{"id":38143,"date":"2022-10-17T16:29:44","date_gmt":"2022-10-17T05:29:44","guid":{"rendered":"https:\/\/www.institutedata.com\/?p=38143"},"modified":"2022-11-04T17:08:34","modified_gmt":"2022-11-04T06:08:34","slug":"beyond-penetration-testing-in-cyber-security-part-two","status":"publish","type":"post","link":"https:\/\/www.institutedata.com\/sg\/blog\/beyond-penetration-testing-in-cyber-security-part-two\/","title":{"rendered":"Beyond Penetration Testing in Cyber Security (Part Two)"},"content":{"rendered":"<div class=\"pulse-card-cell-wrapper\">\n<div class=\"pulse-card-cell-wrapper-component\">\n<div class=\"cell-wrapper can-edit\">\n<div class=\"cell-component long-text-cell col-identifier-long_text\">\n<div class=\"long-text-cell-component\">\n<div class=\"long-text-cell-value\">\n<div class=\"ds-text-component\" dir=\"auto\"><strong>By Ez Yiap \u2013 Cyber Security Consultant (GRC) and Assistant Trainer for the Institute of Data\u2019s Cyber Security Program.<\/strong><\/div>\n<div dir=\"auto\"><\/div>\n<div class=\"ds-text-component\" dir=\"auto\"><strong>An IOD alumnus who pivoted into cyber security, Ez now helps organisations assess and strengthen holistic cyber security. Ez is passionate about contributing and coaching in the cyber security community. Connect with him on <a href=\"http:\/\/www.linkedin.com\/in\/ez-yiap\/\" target=\"_blank\" rel=\"noopener\">LinkedIn<\/a>!<\/strong><\/div>\n<div dir=\"auto\">\n<hr \/>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p><span style=\"font-weight: 300;\">Circling beyond the cyber security practice of penetration testing (pen testing) are a number of supporting, complementary and more evolved engagements. With so many different controls available for assessing and improving cyber security, it can get confusing as to what purpose each one serves. 
There are many types of tests, teams and tactics, and each has its place.<\/span><\/p>\n<p><span style=\"font-weight: 300;\">Pen testing is an essential part of a mature cyber security program, with several types of tests that can be conducted, as detailed in our part one, \u2018<\/span><i><span style=\"font-weight: 300;\">Understanding Penetration Testing\u2019<\/span><\/i><span style=\"font-weight: 300;\">. <\/span><\/p>\n<p><span style=\"font-weight: 300;\">In this part two, we\u2019ll explore some of the ways traditional pen testing has evolved and the ways pen testing complements holistic cyber security functions.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Vulnerability Scanning vs Penetration Testing<\/span><\/h2>\n<p><span style=\"font-weight: 300;\">Vulnerability scanning and pen testing are sometimes confused with each other, or lumped together under the catch-all label \u2018vulnerability testing\u2019. Different organisations do use terminology in their own ways, but the common industry understanding separates the two as follows:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 300;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Vulnerability Scanning<\/span><span style=\"font-weight: 300;\">: The practice of using automated tools to scan networks and applications for known security weaknesses, such as an unpatched operating system or software version, or exposed ports and protocols. The scanner typically identifies these by matching service banners and version strings against a database of published vulnerabilities, then rates and ranks the findings (commonly on a CVSS-based scale) so that remediation (patching) can be prioritised. This is a fairly non-invasive means of security health-checking.<\/span><\/li>\n<li style=\"font-weight: 300;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Penetration Testing<\/span><span style=\"font-weight: 300;\">: The practice of attacking and exploiting an environment, application or even a physical location through a structured methodology to identify security risks and vulnerabilities. These could be in hardware, software, people, processes, configurations etc. 
Pen testing combines manual technique with automated tooling, and adopts the view of a plausible threat actor so that findings come with real-world context.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 300;\">Vulnerability scanning is vital to the upkeep of security across infrastructure and applications because new flaws and vulnerabilities are disclosed constantly and development moves quickly. Regular scanning and rating let an organisation confirm that current patches are installed before known exploits are used against it. A scanner only reports what it can recognise, however, so its output needs validation: false positives are common, an unauthenticated scan misses weaknesses that are only visible from inside the host, and a finding on its own says nothing about whether the weakness is actually exploitable in that environment.<\/span><\/p>\n<p><span style=\"font-weight: 300;\">Pen testing may involve some vulnerability scanning during the reconnaissance phase of the attack. This is what a threat actor would most likely do to discover what applications, devices, ports, services etc. are exposed and where the versions in use may permit exploits to be run. However, this is just one initial part of a pen test, as the ultimate objective of pen testing is to go beyond identifying vulnerabilities to actually exploiting them and seeing what may be gained in doing so.<\/span><\/p>\n<p><span style=\"font-weight: 300;\">Both vulnerability scanning and pen testing are common security compliance requirements and can be engaged and implemented in various ways. For instance, PCI DSS requires internal and external vulnerability scans at least quarterly (the external scans by a PCI-approved scanning vendor) and after significant changes, and requires critical security patches to be installed within one month of release.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">What about social engineering?<\/span><\/h2>\n<p><span style=\"font-weight: 300;\">Social engineering is a technique that may be paired with a pen testing engagement, as it extends the attacker\u2019s view to how people function as a security control. Social engineering aims to get a person to take an action or divulge something through manipulation by any available means. 
Commonly, social engineering leverages human emotions, goodwill, lack of knowledge or awareness, poorly defined behavioural practices, or straight-up deception.<\/span><\/p>\n<p><span style=\"font-weight: 300;\">Several forms of social engineering exist.<\/span><\/p>\n<ul>\n<li style=\"font-weight: 300;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Phishing<\/span><span style=\"font-weight: 300;\">: One of the oldest and still most lucrative techniques, phishing uses email to harvest user information and credentials or to lure a person into performing actions that benefit the threat actor. Phishing has since spread to SMS (smishing), voice calls (vishing) and any other messaging platform or service, such as WhatsApp or Instagram.<\/span><\/li>\n<li style=\"font-weight: 300;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Phone call<\/span><span style=\"font-weight: 300;\">: Whilst some categorise this as vishing, over-the-phone social engineering tends to differ in sophistication and complexity. Phishing in most forms is broad rather than targeted; when it is narrowly targeted at an individual or role it is called spear-phishing. Phone call social engineering usually requires a high level of reconnaissance and background work, often through open-source intelligence (OSINT), to manipulate a specific person on the other end of the line. Where typical phishing is relatively passive, phone-based social engineering is highly active, with a high degree of real-time persuasion involved.<\/span><\/li>\n<li style=\"font-weight: 300;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Physical<\/span><span style=\"font-weight: 300;\">: Physical social engineering tests human interactions, responses and actions through real-life scenarios. This may be by posing as a legitimate identity to see how well staff identify and authenticate others, or by navigating physical security controls that depend on human behaviour. 
An example is wearing a recognisable uniform and approaching a building\u2019s reception to request access that should require specific authorisation.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 300;\">Social engineering complements pen testing because many real attacks rely on it to obtain credentials or an initial foothold that breaches the outer boundary of the environment or application.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Which team to pick?<\/span><\/h2>\n<p><span style=\"font-weight: 300;\">The cyber security world loves its different teams and roles, and there are some common terms that are important to understand and distinguish in order to appreciate their respective value. The team names come from cyber security exercises. During a simulated cyber security incident, one team performs the duties of the attacker whilst another team performs the duties of the defender. Assessment and insights are drawn from the interaction and results of both teams, and from this the organisation\u2019s incident response preparedness can be measured and improved.<\/span><\/p>\n<ul>\n<li style=\"font-weight: 300;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Blue Team<\/span><span style=\"font-weight: 300;\">: The defending team during an attack exercise. Usually, this team is represented by members of the security operations centre (SOC). These are analysts who use tools to monitor infrastructure, networks and end-user devices for indicators of compromise, threats and unusual activity. Beyond detection, they may also be able to contain and stop attacks in real time.<\/span><\/li>\n<li style=\"font-weight: 300;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Red Team<\/span><span style=\"font-weight: 300;\">: The offensive team during an attack exercise. Usually, this team is represented by offensive security experts, like pen testers. 
Within the rules of engagement for the exercise, the Red Team seeks to attack and exploit the environment whilst evading detection by the Blue Team. The Red Team may have objectives like exfiltrating data, gaining specific control of a system or gaining access up to a certain point of the environment.<\/span><\/li>\n<li style=\"font-weight: 300;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Purple Team<\/span><span style=\"font-weight: 300;\">: A Purple Team puts the Red and Blue Teams in direct dialogue rather than having them work blind to each other. Each technique the Red Team executes is compared against what the Blue Team actually detected and how it responded, and every gap becomes a concrete detection or control improvement. Rather than a simple offence vs defence contest, a Purple Team exercise adds a strategic layer: it is more than a point-in-time effort and can set a roadmap for stronger security controls.<\/span><\/li>\n<li style=\"font-weight: 300;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Gold Team<\/span><span style=\"font-weight: 300;\">: Less commonly encountered, this is a non-technical team and exercise. A Gold Team exercise tests the response to a cyber security crisis at the leadership level: senior management\u2019s decision-making and the organisation\u2019s use of its incident response and business continuity controls against a tailored scenario.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 300;\">No one team is better than another in cyber security. Each serves its own function and is important. 
Depending on the organisation, its maturity and the business requirements, one, some or all of the teams may be called upon to assess and grow the cyber security posture.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Is adversary simulation better?<\/span><\/h2>\n<p><span style=\"font-weight: 300;\">Depending on who you talk to, adversary simulation may be called Red Teaming, adversary emulation or something else again. Regardless of the branding, what makes adversary simulation a next-level exercise is the sophistication of the scenario and preparation work. It includes substantial threat intelligence groundwork and mapping of adversary techniques (commonly against a framework such as MITRE ATT&amp;CK) specific to the client\u2019s vertical or business.<\/span><\/p>\n<p><span style=\"font-weight: 300;\">A pen tester may be tasked with building a threat actor profile that gives insight into motive, skills and resources, and may also work with a cyber threat intelligence specialist. A cyber threat intelligence specialist researches and stays apprised of the cyber threat landscape, as well as the most active threat actors and groups. They build cases for who is being targeted and why, the trends the industry is seeing, and which techniques and tools are popular.<\/span><\/p>\n<p><span style=\"font-weight: 300;\">By determining the most likely adversaries and their tactics, techniques and tools, the red team can emulate a realistic scenario to test the security controls and defences the organisation has implemented. That threat landscape context lets the organisation prioritise the resilience controls that matter most, rather than hoping for the best or slogging through generic best practices.<\/span><\/p>\n<p><span style=\"font-weight: 300;\">Adversary simulation often includes crafting social engineering using human intelligence (HUMINT) combined with OSINT. 
Combining physical and digital means of gathering intelligence gives holistic insight into security awareness gaps as well as the digital footprint an organisation\u2019s staff leave behind.<\/span><\/p>\n<p><span style=\"font-weight: 300;\">Adversary simulation may have a broader scope and timeframe, with the client permitting the testing team to go further than a traditional pen test or red team exercise in order to emulate the no-holds-barred approach a motivated threat actor would take. It is usually run with only a very small group of stakeholders aware of the exercise, so that the real impact at every stage of the attack, including the defenders\u2019 unrehearsed response, is captured.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">How long, how often and how to decide?<\/span><\/h2>\n<p><span style=\"font-weight: 300;\">The duration of a pen test comes down to the client\u2019s budget, the testing entity\u2019s available resources and the goal of the engagement. The longer the testing, the more comprehensive the results are likely to be, but the greater the investment. Scope is another key factor: the larger the infrastructure, for example a wide range of IP addresses or web application URLs, the longer and more involved the testing will be. Similarly, a large enterprise undertaking an adversary simulation could need months rather than weeks for the exercise to be truly valuable against its large attack surface.<\/span><\/p>\n<p><span style=\"font-weight: 300;\">Commonly, external infrastructure pen testing runs for about 5 to 7 days for mid-sized organisations. Internal testing may be shorter at 3 to 5 days. Web applications could range from 4 to 10 days, and it really does depend. 
Red team and adversary simulation exercises are rarely shorter than two weeks (10 working days) because of the preparation and reconnaissance work involved, along with the detailed reporting that follows. Some engagements run upwards of 22 weeks, such as those under the Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework for Australian financial institutions.<\/span><\/p>\n<p><span style=\"font-weight: 300;\">How often an organisation should conduct pen testing depends on several factors. A good practice is to pen test infrastructure and applications after any significant change and at least annually, or more often where regulation or compliance with security standards and frameworks requires it.<\/span><\/p>\n<p><span style=\"font-weight: 300;\">What to test should be driven by a risk-based approach in addition to meeting any compliance requirements. Assessing where the organisation\u2019s crown jewels are and knowing what types of valuable data sit where in the environment, as well as the impact of a compromise of confidentiality, integrity and availability, will help guide what should be pen tested.<\/span><\/p>\n<p><span style=\"font-weight: 300;\">Pen testing opens doors to many aspects of cyber security, with varied flavours of engagement that can be undertaken. It is a career path many choose because there is ample room to grow and diversify skill sets, with new and evolving challenges arising constantly.<\/span><\/p>\n<p><span style=\"font-weight: 300;\">Having a foundation in cyber security and working as a pen tester could see you leading secretive, sophisticated adversary simulations. You could find yourself working at the cutting edge of threat intelligence. 
Or perhaps pen testing becomes a stepping stone to leading organisations in bringing their various teams together for greater cyber resilience and incident response.<\/span><\/p>\n<p><span style=\"font-weight: 300;\">Being a pen tester requires keen perception and a high level of attention to detail. The cyber industry also needs more candidates with vision and leadership qualities who can bring a range of diverse skills to pen testing engagements and beyond.<\/span><\/p>\n<p><span style=\"font-weight: 300;\">If pen testing could be the cyber pathway for you, <a href=\"https:\/\/www.institutedata.com\/sg\/consultation\/\">book a career consult<\/a> with a course advisor today to learn more about how you can get the job-ready skills to step up and into the industry.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Ez Yiap \u2013 Cyber Security Consultant (GRC) and Assistant Trainer for the Institute of Data\u2019s Cyber Security Program. An IOD alumnus who pivoted into cyber security, Ez now helps organisations assess and strengthen holistic cyber security. Ez is passionate about contributing and coaching in the cyber security community. Connect with him on LinkedIn! 
Circling&hellip;<\/p>\n","protected":false},"author":1,"featured_media":38136,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[495,137],"tags":[],"class_list":["post-38143","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-security-technology","category-industry"],"_links":{"self":[{"href":"https:\/\/www.institutedata.com\/sg\/wp-json\/wp\/v2\/posts\/38143","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.institutedata.com\/sg\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.institutedata.com\/sg\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.institutedata.com\/sg\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.institutedata.com\/sg\/wp-json\/wp\/v2\/comments?post=38143"}],"version-history":[{"count":0,"href":"https:\/\/www.institutedata.com\/sg\/wp-json\/wp\/v2\/posts\/38143\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.institutedata.com\/sg\/wp-json\/wp\/v2\/media\/38136"}],"wp:attachment":[{"href":"https:\/\/www.institutedata.com\/sg\/wp-json\/wp\/v2\/media?parent=38143"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.institutedata.com\/sg\/wp-json\/wp\/v2\/categories?post=38143"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.institutedata.com\/sg\/wp-json\/wp\/v2\/tags?post=38143"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}