In this three-part blog series, the security operations experts at Arctic Wolf will walk you through everything you need to know about penetration testing (“pen tests”) and the security benefits they can provide your business.
For our first blog post (this one!) we explain why you need a pen test. To kick it off, let’s answer an even more fundamental question…
What Is a Pen Test?
A penetration test is an authorized and simulated cyberattack performed on an IT system (or systems) to evaluate existing security controls. In a pen test, an organization’s IT team—the defenders—authorize an expert group of ethical “attackers” to attempt to compromise the organization’s security and, for example:
- Access or escalate accounts or permissions through unauthorized means
- Install simulated malicious code
- Modify system configurations
- Demonstrate the ability to exfiltrate data or disrupt business operations
- Or perform any other type of attack that malicious actors might undertake.
This means that a pen test goes much further than a vulnerability assessment, a related exercise. In a vulnerability assessment, security experts evaluate an organization’s IT systems for known vulnerabilities, which might include insecure policies, unpatched software vulnerabilities, misconfigurations, and more.
A vulnerability assessment is a valuable tool for IT, identifying areas of concern for remediation, but it’s entirely theoretical. A vulnerability assessment does not include an actual attempt to exploit these vulnerabilities, and does not consider the security context. A pen test closes the loop and not only verifies that vulnerabilities exist, but also demonstrates how they can be exploited by a real attacker—and if such an attack could be blocked, detected, and responded to appropriately.
A pen test is also differentiated from a tabletop security exercise. In a tabletop exercise, stakeholders—sometimes from within IT and sometimes from across an organization—review and role-play the organization’s response to a hypothetical attack scenario. Tabletop exercises are extremely valuable in setting shared understandings and expectations, especially across functional roles, but they deal with a hypothetical scenario. That means that tabletop exercises do not demonstrate an attacker’s actual capabilities and do not impact actual business operations. A pen test can accomplish both.
Another term you may have heard is red team exercise, which is closely related to penetration testing. Here’s the distinction: a pen test broadly tests security infrastructure and its configuration, while a red team exercise tests how well the blue team uses the fully implemented and configured security stack.
At the end of the day, don’t sweat that distinction too much. Any serious pen tester—high-end pen testers call themselves “operators,” “security researchers,” or “offensive security operators”—will help clients understand the penetration techniques in scope, and offer both targeted and broad penetration methodologies aligned with the needs of the security operations team. If you work with a pen test provider that can’t offer advanced, targeted penetration testing, then you may need to look for another provider with greater expertise and experience. (Our upcoming article in the series will address this.)
Typically, a pen test will be a surprise to the security team. This limits the ability of the security team to actively participate and improve their tuning of technologies and processes at the last minute. A well-designed red team exercise will often have the security team, or blue team, participate. This is often called a purple team exercise.
Now that we understand what a pen test is and isn’t, we’ll move on to the crux of this post:
Why Your Organization Needs a Pen Test
Earlier, we described a pen test as “an authorized and simulated cyberattack performed on an IT system (or systems).”
That sounds horrifying! We all face enough threats every day without going out and hiring attackers of our own. Pen tests are high-effort exercises that may (depending on scoping) even impact actual business operations. Why have a pen test at all?
Well, because a pen test provides vital security benefits we simply can’t get any other way.
Four key interlocking pen test benefits
1. A pen test is the most accurate method of fully verifying an organization’s security posture.
We can think of security validation exercises as falling into three levels: “tell me,” “show me,” and “prove it.”
Interview-based vulnerability assessments focus on “tell me”—the security team’s understanding of their own capabilities and processes. Tabletop exercises reach the level of “show me”—an actual demonstration of the capabilities in play. But in order to “prove it,” a pen test (or red or purple team exercise) is required.
No matter how cutting-edge or best-in-breed our security tools, no matter how expert our security operations team, no matter how resilient our security architecture, no matter how rarely actual security incidents occur—we can’t know how good our cybersecurity defense is until we bring in experienced attackers to test it. We simply don’t know. And when it comes to an area of business risk as serious as cybersecurity, ignorance is unacceptable. Only a pen test can provide the security testing and verification the organization requires.
2. Planning a pen test transforms our understanding of our cybersecurity.
As IT professionals and security operations experts, we look at the world through the eyes of a defender. That’s a powerful lens to view cybersecurity, but it’s only half the picture. Planning a pen test, both internally and in a scoping exercise with our pen testers, gives us the attacker perspective to increase understanding of our security and its potential weaknesses, informing all our security efforts to come.
3. Pen test results discover areas of real exposure.
Every system has countless points of vulnerability. It’s unavoidable: for a system to be effective for users, it must be exposed to attackers. That makes it very difficult for defenders to prioritize protection—there’s always another vulnerability, and every layer of defense imposes costs in money, time, and usability. Because a pen test demonstrates how an attacker could actually compromise a business’s system, it can set a realistic and effective defense agenda.
4. Pen test outcomes can validate security and strategy to stakeholders.
The value of cybersecurity can be hard to demonstrate to non-practitioners. After all, when security works effectively… nothing happens. That makes it a challenge to allocate proper resources and attention to ongoing security needs. But a pen test breaks this logjam.
A pen test “success”—when the defenders hold off the attackers—demonstrates the value of existing security attention and investment. And a pen test “failure”—where testers prove they can compromise key systems—clearly shows the dangerous outcomes the business faces. And because a pen test relies on actual attacks, the results—whatever they may be—can be demonstrated and explained to senior stakeholders regardless of their cybersecurity expertise.
For those four reasons, and more, a pen test can be a vital and even revolutionary security investment. And, after reading this, maybe you’re now ready to start a pen test tomorrow!
But not so fast.
Once you decide that a pen test would be a valuable exercise for your organization, be sure to have a look at the next blog in this series: Planning Your Pen Test. And if you’d like to learn more about how Arctic Wolf security operations helps defenders like you protect your organization, read our Security Operations Annual Report.