Penetration testing, adversary simulation, red teaming, purple teaming, rainbow teaming, call if what you like, the security outcome we are working towards is:
- Improved Security Posture
- Assurance of security investments and controls
- Enablement of information sharing
- Collaboration and Understanding
- Identification of strengths and weaknesses
- Optimization and Improvement Opportunities
This is to support the organisations mission, vision, goals, and objectives. Cyber security is to support and enable the organisation’s capability to execute digital services in a safe manner.
How do we do this?
- Communication
- Learning
- Education
- Offensive and Defensive Security Practises
- Technology Engineering
- Knowledge Sharing
- Intelligence based activity
- Threat knowledge sharing
Full Spectrums Security Testing
Scenario Based Testing
These include assume breach and fast forward options to enable efficient testing from multiple positions and perspectives. Focus should be on:
- Identification of Targets
- Target Exploitation
- Detection & Alerting
- Response Actions can also be assessed however this should be considered with regard to constraints.
Scenarios
- External unauthenticated Threat Actor
- External vpn auth/vpn compromise
- External Standard compromised (Mailbox)
- External Standard User Identity, Mailbox and VPN Access
- External VIP Compromised
- Leadership team member
- HR Team member
- Finance Team member
- External IT Team Compromised
- Internal Rogue Device
- Internal Malicious USB Devices
- HID
- Removable Media
- Internal Compromised managed device
- PC Device
- Smart Phone
- IoT Device
- Internal Server Compromised
Specific Targeted Testing
- Wireless Network
- Firewall
- IPS/IDS
- External Web Application Testing
- External API Test
- Active Directory
Security Assurance
A penetration test is NOT security assurance, a single exercise is not assurance. Assurance is also not just about practical capabilities and testing. Security assurance should be a holistic set of activities covering:
- Policy, Processes and Procedures
- People, Skills, and Capabilities
- Supply Chain Security
- Risk management
- Security Operations
- Security Monitoring
- Personnel Security
- Incident Response
- Vulnerability Management
- Patch Management
- Backup and Recovery
- Continual Improvement
- Security Testing
Security testing plays a part in demonstrating assurance, it’s also (if deployed sensibly) a really good tool for improving knowledge, understanding, communications and helping surface risks and enabling targeted remediation, detection, and response.