bogged-down by remediation work that may in fact have totally missed the identification of deeper and more serious points of compromise that may exist for the business.
The tests being ‘point in time’ only provide a snapshot of the organisations’ security posture. Meaning they are out of date the moment they are published.
Penetration testing has its place but does not align well to reducing the cyber risk of modern fast-paced businesses with agile approaches and continuous software release cycles.
Playing ‘in defence’ during these tests are in-house TechOps or SOC teams who are usually made well aware of when the testing is taking place and as the testers tend to explore for known issues – are very much ready for it; a good analogy is a student seeing their exam questions the week before their test. Clearly, ‘real’ attackers don’t share their methods in advance, and the unexpected should be expected by your teams.
There is a lot of confusion in the industry between “Penetration Testing” and “Red Teaming”. Many vendors will sell you a “Red Team engagement” but often they are simply rebadging a traditional “Penetration Test”.
A Red Team assessment is normally more in-depth than a Penetration Test; it will often have a broader scope and look specifically for a point of compromise or have a specific goal in-mind: for example, to compromise the target company’s CEO inbox, or compromise intellectual property.
Red Teams typically focus on exploitation via targeted attacks. Whilst also ‘point-in-time’, the engagements themselves are somewhat longer that Pentests, sometimes spread over many days or weeks.
Whilst Red Teaming is designed to more closely simulate a genuine cyber attack it falls prey to the shortcomings of point-in-time testing, and the resulting reports are out of date the moment they are presented. Real threats and malicious actors - such as Advanced Persistent Threats (APTs) and state-sponsored actors - never stop. They are relentless and constantly looking for new ways to breach organisations. Just as your business doesn’t ‘pause between point-in-time testing’, neither does the continuously increasing risk posed by cyber assaults from malicious actors.
Red Teaming can be stealthier than Penetration Testing, which may catch your SOC off guard: however, your SOC team knows it is point-in-time and will eventually end. Red Teams also tend to use an array of well-known hacking techniques and so SOCs often know what to expect from the behavioural patterns of Red Teams, particularly if you outsource your SOC services.
Bug Bounty Program
A bug bounty program is a service where you invite ethical hackers to look for ‘bugs’ (vulnerabilities) in your technology software or estate; for example, your client web application; or e-commerce web site.
You will then compensate the ethical hackers for their valid reports whether that be monetary, recognition (entries on ‘Halls of fame’ etc.) or other token rewards such as company-branded ‘swag’.
When a company sets up a Bug Bounty Program, it will typically attract ethical hackers with a varying degree of experience. Some will focus on where the biggest payouts might be and as such are never aligned to the target client’s software development release cycle (SDLC) or business processes. It’s often a case of the ethical hacker seeking to make the largest reward as easily as possible.
Whilst there are some extremely talented ethical hackers on these bounty platforms, there can be massive variance in skill levels. Add to this the risk of unknown members of the public potentially impacting your operational stability, as well as unstructured vulnerability reporting. Both of these risks can induce significant workload and ‘noise’ onto in-house teams needing to perform time consuming and costly triage before action can be taken (and bounties paid out).
Target ‘scopes’ on said platforms can also often be limited and rarely do you place the whole organisation via such a public-facing platform.
A somewhat modern approach to Penetration Testing is ‘PenTest-As-A-Service’ (PTaaS). This typically means that results are output to a platform for ease of on-going management. There are only a few providers in this space, but many ‘crowdsource’ their people – they sub-contract the work. This can result, as with traditional Pentesting, Red Teaming or Bug Bounties, in the same variances in testing quality and reporting ‘noise’. Many independent consultants will also work for ‘PenTest-As-A-Service’ vendors alongside other full-time roles, meaning they are not dedicated to you or able to understand and become aligned to your business processes and objectives.
In addition, this repetitive method of ‘looking for the known’ cyber issues in the wild results in multiple ‘point-in-time’ testing projects that only compound to creating even more reporting noise and volume to manage – whilst missing deep, exploitable cyber risks.
Similar to Penetration Testing, PTaaS scopes are often limited and incur limited cyber attack simulation and little-to-no research to identify your specific 0-day vulnerabilities.
SOCs quickly detect Penetration Testing delivered via ‘PenTest-As-A-Service’ as a result of their typical, highly visible and ‘loud’ cyber approaches. If you really want your SOC tested and kept awake, PenTest-As-A-Service is unlikely to be in the best answer.
The Solution: Constant Cyber Attack by CovertSwarm
Instead of continuing to use traditional and outdated point-in-time Penetration Tests and Red Team Assessments, upgrade your organisation’s cyber security by removing the cyber risk gap that results from a reliance upon ad hoc testing for known cyber issues.
The focus of most companies has now shifted from formulating a static cyber security strategy to constant monitoring of their system to detect threats, patch vulnerabilities and implement advanced cyber technologies and services.
Working with a collective ‘Hive’ mindset, C
overtSwarm’s team of ethical hackers perform continuous vulnerability detection and simulated attacks against our clients’ organisations that constantly seek to discover and exploit their unknown risks. Keeping their SOC teams alert and awake at all times.
CovertSwarm is driven by the world’s first Offensive Operations Centre (OOC) that closely integrates into all business workflows, especially those from modern Agile or JIRA-powered companies. This makes CovertSwarm the most appropriate solution for researching, testing and proving your organisation’s security posture. Every day.
The OOC also makes use of Focused Sting Reporting (point of compromise detail), which separates our findings from the ‘noise’ produced by all other cyber testing programs on the market today.
At CovertSwarm, our Hives of ethical hackers collaborate within our Offensive Operations Centre to share detailed information about your business structure, processes, technology roadmap and architecture. We focus on people, process, technology and physical targets, therefore providing enabling us to build a holistic view of your cyber risks and removing the cyber risk gap left by less modern testing programmes and methods.
Direct Your Swarm
Using a conventional point-in-time testing procedure requires a pre-meditated checklist to be created in order to detect and exploit vulnerabilities and to put your SOC under attack.
With CovertSwarm our clients have total control to direct our research and continuous testing and attack procedures via our OOC portal. Enabling two-way communication between our attackers, and your defence teams.
Why you should choose CovertSwarm to test your Security Operations.
We adopt a focused, ethical and consistent approach to improving your cyber security and the quality of your technology estate and software product cycle. Our simulated 24/7 attacks expose real cyber vulnerabilities with us focusing perpetual research against your organisation’s 0-day issues and the unique risks that exist within your technology stack.
To get started with the world’s first Offensive Operations Centre, contact CovertSwarm today.