Home » Security Bloggers Network » Evolution of Cybersecurity Testing

Evolution of Cybersecurity Testing

by Felipe Ruiz on March 16, 2020

The activity of cybersecurity testing
at present,
according to the information given to us
by Sylvester
and Cuervo,
can prompt us to remember its beginnings.
Among them,
for example,
is the procedure carried out by the U.S. Navy
in the eighties.
On that occasion,
it was a pentesting procedure
intended to reveal how simple it might be to breach
on one of its own bases.
This type of process,
framed in the ethical hacking activity,
has achieved remarkable improvements.
It can be considered a ‘traditional’ security testing
together with the vulnerability assessment process.
This testing continues to be enormously important
in a variety of industries and organizations
within our current society.

Nevertheless,
according to the authors,
something is happening with this traditional procedure.
It seems that
the breaches in companies continue to grow exponentially
and are accumulating.
This happens despite the effort that is being made in their security
with the tools and programs available.
Many of the companies have taken months
or even years
to detect those ‘compromises’ or risks.
The problem seems to stem from handling the same processes.
Those that years ago,
and today are often seen as sufficient in cybersecurity assessment.
It is required then,
as suggested,
an evolution in cybersecurity testing.

Citrix,
for example,
is one of those companies.
Possibly by doing two cybersecurity tests a year
(for 10 years),
with the traditional vulnerability scanning,
they had not realized that
the adversaries were already inside their network.
They had not noticed that
their security had been breached.
Traditional tests are leaving aside the fact
that networks may already have been compromised.

The requested evolution in cybersecurity,
following the reports of the authors,
can take as examples the advances in some methodologies.
Specifically those in the medical and aviation industries.
They have really sought to learn from their mistakes.
Both industries have followed a long process of improvement.
This has been done through detailed research,
with the aim of immediate remediation of any inconvenience.
These industries have tried to be open communities
and to share information between entities,
in addition to establishing standardized processes.
Their testing exercises continually aim for an approach to ‘perfection.’
At least assuming the alteration of some controllable variables.
And hoping that some methods result even more predictable and successful,
always to the benefit of the user.

Therefore,
it is established that
we cannot conclude that
a network is secure only with pentesting and vulnerability scanning.
These processes focus on testing risks
outside the corporate network.
And they are established as preventive techniques
and assessment of defenses.
Accordingly,
they deliver information on potential attacks.
They don’t do it on confirmed attacks.
They may constitute a work with a limited vision,
starting from a ‘false hypothesis,’
taking that the attacker is outside.
It’s not being considered that
the attacker may already be inside.
In the latter,
prevention may no longer be useful.

Cuervo
talks about a typical “misconception
that all attacks occur on servers and databases.”
When in fact most attacks start with emails
addressed to an organization’s employees,
from malicious subjects
(recall our ransomware blog post).
This is intended to affect certain devices initially,
and then “move laterally
until higher value assets are found.”

lumu

Image taken from Sylvester’s
presentation.

These experts then propose as indispensable
the analysis of network metadata
for the location of compromises.
Next,
to compare with traditional tests
and verify if there is additional information.
Afterwards,
the possible contribution of the findings
to the organization’s posture on risk
must be analyzed.
Finally,
a continuous repetition of compromise assessments is suggested.

Such assessments are expected to provide ongoing insights.
All of them about the timing,
locations, and communication procedures of the infrastructure
with adversaries and potential attackers.
We cannot forget that an organization’s metadata generation can be enormous.
But being aware of the DNS queries,
for example,
can be a significant advantage in knowing
whether the organization’s network has already been compromised.
The same goes for firewalls and proxy data.
Being attentive to this type of data,
and analyzing it,
can allow the monitoring of the activity of adversaries
already present within the network.
It is then established as fundamental
to carry out measurements
and then manage the findings.

The development of fairly advanced cybersecurity testing
is of vital importance.
Especially for the sustainability of multiple organizations
in this highly-connected world.
Based on what we have learned from the aforementioned authors:
it is advisable to maintain the position
that within our organization’s network
there may already be adversaries.
From this,
and beyond a traditional vulnerability scanning,
we can move on to analyze network metadata.
We can complement traditional methods
with an evaluation of compromises.
We can work incessantly,
with real-time data,
on proving that our system really is free of all adversaries
and possible attackers.
And if necessary,
we can work on the elimination of those compromises or present risks
and thus improve the security of our systems.
These are recommendations that we should not simply ignore.

“It is not the strongest of the species that survives,
nor the most intelligent that survives.
It is the one that is most adaptable to change.”
(Quote mistakenly attributed to Charles Darwin.)

Any questions about what Fluid Attacks can do for you
as part of the cybersecurity process in your organization?
Contact us.