One of the primary goals of cyberdefense programs is identifying, preventing, and mitigating attacks. The best way to do this is with targeted programs, such as penetration and intrusion testing, where attackers’ offensive tactics become your company’s defensive training.
Is your organization prepared to fend off an intrusion? Schedule a consultation to find out!
Get The Most Out of Intrusion Testing
Cybersecurity programs exist, in part, to prevent intrusions. Many costly breaches happen because attackers are able to get into an organization’s networks and compromise protected information. Intrusion testing exists to make these attacks less likely to succeed.
An effective, impactful intrusion prevention program starts and ends with:
- Identifying critical vulnerabilities and threats, including from third-party sources
- Conducting targeted training practices such as incident response tabletop exercises
- Implementing an external penetration testing program to identify potential entry points
- Implementing internal penetration testing to minimize attackers’ mobility post-intrusion
- Accounting for auxiliary post-intrusion requirements, like breach notice and continuity
One of the best ways to ensure you’re getting the most out of all these practices is to work closely with a security program advisor to plan, execute, and follow up on your findings.
Identify Vulnerabilities and Threats
To prevent intrusions, you first need to understand their underlying causes, namely security vulnerabilities and threats. Vulnerabilities are weaknesses, gaps, and oversights in defenses that attackers can seize upon. Common vulnerabilities include, but are not limited to, missing patches and updates, low security awareness among staff, poor network visibility, and weak identity and access management.
Threats are what exploit vulnerabilities, leading to breaches and other cybersecurity incidents.
Threat vectors are the paths by which a threat reaches your systems. Social engineering (phishing, for example) and distributed denial of service (DDoS) traffic are common examples. Not every threat is an attack, however: natural disasters can also damage your systems. For attacks, threat actors are the individuals or groups who carry them out. These are often external to an organization, but insider threats can be just as dangerous.
Understanding vulnerabilities and threats allows for impactful Root Cause Analysis (RCA).
Intrusion detection and vulnerability testing are just two parts of broader threat and vulnerability management, but they are among the most critical. You need to understand both the kinds of weaknesses you are subject to and how they would be exploited in order to identify and prevent attacks.
Consider Third-Party Risks and Vulnerabilities
Many of the most obvious and immediately addressable weaknesses in an organization’s cyberdefenses concern its own infrastructure. But in an increasingly enmeshed landscape, systems belonging to or managed by third parties often come into contact with internal ones.
In this way, the IT assets that vendors, suppliers, and other strategic partners are responsible for are often seen by cybercriminals as an extension of an organization’s attack surface.
As such, organizations need to engage in third-party risk management to identify and address these vulnerabilities and protect both their partners and themselves. Common third-party risk factors include connections to unknown or unsecured networks and devices, lapses in visibility and communication infrastructure, and little to no oversight over third-party staff’s IT training.
Cybersecurity governance from the Chief Information Security Officer (CISO) or virtual CISO (vCISO) needs to ensure uniform control and reporting across all parties, internal and external.
Conduct Tabletop Incident Response Exercises
As noted above, a lack of employee cybersecurity awareness is often a vulnerability. Impactful IT and security awareness training, both during onboarding and afterward, is essential to intrusion prevention. One of the best ways to supercharge your training is to include real-time exercises.
Incident response tabletop exercises are relatively low-stakes but high-impact practices that assess staff awareness while building the judgment and vigilance staff need in a real incident. They are typically repeatable simulations of cybersecurity incidents, such as breaches, that require employees to execute the proper response(s) given their specific roles. Individually or in group settings, staff are tasked with identifying, reporting on, and mitigating harm to the best of their abilities.
For example, a scenario built around a network intrusion might require IT operators to walk through revoking compromised credentials or isolating affected systems to keep attackers away from critical networks. In this way, tabletop exercises complement penetration testing: a pen test probes your technical controls, while a tabletop exercise rehearses the human response to the kind of event a pen test uncovers.
Implement External Penetration Testing
The gold standard in intrusion testing is the practice of penetration testing, also known as “ethical hacking.” Pen testing is the practice of simulating real-time, full-scale attacks on an organization to determine whether its defenses would be able to stop the cybercriminals.
All penetration tests turn defense into offense, allowing organizations to study specific tactics and behaviors attackers are likely to employ. In external pen testing, the attackers in question are generally outside of and unknown to the organization, which is true of much real-world cybercrime. But, critically, external penetration testing is also focused on the ways in which these attackers would initially enter systems rather than what they would do after entering.
These kinds of tests often end when testers successfully breach the perimeter and establish a foothold within a network. At that point, analysts study the specific ways in which the testers did it and suggest methods for preventing actual attackers from enjoying the same kind of success.
Sample External Penetration Test Scenario
External penetration tests vary depending on the host organization’s infrastructure, the kinds of data present, and the specific threats most prevalent for comparable organizations. However, they all follow a similar process of reconnaissance, analysis, simulation, and reporting.
Consider the following sequence of events, typical of external penetration tests:
- Internal teams establish scope and boundaries with simulated attackers (testers).
- (Optional) Internal teams may opt for more open communication before and during the attack for greater visibility at the expense of realistic (telling) results.
- Testers (covertly) gather information about vulnerabilities and plan the attack.
- Testers initiate attacks, attempting tactics until one or more vectors succeed.
- Testers report on findings and work with internal teams to remediate weaknesses.
External penetration tests can be thought of as all-purpose intrusion tests. Many of the most damaging cyberattacks come from unknown or unsuspected sources. That’s why, even in cases where the initial negotiation is relatively vague or unspecified, results can be extremely helpful.
Critically, the final stages of additional testing and analysis can be indefinite in length. Once analysts have determined the critical points of entry or flaws in a system, further RCA can be conducted to remediate the issue, and the same weak points can be re-tested ad infinitum.
Implement Internal Penetration Testing
Intrusions are not the only threat cyberdefenses need to be trained against. Once inside your systems, attackers may spring into action right away, or they may lie dormant for an indefinite amount of time before compromising your assets further. Internal penetration testing focuses on these cases, assessing your ability to detect and stop attackers’ movements within your systems after a breach has already occurred. It is an essential complement to external tests.
These tests are designed to emulate attacks originating from within, whether from a genuine insider or from an external attacker who has already gained a foothold. In real-world insider attacks, the culprit is often a disgruntled current or former employee. To simulate this, internal pen testers typically begin with foreknowledge of your systems or even preliminary access to them. Your defenders’ goal is to detect the testers as quickly as possible and prevent them from reaching central targets where they could disrupt operations or compromise protected information.
Ultimately, internal penetration tests are not a form of intrusion testing proper. However, they are a complement to external tests—and are often combined with them in hybrid tests (see below).
Sample Internal Penetration Test Scenario
Internal penetration tests involve a higher degree of customization and pre-design to optimize the specific kinds of insights they create. Internal teams begin from a particular understanding of the kind of internal threat actor they hope to address, rather than the all-purpose functionality of an external test. As such, the more specific information they can provide upfront, the better.
The following flow is typical for an internal penetration testing exercise:
- Testers and internal teams negotiate starting positions, targets, and overall focal points.
- Testers covertly launch attack patterns, moving from starting positions to central control.
- Testers attempt to compromise as much data as possible and as quickly as possible.
- (Optional) Testers may attempt intricate strategies, like concealing movement even after achieving objectives or leaving open pathways for repeat attacks.
- Once they are detected, or once they have reached their objectives, testers recap their actions and work with internal teams on remediation.
As with external testing, the final stages of escalation, analysis, and mitigation may be open-ended. In repeated tests, results are compared against later rounds to mark progress.
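To make the detection side of an internal test concrete, here is an added example (not from the original article and not RSI Security’s own code): a small Python detector run over constructed authentication log lines. It flags an account that logs on to many distinct hosts over the network within a short window, which is the pattern a tester produces when moving from a starting position toward central targets. The log format, the host and account names, the logon-type codes, and the thresholds are all assumptions chosen for illustration.

```python
"""Flag lateral movement in authentication logs.

Added example, not from the original article. The log format below is a
constructed "time user src dst logon_type" form; the host names, accounts,
and thresholds are illustrative assumptions, not values from any product.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records. Logon type 3 is treated as a network logon
# and type 2 as an interactive (console) logon, by analogy with Windows.
SAMPLE_LOG = """\
2024-03-01T09:00:05 alice WS-ALICE FS-01 3
2024-03-01T09:02:11 alice WS-ALICE MAIL-01 3
2024-03-01T09:15:40 bob WS-BOB WS-BOB 2
2024-03-01T13:10:02 svc-backup WS-ALICE FS-01 3
2024-03-01T13:10:09 svc-backup WS-ALICE FS-02 3
2024-03-01T13:10:15 svc-backup WS-ALICE DB-01 3
2024-03-01T13:10:21 svc-backup WS-ALICE DC-01 3
2024-03-01T13:10:30 svc-backup WS-ALICE DC-02 3
2024-03-01T13:12:00 svc-backup WS-ALICE FS-01 3
2024-03-01T15:00:00 alice WS-ALICE FS-02 3
"""

HOST_THRESHOLD = 4           # distinct destination hosts that trigger an alert
WINDOW = timedelta(minutes=5)  # sliding window the hosts must fall within


def parse_log(text):
    """Parse the constructed format into event dicts, sorted by time.

    Blank or malformed lines are skipped rather than raising, since real
    log feeds routinely contain partial records.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, src, dst, logon_type = parts
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "src": src,
            "dst": dst,
            "logon_type": int(logon_type),
        })
    events.sort(key=lambda e: e["time"])
    return events


def detect_lateral_movement(events, threshold=HOST_THRESHOLD, window=WINDOW):
    """Return alerts as (user, src, window_start, sorted distinct hosts).

    Only network logons count. For each (user, src) pair a sliding window of
    recent logons is kept; an alert fires the first time the window holds
    `threshold` distinct destinations, and at most once per pair so a noisy
    account does not flood the analyst.
    """
    recent = defaultdict(deque)  # (user, src) -> deque of (time, dst)
    alerted = set()
    alerts = []
    for e in events:
        if e["logon_type"] != 3:
            continue
        key = (e["user"], e["src"])
        q = recent[key]
        q.append((e["time"], e["dst"]))
        # Drop entries that fell out of the window.
        while q and e["time"] - q[0][0] > window:
            q.popleft()
        hosts = {dst for _, dst in q}
        if len(hosts) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((e["user"], e["src"], q[0][0], sorted(hosts)))
    return alerts


if __name__ == "__main__":
    for user, src, start, hosts in detect_lateral_movement(parse_log(SAMPLE_LOG)):
        print(f"ALERT {start.isoformat()} {user}@{src} -> {', '.join(hosts)}")
```

On the constructed input, alice’s ordinary file-server and mail logons stay quiet, bob’s interactive logon is ignored, and the svc-backup account is flagged the moment it reaches its fourth distinct host in 19 seconds. A natural next rule, given the same data, is to alert on any service account authenticating from a workstation at all, since that combination is itself a sign that credentials have been lifted from an endpoint.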
Effective incident management means more than just preventing attacks. Even the most well-protected systems will be tested eventually. True cybersecurity is the ability to weather attacks, preventing cybercriminals from gaining complete access and minimizing harm.
Additional Consideration: Hybrid Testing
While external and internal are the two main poles within the pen testing spectrum, many tests incorporate elements of both. In hybrid penetration tests, simulated attacks typically begin externally. Then, if testers succeed at breaching systems, they continue on internally.
These tests provide the most holistic view of your overall cybersecurity deployment. Rather than testing for one specific kind of attacker, they determine whether you’re equipped to handle an attack from initial entry through post-breach movement.
When an organization wants to test intrusion detection systems and mitigation capabilities, a hybrid test is often the best way to go about it. These robust assessments provide insight into both how easy it is for attackers to penetrate into your systems and what they can do once inside. The best pen-testing partners will work with your organization to address all issues uncovered while minimizing overlap and maximizing protection and cyberdefense ROI.
Account for Auxiliary Intrusion Needs
Penetration testing and tabletop exercises are ways to test, in real-time, how ready an organization is for an attack. However, while these methods optimize incident response as events emerge, they often do not concern longer-term requirements of incident management.
Organizations also need to account for business continuity during and after an attack, along with longer-term availability of resources and platforms. When an incident occurs, organizations may need to shut down all staff- and client-facing interfaces immediately. If that happens, they should have contingency plans in place to minimize downtime in service provision. Alternative offerings and functionalities should be maintained, and customer service needs to be ready to handle the surge of inquiries and provide any required notice, if applicable (see below).
Additionally, organizations should maintain multiple secure backups of all critical information in case primary data stores are deleted or otherwise rendered permanently inaccessible. At least one copy should be kept offline or otherwise isolated from production networks, so that an attacker who encrypts or wipes the primary stores cannot reach it as well.
Consider Breach Notification Requirements
Another area to consider is whether a successful intrusion requires reporting per applicable regulations. For organizations that process sensitive data classes, such as personal and health information, there may be mandated forms of notification and remediation that need to happen.
For example, consider the aftermath of a breach at a SaaS organization that services clients in the healthcare industry. Even though the organization is not itself a healthcare provider (a covered entity under the Health Insurance Portability and Accountability Act, or HIPAA), it is likely a business associate of one, and HIPAA’s Breach Notification Rule applies to business associates as well. Under that rule, a business associate must notify the covered entity it serves, and the covered entity must notify the affected individuals and the Department of Health and Human Services (HHS), plus prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction.
Intrusion testing should account for both the immediate effects of an attack and the longer-term and indirect consequences thereof. Effective prevention means ensuring seamless compliance.
Optimize Your Intrusion Prevention Today
Cybercriminals seeking to steal IP, grind operations to a halt, or seize sensitive information for ransom all need to find a way into organizational systems before they can do that. And, once inside, they need to navigate to central control positions undetected. Intrusion prevention techniques like tabletop exercises and penetration testing are the best ways to stop them.
RSI Security has helped countless organizations prepare for, prevent, and mitigate intrusions with robust and flexible management solutions. We believe that discipline now unlocks greater freedom in the future; we’ll help you rethink your intrusion prevention to promote secure growth.
To learn more about our penetration and intrusion testing suites, contact RSI Security today!