Penetration Testing is Dead as We Now Know It.
That is a brave title! But it is true, and I hope to prove it to you. Companies are wasting millions of dollars on penetration testing their environments when they could be spending that money more wisely and gaining much more valuable insight. Penetration testing must mature, and our view of it as management must change.
The foundation of this premise is that penetration testing based on known vulnerabilities is almost worthless. It is safe to assume that if you have a vulnerability, a hacker will be able to exploit it. After all, it was identified as a vulnerability for a reason! Do I care if someone can exploit the hole in my systems? No, not really. I don't need proof that lateral movement can occur within my network because of the hole. What I care about is that the hole is patched. It is great fun for Penetration Testers to exploit these holes, but it proves nothing and only ends up costing money.
I'm going to borrow the SANS Institute model for a Penetration Test (PT). Here are the steps:
- Pre-Engagement
- Recon
- Vulnerability Analysis
- Password Attacks
- Exploitation
- Post-Exploitation
- Reporting
Penetration Testers are some amazing people. They really are. They are curious and inquisitive. They have an understanding of systems and networks to levels I only dream about. As such, they are expensive to employ, rightly so! So, why are we using such valuable assets for the simple task of Vulnerability Assessment? What's the difference you ask? Great question.
A Vulnerability Assessment/Analysis (VA) is part of the PT process. During a VA, a tester runs various automated tools to check for known holes in your systems, networks, and firewalls: things that your team has not updated or patched. The emphasis is on KNOWN holes that have fixes. As Equifax can tell you, you need to apply patches! The question for me becomes, "Why are you not updating and patching your systems?" Why are you sitting there with known vulnerabilities in your environment?
Any cyber safety program must include vulnerability management: scanning, patching, and re-scanning to confirm the hole is gone. There are over 75,000 Common Vulnerabilities and Exposures (CVE) entries known to us. There is no reason to pay a Penetration Tester good money to discover those in your environment. You can easily use an assessment tool or cloud provider for far less than you would pay a Penetration Tester.
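As an added illustration of the scan, patch, re-scan loop (example code, not from the original post): reconciling a baseline scan with a post-patch re-scan to confirm which findings actually closed, flag new ones, and report any still open past an assumed remediation SLA. The hosts, CVE ids, dates and SLA values are constructed placeholders.

```python
# Added example (not from the original post): reconcile a baseline vulnerability
# scan with a post-patch re-scan to confirm which findings actually closed.
# Finding records and the SLA table are constructed for illustration.
from datetime import date

# Constructed sample findings. The CVE ids are placeholders, not real identifiers.
BASELINE = [
    {"host": "web01", "cve": "CVE-XXXX-0001", "severity": "critical", "first_seen": date(2024, 1, 2)},
    {"host": "web01", "cve": "CVE-XXXX-0002", "severity": "medium", "first_seen": date(2024, 1, 2)},
    {"host": "db01", "cve": "CVE-XXXX-0003", "severity": "high", "first_seen": date(2023, 12, 20)},
]
RESCAN = [
    {"host": "web01", "cve": "CVE-XXXX-0002", "severity": "medium", "first_seen": date(2024, 1, 2)},
    {"host": "db01", "cve": "CVE-XXXX-0003", "severity": "high", "first_seen": date(2023, 12, 20)},
    {"host": "db01", "cve": "CVE-XXXX-0004", "severity": "critical", "first_seen": date(2024, 1, 15)},
]

# Days allowed to remediate, by severity (assumed policy values, not from the post).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

def key(f):
    """A finding is identified by the (host, CVE) pair."""
    return (f["host"], f["cve"])

def reconcile(baseline, rescan):
    """Classify findings as closed (gone after patching), still_open, or new."""
    before = {key(f): f for f in baseline}
    after = {key(f): f for f in rescan}
    return {
        "closed": sorted(k for k in before if k not in after),
        "still_open": sorted(k for k in before if k in after),
        "new": sorted(k for k in after if k not in before),
    }

def overdue(findings, today):
    """Return (host, CVE) pairs whose age exceeds the SLA for their severity."""
    return sorted(
        key(f) for f in findings
        if (today - f["first_seen"]).days > SLA_DAYS[f["severity"]]
    )

if __name__ == "__main__":
    result = reconcile(BASELINE, RESCAN)
    print("closed:", result["closed"])
    print("still open:", result["still_open"])
    print("new:", result["new"])
    print("overdue as of 2024-01-20:", overdue(RESCAN, date(2024, 1, 20)))
```

The re-scan is the step that turns "we patched it" into "the finding is gone"; anything in still_open or new goes straight back into the patch queue.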
Now, before Penetration Testers gang up on me to remove my appendages, let me be clear: you STILL NEED Penetration Testers. How you use them is different, though. We want that third step, Vulnerability Analysis, to mature into finding human-generated causes. This is where Penetration Testers excel. Their creativity cannot be matched by automated software, which is why they are worth what we pay them. Yes, they will still use tools to accomplish their tasks, but they choose which tools to use based on their recon of the environment. I often describe this as "the penetration test the penetration tester really wants to do." And they get excited about it. Of course, there are still rules of engagement, such as no DDoS and no bringing production systems down.
The vision is to advance Penetration Testing and bring Vulnerability Scanning/Mitigation into the everyday actions of your organization. This strategy accomplishes a few things:
- We can update/patch vulnerabilities in near real time rather than waiting on the results of a detailed penetration test.
- Our expenditure is used more wisely as mentioned above.
- It relieves Penetration Testers of the mundane effort of gathering vulnerabilities. There really is no fun in that: you verify the results of the automated tools, and not much special knowledge is needed. This is not to devalue security analysts; vulnerabilities are incredibly important to resolve.
- It frees up the highly valuable penetration tester to focus on the "fun" tests. It allows them to use their creativity in testing an environment.
- The Penetration Tester can focus on internal systems, "assuming" access was gained. When we focus on the edge, our internal vulnerabilities are often missed. It is important to test our internal systems for horizontal and vertical movement possibilities, assuming someone made it through our exterior, regardless of the known edge vulnerabilities.
Assume the edge was compromised and test lateral movement inside
So there you have it. Penetration Testing is dead as we know it and must mature for all of our safety. With the proper vulnerability assessment and mitigation plan in place, we actually make our Penetration Testers' job harder, but trust me, they'll love it!
///Chris\\\
PS: No Penetration Testers or Security Analysts were harmed in the making of this post. ;)
PPS: This post comes with no marketing material or sales pitches. Amazing, isn't it?!? I'm not trying to sell you something. Just giving away good information. But remember, it was free so you get what you pay for. :)
Cheers!
Presales Consultant (7y):
The breach and attack simulation (BAS) market is gaining traction and has the advantage of providing continuous testing with limited risk to your environment (SaaS).
CISO | Cyber Risk Strategist | Keynote Speaker on Cybersecurity & Governance (7y):
No pentesters were harmed, but they sure caught feelings :)
Check Point and Founder of SL|CISO (7y):
Well said, even from a Pen Testing firm. Understand what you need and use spending wisely. This is where we find success.