Testing for better protection: what synergy exists between pentesters and CISOs?

To effectively protect an organization's IT system, you need to know its strengths and weaknesses. This is the role of risk analysis and security audits, the results of which provide valuable information for the CISO.

July 30, 2024

This raises several questions: How can we know if security measures will be sufficient in the event of a cyberattack? Has the CISO considered all the entry points that could be used by cybercriminals?

Rather than waiting for an incident to provide the answer, there is another option: working with pentesters. Also known as ethical hackers, these experts simulate attacks and identify vulnerabilities in the IT system—before malicious actors can exploit them.

What is a pentester?

Like the CISO, the pentester is a cybersecurity expert. However, they have a different role: while the CISO's role is to protect, the pentester's role is to attack! They simulate attacks against an organization's IT systems to identify vulnerabilities before cybercriminals can exploit them.

Their work helps strengthen the organization's cybersecurity posture by uncovering vulnerabilities and proposing corrective measures. At the same time, it helps assess the effectiveness of existing security measures and improve defenses against potential threats.

To summarize, the main objectives of a pentester are as follows:

  • identify vulnerabilities in systems and applications;
  • assess the effectiveness of existing security measures;
  • test responses to security incidents;
  • propose recommendations to correct the flaws discovered;
  • ensure compliance with security regulations and standards.

To carry out these tests, pentesters rely on a variety of tools and techniques. Among the most commonly used are:

  • port scanners;
  • vulnerability scanners;
  • network packet analysis tools;
  • software used to crack passwords.

How is a penetration test conducted?

While the format of a pentest may vary, a penetration test usually consists of six stages. For each of these stages, the CISO will be able to assess the effectiveness of the cybersecurity products implemented within the company in real time.

Will the XDR platform correlate and detect port scanning and brute force authentication attempts? Will the email filtering solution uncover phishing attempts? Will the EDR agent identify suspicious behavior or persistent access on a machine?

These are all questions that can be answered by these different steps.
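As an added illustration (not code from the original article), here is the kind of correlation logic a CISO would expect the XDR platform to apply to the first two questions above: a sliding-window rule that flags repeated authentication failures from one source, and one source probing many distinct ports. The log format, source addresses, thresholds and the 60-second window are all constructed assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real system): "<ISO timestamp> <event> key=value ...".
SAMPLE_LOG = """\
2024-07-30T10:00:01 auth_fail src=203.0.113.5 user=alice
2024-07-30T10:00:03 auth_fail src=203.0.113.5 user=alice
2024-07-30T10:00:04 auth_fail src=203.0.113.5 user=bob
2024-07-30T10:00:06 auth_fail src=203.0.113.5 user=carol
2024-07-30T10:00:08 auth_fail src=203.0.113.5 user=dave
2024-07-30T10:00:09 auth_fail src=198.51.100.7 user=alice
2024-07-30T10:00:10 conn src=192.0.2.9 dport=22
2024-07-30T10:00:11 conn src=192.0.2.9 dport=80
2024-07-30T10:00:11 conn src=192.0.2.9 dport=443
2024-07-30T10:00:12 conn src=192.0.2.9 dport=3389
2024-07-30T10:00:12 conn src=192.0.2.9 dport=8080
"""

def parse_line(line):
    """Turn one log line into (timestamp, event name, dict of key=value fields)."""
    ts, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return datetime.fromisoformat(ts), event, fields

def detect(log_text, window_s=60, fail_threshold=5, port_threshold=5):
    """Flag a source with >= fail_threshold auth failures, or >= port_threshold distinct ports, within window_s."""
    window = timedelta(seconds=window_s)
    fails = defaultdict(deque)   # src -> timestamps of auth failures inside the window
    ports = defaultdict(deque)   # src -> (timestamp, dport) of connections inside the window
    alerts = []
    for line in log_text.splitlines():
        ts, event, f = parse_line(line)
        src = f["src"]
        if event == "auth_fail":
            q = fails[src]
            q.append(ts)
            while ts - q[0] > window:        # expire entries older than the window
                q.popleft()
            if len(q) == fail_threshold:     # fire once, when the threshold is crossed
                alerts.append(("brute_force", src, ts.isoformat()))
        elif event == "conn":
            q = ports[src]
            q.append((ts, f["dport"]))
            while ts - q[0][0] > window:
                q.popleft()
            if len({p for _, p in q}) == port_threshold:   # count distinct ports, not hits
                alerts.append(("port_scan", src, ts.isoformat()))
    return alerts
```

A single failure from 198.51.100.7 stays below the threshold, which is the noise a correlation rule must tolerate without alerting.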

#1 Planning and reconnaissance

The first stage of a pentest is called "recon," or the reconnaissance phase. This stage involves planning and gathering information about the targeted company, its business, its employees, and its information system.

During this stage, the expert attempts to identify potential entry points for future exploitation. This includes:

  • the collection of IP addresses and domain names;
  • port scanning;
  • the list of publicly exposed protocols.

#2 Analysis

Based on the information found during the previous step, the auditor will search for potential vulnerabilities, such as CVEs or company employee access details that have been leaked on the dark web.

#3 Obtaining access

The pentester can then launch the attack! After identifying vulnerabilities, they attempt to exploit them to gain unauthorized access to the operating system. The techniques used are (very) diverse:

  • password reuse;
  • brute force authentication;
  • social engineering and phishing;
  • the exploitation of software vulnerabilities...

#4 Maintaining access

Once access has been gained, the auditor maintains this access for an extended period. This allows for more in-depth exploration of the company's infrastructure through lateral movement, thereby discovering other potential vulnerabilities.

In some cases, this step also allows the auditor to deploy a harmless payload on the machine in order to simulate a ransomware attack. The CISO can then assess the effectiveness of the detection and response products installed on the infected machine. This is an opportunity to take the analysis even further!

#5 Analysis of results and report writing

The pentester then writes a report in which they analyze the results obtained during the previous phases. This analysis provides insight into:

  • the vulnerabilities discovered;
  • the operating methods used;
  • the potential impact of these flaws on the organization.

The report also contains specific recommendations for addressing these vulnerabilities.

#6 Report submission and recommendations

Based on these recommendations, the CISO develops an action plan to correct the identified vulnerabilities. Here are a few examples of actions among many others:

  • software updates;
  • implementation of corrective measures;
  • configuration changes;
  • improvement of security policies and risk management practices.

The format of pentests can vary according to three categories, known as White Box, Grey Box, and Black Box.

White, Grey, and Black Box Audits: Three Options for the CISO

By defining the scope to be assessed in advance, the CISO can organize the pentest in three formats.

What is a White Box pentest?

A "White Box" pentest is a penetration test in which all technical information is shared with the expert. This information includes IP addresses, network diagrams, as well as an inventory of machines and configuration information for security equipment.

What is the advantage of white box pentesting? It is less time-consuming. The auditor does not need to search for information and can therefore start testing more quickly.

What is a Grey Box pentest?

A "Grey Box" pentest is a type of penetration test in which the pentester only has access to some of the information needed to proceed. The Grey Box penetration test simulates the scenario of an attacker who already has initial access, as if they were an employee and knew part of the company, how it operates, and its premises.

The Grey Box penetration test therefore requires the expert to launch a reconnaissance phase to understand their environment and deduce the initial offensive actions.

For the CISO, the Grey Box pentest format provides insight into the methodologies and operating modes that attackers may use to gain deeper access to the information system from within the company.

What is a Black Box pentest?

A "Black Box" pentest is an intrusion test that begins from outside the company. Since the auditor has no initial access to the company and no prior information, they must plan and carry out reconnaissance on their target.

Employee organizational chart, company activities, attack surface reconnaissance... Black Box penetration testing allows the CISO to understand their company's exposure on the Internet.

Pentester and CISO: how to collaborate?

As you can see, collaboration between auditors and CISOs is essential. By regularly conducting penetration tests, CISOs can validate or invalidate their cybersecurity strategy within the company.

That is why several intrusion testing solutions are now available on the market.

  • The first is the most obvious: collaborate with a cybersecurity consulting firm specializing in penetration testing. The CISO can then select the actors with whom he or she will collaborate.
  • The second is to launch a bug bounty campaign on platforms such as YesWeHack or HackerOne, offering rewards to auditors based on the severity of the vulnerability. The downside of this method? The CISO cannot vet all participants, although some campaigns can be restricted to invited researchers only.
  • The final solution involves using an automated intrusion testing platform such as the one offered by Pentera, which has the advantage of testing intrusion scenarios throughout the year.

The synergy between pentesters and CISOs undoubtedly contributes to more secure risk management and better protection of sensitive company data.

And to take cybersecurity management and attack surface management (even) further, discover the Tenacy platform!
