Continuous Penetration Testing: Shattering the Hourglass
Every legacy penetration test report contains language something like this: “These results represent a moment in time and may not be indicative of the current state of the environment.”
But what if penetration testing never had to stop? What if a pen test could uncover vulnerabilities as they appear on the network?
In the past, the tradeoff between automated, continuous scanning versus true pen testing meant swapping convenience and coverage for the human element of testing.
Now, they can coexist.
Thanks to unique partnerships between Echelon, Plextrac, and Horizon3, companies can now combine automated, continuous pen testing with manual interpretation, recommendation, and further exploitation. This means security teams can benefit from a combination of the enhanced coverage of long-term scanning and the insight of human-led testing.
The recent talk between Echelon and PlexTrac provides a clear view about the future of continuous penetration testing. In an open discussion, cybersecurity experts discuss penetration testing’s evolution, the fact that penetration testing is an investment, and how this new paradigm of continuous testing can be implemented.
Here’s a summary of what was covered.
Evolution of Penetration Testing
Penetration testing has evolved past its exploit-centric days to incorporate more human-centric attack elements. Because penetration testing ultimately emulates adversaries, these changes are brought mostly by the advancement of cybercrime.
Due to the development of cybercrime, including both its methods and its increased profitability, pen testing has continued to take a larger role in the security program.
What these changes look like is an increased emphasis on social engineering and intelligence-led testing. Companies need to see a test that accurately emulates the threats that they face. The key to this is understanding who the threats are and understanding the different kinds of threats you can be up against.
In support of this, penetration testing is moving from one-off, expensive tests, to a more progressive approach.
Penetration Testing as an Investment
According to the webinar presenters, pen testing has been a “line item that’s not making you any revenue…a tough sell,” and it has been “difficult to demonstrate the value of a negative.”
However, it is possible to quantify the value of a penetration test by multiplying the likelihood of a breach by its estimated cost and comparing that value to the price of a penetration test (which will reduce the likelihood).
Additionally, the cost of data breaches is increasingly direct due to the explosion of ransomware attacks; not only is there an expense in remediation and rebuilding trust, but there is also the direct expense of paying a ransom. As Dan Desko said in the webinar, “The threat landscape has changed so much… with ransomware, now everybody is a juicy target.”
Implementing Continuous Testing
How should continuous testing be implemented to counter modern threats and evolve the penetration testing process as a whole?
According to the webinar presenters, automation is often seen as a dirty word, but it should be treated like a valuable tool. Thoughtfully constructed continuous pen testing will incorporate automation to increase the efficiency of testing.
Automation’s role is to save time – you’re paying to do effective work and then using manual testers to provide human insight based on organizational and threat intelligence.
Overall, the approach will be to perform periodic full pen tests informed by the progressive results, which will include social engineering, enhanced OSINT, and further exploitation.
Using automation as a point of leverage allows organizations to experience a more holistic and consistent picture of their attack surface at more than just a single point in time.
The Bottom Line
Attackers constantly find new vulnerabilities to exploit while IT departments regularly make environmental changes.
A continuous pen testing approach combines the knowledge of adversarial emulation engineers with best-in-class continuous and autonomous penetration testing tooling. This combination allows organizations to persistently emulate threat actor activity within a company’s unique environment at machine speed.
A continuous pen testing model will not only help your organization become more secure, but it will also ensure it stays that way.