Are you wondering whether you should do frequent penetration testing or whether it is better to invest in an Attack Path Management solution?
In our latest Expert Talk, Volker Röthel, CEO of it.sec, a member of Swiss IT Security Group, and Tobias Träbing, Technical Director EMEA of XM Cyber discuss the pros and cons of both disciplines and whether one should be preferred over the other.
Tobias Träbing: “Volker, does penetration testing react to recent changes in the threat landscape? If so, what were the trends in 2022?”
Volker Röthel: “That’s actually not only true for recent changes. Penetration testers need to keep themselves permanently up to date, with new attack techniques, public vulnerabilities and research being published all the time. And of course, our experts do just that – they invest a lot of time keeping up with current developments in the field of hacking. One thing that supports them in that is the broad expertise of our group, the Swiss IT Security. Especially one of our members, namely AV-Test with one of the world’s largest malware databases, gathers and provides huge amounts of information on cyber attacks every day. This guarantees that our penetration testers will always be the decisive step ahead.
One current trend is that more and more companies use cloud providers, like Microsoft M365/Azure, and have a so-called “hybrid” setup for their infrastructure. That makes it a challenge for those companies to assess possible risks, especially where individual configurations are in place and local fileservers are combined with different cloud providers. Such constellations increase the attack surface considerably.”
Full Penetration Testing-Video:
By pressing the play button, a YouTube video is loaded and you consent to the transmission of data to Google. Google's privacy policy applies: https://policies.google.com/privacy
Volker Röthel: “Tobi, you are probably facing similar topics. How do attack path management solutions address the fact that the threat landscape is changing rapidly? How are new attack techniques added to the picture?”
Tobias Träbing: “We have a massive team behind our product, making sure that new attack techniques are constantly added to the product. While that team is working 24×7, we can stay on top of things as new security issues arise and deploy them seamlessly for all of our customers through SaaS delivery with no operational impact whatsoever. That way, all new attack techniques, including the latest and most significant vulnerabilities you see on the news, are covered with great detail, providing operational excellence to our customers.”
Tobias Träbing: “Volker, what was the most unusual job your team was faced with?”
Volker Röthel: “One of our most spectacular projects was to physically break into a customer’s premises, which was quite an adventure. It involved obtaining equipment we don’t usually need, like rope ladders and masks, and overcoming physical barriers like security doors as well as technological access control like smartcard readers or fingerprint scanners. The ultimate goal was to reach a server and physically access it. This is particularly important for companies dealing with data where continuous availability is crucial.”
Volker Röthel:“Tobi, I often see the amazing findings our penetration testers come back with and how these help our customers improve their security posture. Where do you see the main difference to what attack path management might uncover? Are there findings that a penetration tester might miss?”
Tobias Träbing: “When we speak about penetration tests in general, we usually refer to them as a one-time activity in a specific environment (e.g., pen-test engagement in a staging environment). Comparing this with an attack path management approach, the benefits and added value of running continuous attack path analysis become obvious:
- Attack path management provides complete coverage of the entire environment in production 24×7 while not causing any downtimes to production.
- This gives continuous visibility into all security-relevant aspects, reflecting all environmental changes and risky user activity.
- Even the slightest hint (e.g., a credential hash) cached on just one machine can put an environment at risk – attack path management can cover that.”
Tobias Träbing:“Volker, having said that, what are findings that penetration testers will uncover that attack path management might miss?”
Volker Röthel: “Penetration testers are good at thinking outside the box and finding relations. There is a strong focus on creative exploration and personal experience. They will therefore uncover connections a machine will not find because the connection is unprecedented. A related topic is the “human factor”. Attack path management does not focus on human mistakes or careless user behavior to such an extend as a penetration tester can and will e. g. not include social engineering attacks like phishing. Furthermore, performing penetration tests of applications, like web or mobile applications, is not the focus of attack path management and at least more sophisticated vulnerabilities will not be detected.
Finally, in penetration tests, attacks are actually simulated on the productive systems in a “controlled way”, whereas the attack path management platform does not perform simulations on the systems themselves. Therefore, in penetration tests the visibility of conducted attacks can be tracked inside monitoring/SIEM solutions as well.”
Tobias Träbing: “Volker, in a typical customer scenario, what happens after the penetration tests? What do enterprises do to mitigate risks?”
Volker Röthel: “After a penetration test, the customer receives a detailed results report including recommendations on how to solve or mitigate each finding. The recommendations vary depending on the finding – sometimes it’s just a small change in a configuration, sometimes developers need to adapt code and sometimes a fix affects the whole infrastructure such that e. g. new hardware is required to solve the problem.
For each finding, we provide a technical vulnerability score using the CVSS standard. Customers then need to rate and prioritize the findings for themselves in the context of their company. If no technical solution is feasible, managers might decide to accept the risk of a vulnerability.
The penetration testing team can also present the results and is happy to answer questions concerning the report. If more in-depth help is required, the SITS provides several suitable services.
In a way, the approach to mitigating or accepting risks is very similar to what is done in attack path management. That is why the two disciplines are such a good match.”
Volker Röthel: “Tobi, is timing a crucial factor when it comes to identifying attack paths and analyzing threat exposure? If so, how does the continuity of attack path management analysis contribute to uncovering threats that might remain undetected by one-time penetration tests?”
Tobias Träbing: “Timing is critical in understanding attack paths and exposures within companies. Companies and responsible stakeholders often use “ad-hoc” processes or timely inefficient ways to assess the infrastructure (e.g. vulnerability scanning, penetration tests etc.). These analyses provide a snapshot of a given timeframe or even environment – this will not help companies overcome the ever-changing landscape of their environment. We now see more and more Cloud/IaaS providers being used, enabling businesses to run operations even faster than before – yet this dynamic is increasing the risk of overlooking exposures and security issues.
As the attack path management analysis runs continuously 24×7, the platform can tell organizations at any given point in time
- what their exposures are
- how changes within the environment are affecting these exposures
APM Services therefore help to
- quickly and easily understand the impact of new security issues (e.g. Log4j)
- measure and quantify the cyber risk to communicate that to other stakeholders easily
- what can be done to overcome the exposures in the most efficient way”
Volker Röthel: “Tobi, obviously there is no point in doing daily or weekly penetration tests because of the “noise” they create. They are purposefully conducted in productive environments and therefore require a lot of preparation and have possible side effects. Now I understand XM Cyber takes a different approach in that respect. What are benefits of safe and continuous attack path analysis that does not use active exploits?”
Tobias Träbing: “Running safe and continuous attack path analysis without active exploits or any malicious code has several crucial benefits:
- First, it will not create any noise/false alarms in your security organization, like a SOC. Usually, they are busy already – why would you like to overwhelm them with more alerts from tests?
- In addition, you cannot run active exploits in production environments – that is not feasible as you risk downtimes or service degradations on your critical business services.
- Yet you need to understand if those entities being part of the critical business services are secured, and you would need to know that continuously; hence, the safe and continuous attack path analysis is critical to precisely understanding that.”
Volker Röthel: “Tobi, why is 1 +1 actually more than 2 when combining pen testing with attack path management?”
Tobias Träbing: “You get the best of both worlds when combining attack path management with penetration testing. On the one hand, you get full coverage of the environment, with all attack paths towards your critical assets continuously. On the other hand, through that, you are freeing very valuable resources (i.e., penetration testing team) from tasks that can be easily automated.
And then have the penetration testing teams look into the areas requiring their in-depth knowledge and expertise.
And since you’ve come up with an equation in your question, I will add a few numbers myself. Organizations typically have 11,000 security exposures attackers could exploit, but only 2% of these exposures lie on choke points leading to critical assets. Attack path management can single out precisely these 2%, and after remediation, penetration tests can confirm the doors are firmly closed.”
Tobias Träbing: “Volker, how do penetration testing, attack path management and related services integrate with a comprehensive security architecture?”
Volker Röthel: “Penetration tests are an effective means to thoroughly evaluate the security level of a component. In particular, in case of applications, penetration tests can already be conducted during the development so that potential vulnerabilities can be detected at an early stage and design decisions can be adjusted.
Continuous attack path analysis, on the other hand, excels in performing automated work which is tedious and error-prone to perform manually. Among others, this includes finding software installed in vulnerable versions, checking configurations. Since the platform runs permanently, it also provides a permanent overview of possible changes in the network.
When combining the continuous use of attack path management with recurring penetration tests, you get the best of both worlds. Now integrate these two into your overall security architecture, connect to SOC/SOAR and continuously improve your security posture.
Our Attack Path Management Services will take even more load off your shoulders by managing continuous attack path analysis for you.”
Tobi Träbing: “Now, Volker, what’s the bottom line? What do you tell your clients?”
Volker Röthel: “Here are the most interesting takeaways from my perspective:
- Combining penetration testing and attack path management maximizes the reduction of a company’s threat exposure and should be part of an overall security strategy
- Penetration testing is particularly strong at thinking “outside the box”, finding unexpected exposures and is ideal for in-depth analysis of certain areas
- Whereas Attack Path Management Services provide continuous control and sustainable improvement of complete security posture
- To me, the sheer numbers are quite impressive – 11,000 security exposures in an average environment, but only 2% on choke points leading to critical assets. This alone is sufficient to show the value of attack path analysis combined with penetration testing in the right spots
- My bottom line is that the two disciplines actually complement each other perfectly”
Has this talk caught your interest? Feel free to contact Maik and Tobi with your questions and take a look at our data sheets for more information about our Attack Path Management Services.
