Annual Penetration Testing is no longer enough
Updated: Sep 16, 2020
The ‘annual penetration test’ has long been a cornerstone of cybersecurity defences for organisations of all sizes. The premise behind such ad-hoc testing is that it gives you insight into your security weaknesses and vulnerabilities so that you can mitigate the risks identified and remain ‘cyber secure’.
Is this still true today? Is an annual penetration test (or even a quarterly one) enough to protect your organisation against the growing number of cyber threats?
Internet use has proliferated, and the volume of cyber-exploitation directed against organisations has risen dramatically in recent years.
The situation is complicated further by today’s heterogeneous and complex IT environments, with lean software delivery teams running at pace to ship features and software, often making multiple releases into production per day. As a result, an ad-hoc pentest or red team engagement model can no longer keep security risk mitigation running at the same pace as development.
Ad-hoc testing, being ‘point in time’, presents a useful albeit very narrow view of your security posture. Rapid development cycles and highly variable infrastructure topologies mean that your organisation’s attack surface is constantly changing, and that you are increasingly exposed to constant attack. Cyber risk trends have been moving this way for several years: one survey found that the number of organisations that believe, or have found, that they were under constant attack jumped 300% from 2013 to 2014 alone, with almost 20% of respondents indicating they were under constant attack.
Many companies, including giants such as Facebook, Netflix and Amazon, have adopted a DevOps framework to underpin continuous delivery. In recent times Netflix has moved from a three-week update cycle to a daily cycle; Amazon is rumoured to release multiple times per minute. Your own release cycle may be as rapid as Netflix’s or a little less frequent. The point is, it’s unlikely that your environment stays in any stable, ‘fixed’ state for any length of time.
For these reasons, a point in time test or ad-hoc red team offensive engagement fails to adequately protect your organisation. Let’s look at a few of the key reasons in more detail.
‘364’ days of exposure
Once your annual penetration test is completed, that’s it for another 364 days with no further testing. This is ineffective for two reasons. First, the threats against your organisation, and the weaknesses that threat agents are currently exploiting, change day by day.
Second, while the traditionally accepted process of running a penetration test annually may be beneficial and undoubtedly provides some enhancement to your security, it fails to reflect the reality of the real world: one of being constantly exposed to an increasing number of threats.
Your organisation is under threat every day from external threat actors looking to exploit your cyber weaknesses. It stands to reason, then, that to reduce this risk any progressive organisation should consider constant testing of its IT estate, not just at the level of IT but at the complete organisational level. Engaging a partner who can apply constant, positive-pressure cyber attacks against your organisation as a whole, driven by a team of cyber specialists, provides a more lifelike scenario in which weaknesses are discovered in real time and exploitation is attempted straight away.
CovertSwarm has developed a 365 day per year method that delivers this constant attack, whilst being a ‘friendly adversary’ to your engineering, DevOps, SOC and risk teams.
Penetration tests fail to deliver the most valuable information
More often than not, penetration tests deliver a lot of ‘noise’ in their results. A test may pick up misconfigurations that can and should be fixed but are neither critical nor likely to be an attack vector that criminals would target. Adding to the noise and confusion, many companies offering penetration testing deliver inconsistent results, leaving clients unsure which vulnerabilities to address first.
Because penetration testing has come to be seen as a de facto ‘must-do’ item to ‘tick off’ for compliance (PCI DSS etc.), and because it is very rigid in its approach, it can fail to deliver the true value it is intended to provide. Rigid scopes and repetitive testing patterns and methods are compounded by a fear among CTOs that their pentesters will find yet more weaknesses that need fixing. Worry about the cost of addressing these ‘noisy’ vulnerabilities means many businesses stick to limited testing each year and never realise the true benefit of an external cyber offensive test.
APTs don’t care about your scope
While your pentester’s scope may be rigidly set to cover the basics, and perhaps even set up to limit the number of items you need to fix, malicious threat actors, often referred to as ‘Advanced Persistent Threats’ (APTs), don’t care about this and don’t need to play by such artificial rules: they look at your organisation as a whole and search for any weakness. Constraining your cyber testing in this way does not make sense if true cyber risk mitigation is your priority, especially when you consider the financial and reputational damage a breach causes. In early 2020 Travelex’s services went offline for more than a month after a major cyber attack.
More recently, in July 2020, international brand Garmin is believed to have paid some or all of a $10 million cryptocurrency ransom to the criminals who targeted it in a major ransomware attack.
What is constant ‘positive pressure’ cyber testing?
The industry must now move beyond the annual, or at best ‘ad-hoc’, penetration test as events like the Garmin and Travelex breaches become increasingly common. CTOs and CCOs should be asking what they can do to avoid being the next Travelex or Garmin.
The CovertSwarm answer is to replicate the way these ‘real world’ attacks work: specialist groups of cyber subject matter experts put pressure on a targeted organisation until they find a weakness to exploit. And they do so relentlessly.
At CovertSwarm we organise our teams into ‘Hives’ of experienced, ethical hackers that constantly and relentlessly probe our clients’ organisations for both known issues and unknown, zero-day issues. As more clients trust us to constantly attack them, our Hives grow, as does our swarm. We become more knowledgeable, run more frequent and deeper attacks, and assimilate more information, leading us to ‘Sting’ (compromise) more: as we grow, you benefit.
Our approach is already used in other areas by businesses including Netflix, who simulate user activity and demand via ‘load testing’ and their famous ‘Chaos Monkey’, which deliberately disrupts production services. This constant positive-pressure testing lets them understand their requirements better and avoid being overwhelmed to the point of failure.
Applying the same approach to cybersecurity vulnerability detection and exploitation makes far more sense than trying to pick up the pieces after a cyberattack, or only rattling the locks of your security periodically. CovertSwarm has firm values, one of which is to support the cyber community, raise awareness and constantly defeat the online and social engineering threats that all successful and attractive organisations face. Our approach gives your business the true cyber clarity it seeks and delivers value by removing the noise that so often clogs product delivery and change pipelines. By working in a way that reflects the real world today, and applying constant positive-pressure cyber offensives, CovertSwarm can help you move beyond traditional, ad-hoc penetration testing to deliver much more effective results and improve the pace of your innovation.
If you would like more information about CovertSwarm and how we can help you, please get in touch with our team.