Why You Need a Cybersecurity Analyst on Your Pentesting Team

Enterprises and government agencies conduct penetration testing (or pentesting) to simulate various attacks and discover how real cybercriminals could access their infrastructure. While the pentesters search for vulnerabilities and demonstrate possible attack vectors, there is one more project member whose role may be unclear to the customer: a cybersecurity analyst. Cybersecurity analysts provide vital, unbiased expertise on the company's protection as well as insights into every stage of the work; below I explain how they increase the efficiency of the project.

No two IT infrastructures are alike, and the most powerful cybersecurity threats are tailor-made to exploit the specific vulnerabilities of individual organizations. Security assessment projects are conducted to test IT infrastructure and ensure it is secured against such cyberattacks. Pentesting, an adversary attack simulation conducted by cybersecurity experts, can be part of a security assessment project. It is relevant for companies in any field, from financial to industrial, from telecoms to government. However, it is also crucial to have an expert who is able to estimate how effective a pentester's work is. This is where a cybersecurity analyst on the pentesting team comes to the rescue, and their role can be summarized in eight stages.

Stage 1: Assessing a company's digital footprint before the pentester starts their work.

Analysts start their work before pentesters, gathering information about business systems and external resources, including open-source resources. They also check for data leaks available on public web resources that may involve customer and employee personal data as well as domain credentials. This information can be used, for instance, in social engineering attacks. Often, this data is sold on the dark web, and the task of the analyst is to detect these references and warn the customer. All this information is collected to build potential attack vectors, which will then be tested by pentesters.

Stage 2: Highlighting network perimeter security problems while the pentester focuses on infrastructure.

In most organizations, the cybersecurity state of the network perimeter is far from perfect. At the next stage of their work, analysts examine instrumental network scan outputs and highlight key problems.

For example, an analyst detects one hundred active hosts with remote management interfaces (such as SSH, RDP, etc.) reachable from the internet without restriction, but the pentester only needs one of them to break into the company's infrastructure. Analysts will still report that there are one hundred network security flaws. This specialist highlights all problems requiring attention and plays the role of a liaison between the pentester, the project manager and the company.
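To show the difference between "one host is enough" and "every exposed interface is a finding", here is an added example (not from the original article) that walks a constructed scan output in nmap's grepable format and reports every host with an open remote-management port; the hosts, ports and the MGMT_PORTS table are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of nmap "grepable" (-oG) output; not from a real scan.
SCAN_OUTPUT = """\
Host: 203.0.113.10 ()  Ports: 22/open/tcp//ssh///, 443/open/tcp//https///
Host: 203.0.113.11 ()  Ports: 3389/open/tcp//ms-wbt-server///, 80/open/tcp//http///
Host: 203.0.113.12 ()  Ports: 443/open/tcp//https///
Host: 203.0.113.13 ()  Ports: 22/filtered/tcp//ssh///, 5900/open/tcp//vnc///
Host: 203.0.113.14 ()  Ports: 23/open/tcp//telnet///, 22/open/tcp//ssh///
"""

# Remote-management services an analyst flags when reachable from the internet
# (assumed list; extend to match the customer's environment).
MGMT_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC", 5985: "WinRM"}

PORT_RE = re.compile(r"(\d+)/(\w+)/tcp")


def exposed_management(scan_text):
    """Return {host: [service, ...]} for every host with an open management port."""
    findings = defaultdict(list)
    for line in scan_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1]
        for port, state in PORT_RE.findall(ports_field):
            # Only "open" counts; filtered ports are not reachable from outside.
            if state == "open" and int(port) in MGMT_PORTS:
                findings[host].append(MGMT_PORTS[int(port)])
    return dict(findings)


def summarize(findings):
    """One finding per exposed interface: the pentester needs one, the analyst reports all."""
    return {"hosts": len(findings),
            "interfaces": sum(len(v) for v in findings.values())}


if __name__ == "__main__":
    found = exposed_management(SCAN_OUTPUT)
    for host, services in sorted(found.items()):
        print(f"{host}: {', '.join(services)} exposed to the internet")
    print(summarize(found))
```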

Stage 3: Turning the pentester’s report into a comprehensive picture of vulnerabilities and security flaws.

An analyst obtains data from pentesters about all successful attack vectors and puts it into the report. This includes descriptions of vulnerabilities and security flaws, along with proofs and screenshots for each incident. This helps in-house security specialists and top managers answer such questions as, "What are the conditions for exploitation?", "Which component is vulnerable?" and "What are the consequences of an attack: credential theft, sensitive data disclosure, unauthorized access, etc.?"

Stages 4 and 5: Transforming vulnerabilities into threats, creating a visualization.

In the fourth stage, threat modeling, all vulnerabilities are grouped into categories and then transformed into threats. With information about the customer's business systems, an analyst can assess which critical resources a cybercriminal would gain access to in the event of an attack.

Then, at the fifth stage, the analyst visualizes all pentester actions on a diagram so that the customer can clearly see what happened during the attack simulation. In some cases, pentesters can also use the visualization to find additional attack vectors.

Stage 6: Prioritizing which vulnerabilities should be fixed first.

When all vulnerabilities and threats have been identified, analysts move on to the prioritization stage to advise which vulnerabilities must be fixed first. The vulnerabilities with the highest severity level do not necessarily get priority. Analysts assess the overall impact of the attack vector that employs a specific vulnerability, and the damage its execution would cause. Then they check which vulnerabilities are easiest and fastest to fix and which ones require major changes in business processes.
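The prioritization rule above (attack-vector impact first, then fix effort, with raw severity only as a tie-breaker) as an added example, not the author's own scheme; the findings, the resource values and the effort costs are constructed assumptions, and the weighting is one illustrative choice rather than a standard.

```python
from dataclasses import dataclass, field


@dataclass
class Vuln:
    id: str                 # hypothetical finding identifier
    severity: float         # technical severity, a CVSS-like 0-10 score
    reaches: list = field(default_factory=list)  # critical resources the attack vector reaches
    fix_effort: str = "patch"  # "patch", "config" or "process" (business-process change)


# Business value of critical resources, assumed to be agreed with the customer
# during threat modeling (stage 4).
RESOURCE_VALUE = {"domain controller": 10, "payment db": 9, "hr portal": 5, "test server": 1}
# Relative cost of remediation; process changes are the slowest to land.
EFFORT_COST = {"patch": 1, "config": 2, "process": 5}


def attack_impact(v):
    """Damage from the attack vector that uses this vulnerability, not its raw severity."""
    return max((RESOURCE_VALUE.get(r, 0) for r in v.reaches), default=0)


def priority(v):
    """Higher means fix sooner: impact dominates, cheaper fixes rank above costlier ones,
    and severity only breaks remaining ties."""
    return attack_impact(v) * 10 - EFFORT_COST[v.fix_effort] + v.severity / 10


def prioritize(vulns):
    """Fix order recommended by the analyst."""
    return [v.id for v in sorted(vulns, key=priority, reverse=True)]


def by_severity(vulns):
    """Naive ordering by severity alone, for comparison."""
    return [v.id for v in sorted(vulns, key=lambda v: v.severity, reverse=True)]


# Constructed findings, not from a real engagement.
FINDINGS = [
    Vuln("V1", 9.8, ["test server"], "patch"),         # critical CVSS, isolated host
    Vuln("V2", 6.5, ["domain controller"], "config"),  # medium CVSS, leads to the DC
    Vuln("V3", 7.5, ["payment db"], "process"),
    Vuln("V4", 5.3, ["hr portal"], "patch"),
]

if __name__ == "__main__":
    print("by severity only:", by_severity(FINDINGS))
    print("analyst priority: ", prioritize(FINDINGS))
```

V1 has the highest severity yet lands last, because the only resource its attack vector reaches is a test server.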

Figure: Vulnerabilities prioritization scheme

Stages 7 and 8: Recommendations and three reports for SOCs and C-levels

At the penultimate stage of a pentesting project, an analyst makes a list of recommendations sorted by implementation timeframe. They are customized for specific customer systems and business processes and are based on industry best practices and cybersecurity frameworks.

During the final stage, three reports are provided: an executive view, a technical description and a machine-readable report. Security operations centers (SOCs), IT and security specialists use the detailed technical report to learn more about possible attacks, reproduce the pentesters' actions and subsequently eliminate the identified vulnerabilities. Technical specialists also use the machine-readable results to enrich the customer's cybersecurity products. C-level executives use the executive summary report, which includes the key security problems, to estimate the cost of securing the company.

In closing, to better prepare against potential attacks, I recommend organizations:

  • Conduct a security assessment to evaluate the company's cybersecurity risks, strengthen cybersecurity and mitigate future threats. Such an assessment includes penetration testing, red teaming, an application security assessment and an ATM/POS security assessment.
  • Use the latest threat intelligence to remain aware of the current TTPs used by threat actors.
  • Continuously monitor dark web resources to significantly improve coverage of the various sources of potential threats and to track threat actors' plans and trends in their activities.
  • Always keep software updated on all devices to prevent attackers from infiltrating your network by exploiting vulnerabilities. Install patches for new vulnerabilities as soon as possible. Once they are installed, threat actors can no longer exploit those vulnerabilities.

Olga Zinenko

Olga Zinenko is a Senior Security Services Expert at Kaspersky.
