There is more than one way to perform security validation, with various degrees of efficacy both in
the short and long term.
All security validation is based on the same underlying logic: simulate attacks on the target
infrastructure to evaluate its ability to detect and deflect
• Unwanted intrusions
• Attempted infiltration (Spyware)
• Attempted unauthorized encryption (Ransomware)
• Attempted Data exfiltration (Data theft)
• Attempted interference with operability (Hostile takeover, service disruption)
• Any unwanted and potentially hostile unauthorized interaction with the infrastructure
Malicious offensive tools performing these tasks are widely available on the Darknet but, aside from the moral considerations, using those tools to test your organization’s security posture is risky. These tools originate from criminal minds and might contain stealth backdoors or executable malware not included in the product description.
The Current Options to Perform Security Validation are:
Pen Testing
The original security validation technique, pen testing, was initially performed by skilled white hat hackers
working on their own or with an intimate team. Though these might be great as a source of inspiration for
Hollywood blockbusters, unfortunately, the rapid evolution of the offensive hacker toolset is dwarfing the
ability of even the most gifted pen tester to provide extensive testing of all known threats, test every single
endpoint, evaluate employees' phishing awareness level and cover the entire infrastructure.
Moreover, a pen test full report typically takes a few weeks to be produced. By the time the report is ready,
the threat landscape has moved forward, making the report is obsolete.
Red Teaming
A red team is a fancy term to describe an enhanced penetration testing team. Red teams can be
outsourced or in-house and will attempt to expose vulnerabilities in the overall security infrastructure.
Their responsibilities range and include testing the on-premises and cloud environments to the endpoints
and testing people's susceptibility to social engineering tactics, as well as location-based weaknesses,
such as the ability to wander unnoticed in an office, which could lead to data or endpoint thefts.
Red teams' security validation tests are typically wider-reaching than pen testing but suffer from similar flaws.
The report generation is time-consuming in a time of rapid obsolescence.
Furthermore, red teams, though sometimes using advanced offensive tools to simulate attacks, still work
manually and perform pinpoint tests that give a security posture estimate valid at a specific time, but not
updated in real-time. As running a red team exercise is time, effort, and resource-intensive, it can only
be run limited times per year, leaving large swathes of time with out-of-date security validation data.
Continuous Automated Red Teaming (CART)
Typically available as a SaaS, continuous automated red teaming solutions cover the entire pen testing and red teaming techniques but leverage advanced technology to automate the process. A comprehensive CART solution will include three modules:
• An Attack Surface Management (ASM) module – an advanced and automated version of the recon typically performed manually by pen testers, the ASM module will scour the Internet and Darknet for exposed digital assets that might enable malicious actors to find an entry point into the environment.
• A Phishing Awareness Module – Regardless of the progress of technology, people remain a prime target for phishing and socially engineered illicit access. Sending simulated phishing emails of various quality increases the employees’ level of awareness. Loading these phishing emails with production-safe malware provides metrics to measure the depth of penetration achieved by these tests and provides actionable information about the breadth of feasible lateral movement from email intrusion.
• A Lateral Movement Module – whether the entry point is a phishing email or another vulnerability, the lateral movement module tries to leverage the initial foothold to spread across the system, propagate within the network, hop from one point to another, and try to perform its mission, whatever that may be. The lateral movement module identifies vulnerabilities that facilitate the attacker’s deeper and/or wider invasion of the targeted system.
The weaknesses and vulnerabilities uncovered by these three modules are then automatically compiled into a report that lists the identified vulnerabilities, using an attack-based vulnerability management tool to prioritize the patching schedule and provide remediation and mitigation recommendations to facilitate the patching process.
As the entire system is automated, it can be run as often as needed, avoiding the obsolescence issues of the pen testing and manual red teaming and at a lower cost.
Extended Security Posture Management (XSPM)
The three methods above provide invaluable information about attackers’ ability to use known offensive methods. At a time when the offensive tooling available to hackers of all skill levels is growing exponentially, a comprehensive security validation process should also include an overall and custom-made security validation process.
Extended security posture management is an approach that encompasses both the CART process and the security control aspects with three main modules
• Continuous Automated Red Teaming (CART) – as explained above.
• Breach and Attack Simulation (BAS) – an operationalization of the MITRE ATT&CK Framework that enables running all the listed scenarios to identify the weaknesses in the security controls.
• Advanced Purple Team Framework – a framework enabling the easy customization of a large array of scenario templates. The purple team framework expands the BAS original gamut.
The XSPM approach also includes the automated generation of technical and executive reports and, as a bonus, can be used to rationalize and optimize the defensive tools set.
Though still accepted by many compliance regulations, pen testing and red teaming are both manual processes increasingly ill-suited to face the offensive expanding landscape, as they are based on static images of a security posture at a defined point in time. CART and XSPM both rely on an automated process and offer the double advantage of being repeatable at any time while requiring fewer resources.
As continuous security validation is likely to become a compliance requirement, considering migrating the security validation process from a manual to an automated one is highly recommended.
As the offensive capacities continue to evolve, so will the field of security validation, and this space will be updated when new security validation technologies emerge.