The no. 1 barrier to better security testing
A recent poll by the SANS Institute found that the top barrier cited by security practitioners to improving their security testing is a “Lack of a systematic approach to defining testing (e.g. lack of testing plan).” In fact, this echoes questions we get from security professionals we meet at conferences, as well as organizations getting started with their own automated security testing.
Building a security risk assessment plan
So, how do you establish an effective security risk assessment plan to verify that your security controls are effective? Here are a few guidelines to help you get started:
#1 Choose your approach
Every organization is different. Depending on your vertical, location(s) and threats you have encountered in the past, you likely already know what your top concerns are.
Generally speaking, there are five approaches you can take:
- Leverage the 290+ MITRE ATT&CKTM framework techniques. By methodically testing against all of them, you’ll know that you’ve covered the basics.
- Challenge your defense controls across the kill chain. By testing systematically across the attack kill chain, you can measure and optimize all the security controls deployed in your infrastructure.
- Mimic APT groups that concern you. By simulating specific APT groups’ modus operandi, you can address geopolitical concerns and continually tweak controls to stay prepared.
- Simulate specific types of threats. Challenging your controls with different payloads, and methods of compromise helps you get the answers to your most pressing questions.
- Ensure defensibility against the latest threats. As new malware strains emerge daily, sporting new indicators of compromise (IoCs) it stands to reason to test against them as frequently as possible.
Figure 1: Approaches to establishing a security testing plan
#2 Automate as much as possible
Once you’ve selected your approach or know which one you want to start out with, it’s time to automate as much as possible. For example:
- Create attack simulation templates to test security controls against certain sets of threat techniques.
- Schedule simulations in advance to run hourly, daily, weekly etc.
- Automate reporting to get notified of identified gaps, along with how they can be remediated by the security team. Management can also automatically receive executive-level briefs on the latest assessments.
- Set up automated alerts that notify you each time you’ve deviated from your baseline exposure score.
#3 Consider your team’s skill level
With the shortage in skilled cyber security practitioners well established, it becomes important to enable different individuals on your team to run attack simulations and follow up on their results. The simpler testing is to perform, the more you will test, the more gaps you will identify, and—ultimately the safer your organization will be.
#4 Select the right testing tool(s)
There are a wealth of pen testing and red teaming tools out there, both proprietary and open source, to help you test your infrastructure, including MITRE Caldera, Red Canary Atomic Red Team and the Metasploit Framework, among others. However, they require some technical expertise to use, provide few remediation guidelines and cannot be used to prioritize remediation.
This is where Breach and Attack Simulation (BAS) platforms come into play, taking the complexity out of attack simulations so that anyone on the team can perform tests and address identified gaps with the help of comprehensive mitigation guidelines.
As security teams are already pressed for time, the automation in testing, alerting and reporting offered by BAS platforms ensures you can continually improve your security posture without incurring additional overhead.
The Latest Testing Insights and Strategies – from SANS
Looking to explore the latest insights and strategies for performing security threat assessments, to ensure your security controls are effective? Cymulate has recently partnered with the SANS Institute to bring you the latest statistics and best practices.
In the first white paper, “Are Your Security Controls Yesterday’s News?” SANS sets out the “infosec juxtaposition” on how security testing has been performed to date and suggests what could be improved.
Summarizing the SANS poll on how testing is actually performed, the second paper, “What Security Practitioners Really Do When It Comes to Security Testing?” provides the latest statistical insights, as well as takeaways on what could be done better.
You can also watch the joint SANS-Cymulate webcast here.