Here at ON2IT, we like to keep our eyes open. We like feedback loops, fueling improvement processes. We’re not so fond of scare tactics and deeply dislike “boy who cried wolf” numbness, aka alarm fatigue.
Catching just a single moment is asking for trouble
A one-off vulnerability assessment or penetration test may serve to raise awareness to gain focus. Still, it also bears a risk of fatigue in that it usually raises a seemingly insurmountably large heap of issues. One-off assessments produce endless, tedious lists of assets plagued by myriads of problems, catching just a single moment in time and disregarding the fabric, the process chains, in which the observed details play together.
On average, there is a hacking attempt every 39 seconds. The average cost of a data breach is 3.9 million dollars.
Testing environments against possible exploitations and exfiltrations continuously makes sense
On average, there is a hacking attempt every 39 seconds . The average cost of a data breach is 3.9 million dollars . Does this sound like scare tactics? Let’s not take it that way. There’s certainly something at stake here. We see a compelling reason to act. Given there’s a large attack intensity and a large and moving, attack surface we think fueling a practical, hands-on improvement process by testing environments against possible exploitations and exfiltrations continuously makes sense. We call this continuous security validation.
Three purposes for continuous validation
There are multiple contexts and multiple purposes for continuous validations. Let’s mention a few.
1. Measure compliance of security configurations against frameworks
One, we like to keep the operational organization sharp. So we measure compliance of security configurations, including policy, against regulatory frameworks and sets of defined best practices. Aberrations can be flagged that way, regressions dealt with, and this way of constant evaluation also fits nicely within an optimization process aimed to raise quality over time, measuring progress along the way.
2. Test and stretch operational resilience
Another one is where you seek to test and stretch operational resilience. Execute real-world attacks, in emulation, overt at first. Measure to what extent these nefarious acts were picked up and to what extent and in which timeframe they were acted upon. Use that information to improve responsiveness, raise (automated) awareness – and re-validate by making the attacks more covert, stealthier, increasing the sensitivity of the security organization and its agility in coping with attacks in progress.
3. Map out an evolving vulnerability service over time
A third one is to map out an evolving vulnerability service over time. The initial situation may be hard to act upon, but changes over time are always interesting – be it for better or for worse. Changes are incentives for further improvement.
Any next iteration will show (or disprove) the effectiveness of implemented mitigations, so you’ll witness effective improvement in your security posture over time. This means it fits a Zero Trust approach like a glove, allowing a very controlled way of sharpening the security posture over time, with pleasant feedback cycles upon work well done and subgoals attained.
Don’t fall for a one-off scan, Automate your pentesting
A yearly one-off penetration test produces a seemingly endless amount of issues. Where do you even start? By pentesting continiuously you keep your security resilient. Want to know more? Join our webinar!
So how does continuous security validation work?
Continuous security validation is a proactive approach to strengthen your organization’s security as it grows, evolves, and changes over time. It maps out the weak spots, delivers specific advice on mitigation, and delivers concrete improvement metrics.
Emulation is actually performing all the actions exactly as they are as opposed to simulation, which uses a virtual representation of actions and environments.
Simulation vs. emulation: performing all the actions exactly as they are to perform validations effectively, we use threat modeling frameworks like MITRE ATT&CK to validate realistic attack vectors. This enables you to perform attack emulations.
Notice we’re not saying ‘simulation.’ emulation is actually performing all the actions exactly as they are as opposed to simulation, which uses a virtual representation of actions and environments. This can lead to skewed results.
Really doing the work
In layman’s terms, we really leverage actual remote and local vulnerabilities, really execute code remotely, really bypass antivirus measures, really hunt down authentication- and authorization weaknesses, and really use ‘pivot’ hosts to stage complex attacks and penetrate deeply into target networks.
Now, the combination of skill sets needed to perform these security validations is somewhat rare, tough to find in-house, hard to outsource reliably — and costly to boot to hire on a structural basis. Luckily, there are emerging platforms and solutions which can automate a large chunk of it. This also makes you rely less on the unique technical capabilities and focal interests of any particular individual you’d assign to the job.
Look once, analyze, make changes, look again – and keep doing this, taking things one step at a time.
Conclusion: don’t just look once
If there’s anything to take away from this article, let it be this. If you’re seeking to take control of and improve an existing situation, don’t look once. Instead, Look once, analyze, make changes, look again – and keep doing this, taking things one step at a time.
Small changes at a time with a bit of stamina are bound to pay much more dividends than a single, exhaustive all-out effort.
Alex van Eersel and Jeroen Scheerder
Pentester & Research Lead