Beyond vulnerability scanning: Enhancing attack surface management for more proactive security

March 4, 2022

Pen Testing Is Not Enough

By: Keegan Henckel-Miller


As the public health threat from COVID-19 recedes, the cybercrime pandemic is soaring. Last year, the average organization experienced 50% more cyber attacks each week than they did in 2020. And if recent headlines are anything to go by, this year may be worse still. In this environment, testing and validating security programs has never been a more critical part of proactive cybersecurity. Unsurprisingly, almost three-quarters of organizations with over 3,000 employees now perform pen tests to assess their security posture and a similar number carry out pen tests as a way of preventing breaches. 

However, even though the vast majority of large organizations are performing pen tests or contracting third parties to do so on their behalf, few are testing their cybersecurity systems regularly enough. According to Core Security’s 2021 pen test report, most organizations that conduct pen tests do so less than once a quarter, and as many as 39% run pen tests only once or twice a year.

Unfortunately, pen testing a couple of times a year doesn’t cut it in today’s threat environment. The truth is that infrequent pen testing can leave real gaps in a company’s security posture, giving organizations little more than a false sense of security. More than half of hacked businesses admit they were not aware they were vulnerable before they were breached. Even so, many organizations are reluctant to conduct pen tests more regularly — often for good reasons like the drain that pen testing can place on scarce resources such as staff time and operational budgets, as well as pen tests’ constrained testing scope. But what if there was another way?

Testing Has Never Been More Vital

Although digitization has been one of the key trends of the last 24 months, the average organizational attack surface has always been dynamic and ever-changing. Even before the COVID-19 pandemic, rapid technological advances, like the rise of IoT devices, evolving network infrastructures, increasing variety of interfaces, and complex proprietary software stacks, meant that security teams were already struggling to cover more ground than ever. In 2017, for example, 77% of companies admitted that IoT projects have resulted in serious security gaps, with 82% of organizations at the time finding it difficult to identify all of their network-connected devices. 

Since then, IT suites have only gotten more complex, often drastically so. Many employees today are working some or all of the time from their own networks while their employers have expanded software supply chains and migrated business-critical workloads to the cloud. As a result, new areas of exposure have been created, and more than 7 in 10 security decision-makers now find themselves dealing with an increasing volume of security threats. The threats facing them are also becoming more evasive, with many now capable of avoiding security controls and leaping from low-value endpoints to business-critical servers. In Q4 2021, for instance, 82% of ransomware attacks exhibited lateral movement.

In response, and faced with a shortage of skilled security staff, organizations are spending more on cybersecurity. Unfortunately, extra investment still too often translates into overly complex security stacks, even though research has shown that the more cybersecurity tools an organization has, the less effective its defensive capabilities actually are. Meanwhile, even in organizations with “well funded” security teams, straightforward vulnerabilities in areas like access management are still going unaddressed. For example, more than half of organizations continue to use shared logins despite the fact that 61% of breaches last year were linked to hackers using weak or compromised credentials. 

By helping organizations cut through security noise and see where vulnerabilities really are, pen testing has never had a clearer role in enterprise cybersecurity. Nevertheless, while more enterprises are beginning to place greater emphasis on security tests, pen testing inefficiencies mean that many organizations tend to minimize rather than maximize testing opportunities. Almost three-quarters of security professionals say they would test their systems more often if the traditional approach to pen testing was more efficient and did not require extensive management. 

Point In Time Isn’t Enough

Even for large organizations with unlimited budgets, there is often a significant lag between pen tests and results. Consequently, attack surfaces are expanding faster than anyone can reliably test them.

In a recent survey of IT professionals, 71% of respondents reported that it takes them between one week and one month to conduct a pen test. About one in four then have to wait between one and two weeks to get results, with 13% waiting more than two weeks. The same survey also found that while the average enterprise might have over 10,000 connected assets, pen tests rarely cover more than 1,000 and often involve less than 100. What’s more, whereas pen testing can detect known assets without great difficulty, new and unknown assets often slip through the cracks. Unsurprisingly, 6 in 10 organizations are worried that pen tests leave them wide open to attacks.

A typical pen test report, which is likely to feature the disclaimer “These results represent a moment in time and may not be indicative of the current state of the environment,” highlights the issues these deficiencies create. Pen tests give security teams only part of the picture when it comes to finding vulnerabilities and attack vectors. For a business whose security posture changes multiple times a day, knowing how strong or weak their defenses were last week does not make them any more secure today.

Continuous Automated Red Teaming 

Instead of a snapshot of vulnerabilities last week or last month, what organizations need is a continuous image of where attack vectors are appearing in real-time. As we have already outlined, penetration testing can never provide this real-time vulnerability view. But Continuous Automated Red Teaming, or CART for short, can. Automated, continuous, persistent, and using authentic techniques that cybercriminals are known to be using in the wild, CART helps organizations prepare and fight back without taking security professionals away from their jobs.

Because Randori Attack, an industry leader in CART solutions, uses black box reconnaissance, it can mimic a hacker’s path in finding an organization’s attack surface through just a corporate email address. Monitoring this surface constantly, Randori lets security teams know when anything important happens while at the same time attempting to access critical systems pre-approved by the organization to ensure minimal disruption. Critically, attacks are launched persistently using new techniques, continuously testing an organization’s detection and response and providing remediation advice based on risk. 
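To make the contrast between a point-in-time test and continuous monitoring concrete, here is an added example that is not Randori's code and does not describe how Randori Attack works internally. It models an external attack surface as successive snapshots (host to set of exposed services), emits change events between two snapshots, and reconciles the current snapshot against the scope and date of the last pen test to show the two gaps the article describes: exposures the test never covered, and findings that have gone stale. All hostnames, services, dates and the `HIGH_RISK_SERVICES` set are constructed assumptions for illustration.

```python
from datetime import date, timedelta

# Assumed for this example: services a defender would triage first if they
# appear on the perimeter without having been tested.
HIGH_RISK_SERVICES = {"rdp", "smb", "telnet", "ssh"}


def diff_snapshots(previous, current):
    """Return change events between two attack-surface snapshots.

    Each snapshot maps hostname -> set of exposed service names.
    Events are tuples: (kind, host, detail).
    """
    events = []
    for host in sorted(set(current) - set(previous)):
        events.append(("new_host", host, sorted(current[host])))
    for host in sorted(set(previous) - set(current)):
        events.append(("removed_host", host, sorted(previous[host])))
    for host in sorted(set(previous) & set(current)):
        for svc in sorted(current[host] - previous[host]):
            events.append(("new_exposure", host, svc))
        for svc in sorted(previous[host] - current[host]):
            events.append(("closed_exposure", host, svc))
    return events


def untested_exposures(current, tested_scope):
    """Exposures present now that the last pen test did not cover.

    tested_scope maps hostname -> set of services that were in scope.
    """
    gaps = []
    for host, services in sorted(current.items()):
        for svc in sorted(services - tested_scope.get(host, set())):
            gaps.append((host, svc))
    return gaps


def prioritize(gaps):
    """High-risk untested exposures first, then the rest, each group sorted."""
    high = [g for g in gaps if g[1] in HIGH_RISK_SERVICES]
    low = [g for g in gaps if g[1] not in HIGH_RISK_SERVICES]
    return high + low


def results_stale(test_date, today, max_age_days=90):
    """True once the last test is older than the acceptable window."""
    return (today - test_date) > timedelta(days=max_age_days)


# Constructed sample data: what the last test saw, and what is exposed today.
LAST_TEST_DATE = date(2021, 11, 15)
LAST_TEST_SCOPE = {
    "www.example.com": {"https"},
    "vpn.example.com": {"ipsec"},
}
SNAPSHOT_AT_TEST = {
    "www.example.com": {"https"},
    "vpn.example.com": {"ipsec"},
}
SNAPSHOT_TODAY = {
    "www.example.com": {"https", "ssh"},      # ssh appeared after the test
    "vpn.example.com": {"ipsec"},
    "api.example.com": {"https"},             # new host, never in scope
    "staging.example.com": {"https", "rdp"},  # new host exposing rdp
}


def report(previous=SNAPSHOT_AT_TEST, current=SNAPSHOT_TODAY,
           scope=LAST_TEST_SCOPE, test_date=LAST_TEST_DATE,
           today=date(2022, 3, 4)):
    """Summarize what changed and what the last test left uncovered."""
    return {
        "changes": diff_snapshots(previous, current),
        "untested": prioritize(untested_exposures(current, scope)),
        "stale": results_stale(test_date, today),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run as a script it prints the change events, the untested exposures with the high-risk ones first, and whether the last test has aged out of the 90-day window. In practice the snapshots would come from whatever inventory or external scanning feed the organization trusts; the point of the example is that coverage and freshness are properties a team can measure and alert on rather than infer from a report's disclaimer.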

