Posted on Oct 31, 2024
Pentesting, Threat Hunting, and SOC: An Overview - Black Hills Information Security
Posted 21 d ago
Responses: 1
I challenge this assertion in the blog (or maybe I just don't like the way it is worded):
"The question: How can we predict ways the bad guys will attack our systems, and how can we try to stop them? The answer: Penetration testing"
The intent of a pentest is to exploit vulnerabilities, not to predict them. To predict them you should use cyber intelligence, focused on the organization in question and a determination of the TTPs likely to be used against them. Pentesting can be used in two scenarios once these TTPs are determined.
1. A full scope assessment of the environment in question using the reported TTPs with the blue team standing by to observe the attacks, validate controls, and monitor which of the infrastructure/servers/endpoints are not hardened against the attacks (or wait for the report).
2. A red team assessment conducted at a time and date unknown to the organization. These are meant to prove a point, that the attacker can get in, exploit the crown jewels (i.e. confirm access required to modify or exfil). These are not meant to be full scope across the entire network/enterprise, only enough to drive the point.
There are other reasons for a pentest of course (like testing IoT for example), but again, this is not an exercise in prediction, but proof of concept. Cyber intelligence provides a means of prioritization to an organization. To be more specific, today's zero day might be a pretty critical one in the grand scheme, but based on the intelligence out there, what threat actors (TA) are capable of doing it? Does the org even have the systems vulnerable to it? Are the vulnerable systems even exposed in a way the TA can get to them? Does exposing the vulnerable system expose the org's mission/business operation and/or provide a path to other systems that have that exposure?
Just my two cents worth from a cyber guy.
Maj Kevin "Mac" McLaughlin
SGT James Murphy I've actually never heard of them. Not saying they aren't a great cybersecurity provider or even a well known one, I've just personally never heard of them. I spent most of my time in DOD before Mandiant picked me up though. Our competitors are typically the likes of Deloitte, Crowdstrike, Unit42, etc.
SGT James Murphy
Maj Kevin "Mac" McLaughlin - I kind of was invited back in on the Civilian side of it. A friend of mine, actually; I went to High School with him. Showed up at my door one day and invited me to go shoot with him at the police range. He's a Fed.
Maj Kevin "Mac" McLaughlin
SGT James Murphy I was a civil service Cyber Defense manager as well. I got tired of the unit level politics and the inability to trust people who had been doing cyber for ~17 years in the Air Force prior to joining civil service to help stand up two new squadrons. Too much CYA and toxic leadership drove me away. But now I work for the best cybersecurity company in the world so... bright side.