Role of impactful penetration testing amid rise of AI-powered threat actors
By Ed Skoudis, President SANS Technology Institute
It’s no secret that penetration testing is among the most effective methodologies for helping determine an organisation’s risk posture. While it’s true that other standard processes like gap assessments, auditing, architecture reviews and vulnerability management all offer significant value, there’s still no substitute for impactful penetration testing. When done correctly, it signifies where the rubber meets the road – serving as a situational barometer for aligning security defences with ever-evolving cyber threats and budgetary realities.
At its core, penetration testing falls under the umbrella of ethical hacking, where simulated threat actors attempt to identify and exploit key vulnerabilities within an organisation’s security environment. Gaining this visibility casts a spotlight on the link between cyber and business risk amid rapid increases in AI-powered attacks targeting enterprise networks.
The rise of ChatGPT, for example, has been well-documented as a cyber crime game-changer, democratising highly advanced tactics, techniques and procedures (TTPs) so average adversarial threat actors can increase lethality at low costs. Empowering run-of-the-mill hackers to continuously punch above their weight class will only continue to amplify the volume and velocity of attacks, heightening the importance of effective penetration testing programmes that help mitigate the severe business impact of breaches. On average, victims lost a record-high $9.4 million per breach in 2022.
Compounding the issue is a pattern of poor security posture across the public and private sectors. The SANS 2022 Ethical Hacking Survey found that more than three-quarters of respondents indicated “only a few or some” organisations have effective network detection and response (NDR) capabilities in place to stop an attack in real time. Furthermore, nearly 50% said most organisations are either moderately or highly incapable of detecting and preventing cloud- and application-specific breaches. It’s clear that more must be done to swing the balance of power away from adversaries.
Enter penetration testing, which can provide unrivalled contextual awareness for refining cyber defences, threat remediation and recovery processes within an overarching risk management architecture. For organisations implementing penetration testing programmes at scale, keep the following fundamental tenets top of mind to maximise impact.
The goal-oriented mindset
Just over a decade ago, a longtime colleague and close friend of mine, Josh “Jabra” Abraham, developed a compelling case for the increased adoption of a goal-oriented approach to penetration testing. He prefaced it with a simple question:
What drives the penetration tester? How do they know what they want or what level of access is going to demonstrate the highest risks to the organisation?
The answer was a clear set of predefined goals that didn’t revolve around the tactical processes and technical workflows most associated with penetration testing at the time. Contrary to popular opinion across cyber security circles, identifying surface-level vulnerabilities wasn’t the ethical hacker’s golden goose.
To be clear, penetration testing and vulnerability assessments are not two sides of the same coin. While the latter is static and lacking in context, the former is designed to uncover fundamental business risks by manually testing an organisation’s defensive posture to steal data or achieve a level of unauthorised access. The end-game isn’t about identifying the actual vulnerabilities themselves, but rather the doors that those vulnerabilities open – and the business consequences of allowing an adversary to walk through them undetected.
Fast forwarding to today, Abraham’s goal-oriented approach has emerged as a foundational pillar of penetration testing. For ethical hacking to offer maximised value, there need to be predefined goals in place, structured around an organisation’s most vulnerable areas of business disruption, to mirror a worst-case scenario attack. Ethical hackers target those areas to measure the organisation’s level of cyber resilience, revealing how pockets of low-risk vulnerabilities can combine to create an overarching high-risk scenario that puts the business in jeopardy.
- For a major TV provider, it could be a ransomware attack that blacks out a nationally televised sports broadcast to cause billions in lost advertising revenue.
- For a water treatment plant, it could be a nation-state attack that contaminates an entire city’s water supply to spawn a public health crisis.
- For a federal agency, it could be an insider threat attack that leaks national security intelligence to foreign adversaries for monetary gain.
Regardless of what encompasses that doomsday scenario, penetration testing must start with a firm understanding of where the attacker’s ultimate goalpost lies and how that might harm your business. That is the only real way to discover the right vulnerabilities with the right context for mitigating business risk.
Connecting the vulnerability dots
As the lines between cyber and business risk have blurred over the years, penetration testing has emerged as a critical component of proactive risk prioritisation. It enables organisations to generate detailed visibility into risk posture, with probability scales and financial forecasts linked to various areas of their security environment. Armed with these high-level insights, CISOs have the foresight to make educated decisions by weighing the business impact of a potential attack against the likelihood that it will actually happen, and then allocating security resources accordingly to boost ROI and strengthen protection.
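The two ideas above, that individually low-rated findings chain into a path to a business-critical goal, and that remediation should be prioritised by probability weighted against financial impact, can be made concrete with a small model. The following is an added worked example, not code from the article or from SANS. The findings, step probabilities and impact figures are constructed for illustration; the model assumes each step's success is independent of the others and treats alternative paths as independent, both simplifying assumptions a real engagement would refine.

```python
"""Goal-oriented attack-path model (constructed example, not from the article).

Each finding is a step between two positions an attacker could hold, with an
estimated probability that the step succeeds. A scenario is a goal position
plus the estimated financial impact of reaching it. Chaining steps multiplies
their probabilities, so several "low" findings can still produce a material
expected loss, and the ranking shows which single fix removes the most of it.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    fid: str       # report identifier (constructed)
    src: str       # position the attacker already holds
    dst: str       # position reached if the step succeeds
    p: float       # estimated probability the step succeeds (assumption)
    severity: str  # standalone rating, as a scanner would report it


@dataclass(frozen=True)
class Scenario:
    name: str
    goal: str      # position whose compromise realises the scenario
    impact: float  # estimated loss in currency units (constructed)


def enumerate_paths(findings: List[Finding], start: str, goal: str) -> List[List[Finding]]:
    """Depth-first search returning every simple path of findings from start to goal."""
    by_src: Dict[str, List[Finding]] = {}
    for f in findings:
        by_src.setdefault(f.src, []).append(f)
    paths: List[List[Finding]] = []

    def walk(node: str, used: List[Finding], visited: set) -> None:
        if node == goal:
            paths.append(list(used))
            return
        for f in by_src.get(node, []):
            if f.dst in visited:        # avoid cycles
                continue
            used.append(f)
            visited.add(f.dst)
            walk(f.dst, used, visited)
            used.pop()
            visited.discard(f.dst)

    walk(start, [], {start})
    return paths


def path_probability(path: List[Finding]) -> float:
    """Probability the whole chain succeeds, assuming independent steps."""
    p = 1.0
    for f in path:
        p *= f.p
    return p


def scenario_probability(findings: List[Finding], start: str, scenario: Scenario) -> float:
    """Probability that at least one path reaches the goal (paths treated as independent)."""
    fail = 1.0
    for path in enumerate_paths(findings, start, scenario.goal):
        fail *= 1.0 - path_probability(path)
    return 1.0 - fail


def expected_loss(findings: List[Finding], start: str, scenarios: List[Scenario]) -> float:
    """Sum over scenarios of probability times financial impact."""
    return sum(scenario_probability(findings, start, s) * s.impact for s in scenarios)


def rank_remediations(findings: List[Finding], start: str,
                      scenarios: List[Scenario]) -> List[Tuple[str, float]]:
    """Expected loss avoided by fixing each finding alone, highest first."""
    base = expected_loss(findings, start, scenarios)
    gains = []
    for f in findings:
        remaining = [g for g in findings if g.fid != f.fid]
        gains.append((f.fid, base - expected_loss(remaining, start, scenarios)))
    return sorted(gains, key=lambda t: t[1], reverse=True)


# Constructed sample data: four findings a scanner would each rate "low".
FINDINGS = [
    Finding("F1", "internet", "workstation", 0.30, "low"),       # mail filtering gap
    Finding("F2", "workstation", "server", 0.50, "low"),         # shared local credentials
    Finding("F3", "server", "broadcast_ctrl", 0.40, "low"),      # unpatched internal service
    Finding("F4", "workstation", "broadcast_ctrl", 0.10, "low"), # flat network segment
]
SCENARIOS = [
    Scenario("broadcast outage", "broadcast_ctrl", 50_000_000.0),
    Scenario("subscriber data theft", "server", 10_000_000.0),
]

if __name__ == "__main__":
    print(f"total expected loss: {expected_loss(FINDINGS, 'internet', SCENARIOS):,.0f}")
    for fid, gain in rank_remediations(FINDINGS, "internet", SCENARIOS):
        print(f"fix {fid}: avoids {gain:,.0f}")
```

With these constructed numbers the two goal paths give the outage scenario a combined probability just under 9%, and the ranking puts F1 first and F2 second even though F3 and F4 carry the same standalone rating, because F2 sits on paths to both scenarios. That is the kind of context a finding-by-finding severity list cannot provide.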
The distinct illumination and reassurance afforded by penetration testing also helps demystify the complexity of the cyber threat landscape, translating cyber risk into actionable business terms that better resonate with the C-Suite and board. Actual illustrative stories from recent penetration testing engagements make it much easier for cyber resilience leaders to articulate risk in a way that fosters collective buy-in across corporate leadership to ensure security remains a top organisational priority.
It’s important to remember that, regardless of a penetration testing programme’s effectiveness, grey areas and precarious judgment calls around risk prioritisation will always exist. Penetration testing helps ensure CISOs can come to the most informed decision possible. Otherwise, they are taking a blind shot in the dark at what their real business risks are.
Iron sharpens iron
Just as cyber security is a team sport, so too is penetration testing. Fundamentally, a penetration testing programme applies targeted offence – the same TTPs leveraged by sophisticated threat actors – to guide how organisations should construct their defences. Penetration testing can also be a precursor to red team exercises. For more mature organisations that already conduct regular penetration testing, red team exercises involve a “red” offensive team, along with threat hunters and SOC analysts as the “blue” defensive team. And just like we all learned in elementary (and cyber security) school, fusing both together creates the colour purple.
The concept of purple teaming is often mischaracterised. It isn’t a singular team of offensive experts and hunters all operating together in unison. Rather, it’s a verb in this context that describes how red and blue sides can collaborate to expand knowledge, sharpen strategy and boost operational efficiency. And while it’s less obvious at the surface level, blue can help red just like red helps blue.
Collaborative intelligence sharing, for example, provides further perspective to ethical hackers on how a particular TTP was identified. That way, the red team can adjust their approach for the next attempt to ensure it’s more lethal, which in turn makes the blue team stronger. Consider it like iron sharpening iron – ultimately everybody benefits.
The rate of AI adoption on both sides of cyber security’s dividing line won’t be slowing down anytime soon. AI-powered attackers are here to stay and what we thought we knew about AI-based attacks two weeks ago could very well be irrelevant today. This reality heightens the importance of implementing scalable penetration testing as a core component of the modern CISO’s arsenal. Between purple teaming, risk prioritisation and well-defined goals, impactful penetration testing and red teaming are the ultimate source of empowerment for combating adversarial threat actors.
Ed Skoudis, President SANS Technology Institute, is the founder of the SANS Penetration Testing Curriculum and Counter Hack.