As companies expand and adopt new software systems, the number of potential vulnerabilities they’re exposed to grows exponentially. A quick glance at the National Vulnerability Database shows a sharp increase in the number of open source vulnerabilities over the last few years and that's just the low-hanging fruit for hackers. Mapping and patching vulnerabilities for a large organization can be a gargantuan task. A security-savvy company will likely have a dedicated team working hard to patch those vulnerabilities, but there’s a good chance they’re struggling to cover everything. The patching process is like triage, with most organizations focusing only on the most critical issues.
Even if you are managing to patch ‘critical’ and ‘high’ severities, you’re likely working off of the Common Vulnerability Scoring System (CVSS) statistical scale. This “one size fits all” score often lacks the context of your network, applications and data assets.
There’s no doubt that the scanning and patching processes are a vital way of reducing your potential attack surface, but even if you perfect these, you can still be hacked.
The Trouble with Vulnerability Management
There are numerous things that vulnerability management tools fail to consider. Namely the human factor, security control configuration policies, password credential strength, and privileged access management. Attacks usually start with an endpoint where the attacker successfully leverages, for example, social engineering, often through targeted phishing. Once in, attackers will study and assess your network and laterally move to exploit what they can and gain access to sensitive data.
In the face of ever more sophisticated attacks, and the increasingly advanced capabilities and file-less exploitation techniques, it’s crucial to approach the issue from the attacker’s perspective. It’s not necessarily the critical vulnerabilities flagged by scanners that are being leveraged during attacks: by patiently examining and building a real understanding of your network resilience, attackers can deploy tactics specifically designed to exploit ‘medium’ or even ‘low’ CVSS severity vulnerabilities.
The possibilities are endless, from simple relay techniques to advanced Group Policy Object (GPO) hijacking schemes. They may employ man-in-the-middle techniques (MitM) to sniff out credentials, or conduct DHCP spoofing attacks, password cracking, end-point exploitation, and post-exploitation, to progress their hack further. With a foothold in your network, attackers can then search for critical data like personal financial information or find ways to gain critical application access.
Attackers are constantly improving and enhancing their skills and they have more and more tools at their disposal. When new techniques are found effective, they are quickly disseminated through the Dark Web and various forums, so there’s no need for cyber-criminals to have in-depth technical knowledge. This is an arms race without a finish line. You must adopt the right mindset and commit to continuous improvement and vigilance to pull ahead.
Automated Penetration Testing to Balance the Scales
Trying to defend yourself without an understanding of the attacker’s perspective is incredibly challenging. The traditional approach to penetration testing gives you a snapshot view of how an attacker may breach your network. All too often it’s an infrequent exercise conducted annually by a third-party or perhaps by an in-house red team.
Relying on people to aggregate all the data and progress an attack in a limited time-frame is asking a lot. Attackers don’t limit themselves to office hours or weekdays. Stepping up to the challenge, machine-based penetration testing eliminates these shortcomings by giving you an around-the-clock, view of your security posture and serving up actionable insights that are contextual to your specific systems.
Making penetration testing an affordable daily exercise allows the defender to be the first to recognize exploitable-vulnerabilities and fix them before bad actors can find and exploit them. Automated penetration testing also provides a superior way to focus and prioritize your vulnerability patching based on where the greatest risk to your business lies de facto.
Outsmarting the Best of the Worst
Maintaining a strong security posture requires you to keep track of a lot of different elements. By focusing just on vulnerability management, you may imagine you’re slamming that front door securely shut, but there’s a risk you’ve left a window open around back. To gain stronger insight into how attackers will approach your network, pen testing is crucial, and automation can give you the continuous 24/7 real-time picture you need.
The beauty is that a stronger contextual understanding of the weak spots and vulnerabilities in your network also helps to strengthen your patching process. Instead of a one-size-fits-all CVSS approach, you can patch based on what represents the biggest risk to your specific business. You can then fix the issues of greatest concern and re-run your test scenarios immediately to validate the effectiveness of your actions to stay one step ahead of the attackers.
**This article was originally posted in infosecurity-magazine.com**