What's Continuous Penetration Testing?

The goal is to keep your organization secure by devoting monthly effort to testing new techniques and identifying unknown risks. Continuous penetration testing is triggered when change is identified in your network or when the threat landscape changes.

Latest techniques are tested on a monthly basis while testing styles (overt, purple team, red team) adapt as your organization's security posture matures.

A better testing methodology + a different mindset = more actionable value

The testing methodology eliminates surprises while guiding your organization to improved security posture.

Key Differences

In order to properly focus testing efforts, the following actions are performed:

  • Reoccurring asset discovery - Automated OSINT to identify new attack surface or new threat models.
  • Change detection - if your asset has changed, a pentester reviews the change to see if it warrants human-driven security testing. Example: marketing department added a new WordPress plugin, this would trigger human-driven security testing
  • Testing like assets/tasks at once - Testing all email servers across all clients at once reduces repeated tasks. This makes the service affordable and allows for testing to focus on the unique and custom aspects of your environment.

This graphic provides a good visual difference:

What it's not

A consulting firm dedicating X number of hours for Y intervals a year. It's not automated scanners generating rebranded vulnerability reports.

Micro Case Study

This is a real example from one of our clients. Name changed obviously ;-)

Client Acme Corp has had service for 7 months when we discovered a new set of credentials from a Twitter dump leading us to a breach of their network.

Sprocket Security performed the following actions:

  1. Obtained a copy of the Twitter password dump.
  2. Identified a new password associated to an employee's email address.
  3. Tested the new credentials against all known single factor authentication points.
  4. Discovered password reuse between the employee's Twitter account and corporate domain account.
  5. Successfully logged into VPN as an employee and gained internal access.
  6. Finding created within portal and Acme Corp security contacts notified

In this example Acme Corp already knew about some single factor authentication on the VPN and was working towards remediating it. However, Sprocket Security was able identify a credential stuffing attack before it was used maliciously against Acme Corp.

12 Benefits of Continuous Penetration Testing

1. Accurate representation of the real world

Removing artificial time constraints allows for a larger variety of attacks to be performed.

2. Keeps up with fast paced techniques

Abuse of builtin tools to execute code are released every day (AKA living off the land). You're team is swamped with tasks that require deep working knowledge of your environment. Free them up by having pentesters that perform these attacks daily help determine if you're vulnerable to these new techniques.

3. Prevents unexpected breaches

Waiting until next year's pentest to uncover new vulnerabilities is a flawed approach.

Reduce gaps and missed vulnerabilities that usually surface when it's too late. Continuous testing reduces exposure times.

4. Fulfills multi-test compliance/requirements

PCI is the most common. Requirements such as testing on major changes and multiple tests per year are achieved with continuous testing.

At any point you can generate a report or an attestation for auditors, directors, board members, etc.

5. Cost effective to IT operations

Since vulnerabilities are discovered closer to their inception, the mitigation work can be planned. A steadier and smaller amount of work, helps you budget time towards security improvements.

Reducing the time spent on unplanned work means your IT operations will run more efficient and cheaper.

6. Addresses challenges with devops and shadow IT

Frequent change is happening due to the cloud and devops movements. Security impact of these changes are identified and reported.

7. Augments and extends your staff's knowledge

Your IT staff can access pentesters for advice and knowledge transfer. Pentesters will have a deep understanding of your environment through their continuous testing.

Closer relationships with your security testers will also bring more valuable insight into mitigation palnning and solutions.

8. Forces better communication

Mitigation techniques that are difficult and time consuming to implement often require more communication. Consultants assist with mitigation strategies and all progress is tracked through an interactive web portal.

Testing status and activities are logged for real-time and historical views. Visibility into all testing actions are always available.

9. Unlimited retesting

Because you're not expected to get it right on the first pass. Once you fix a vulnerability, toggle its status in the portal and that automatically assigns the retest work.

10. Your report never goes out of date

Priorities shift whether it's related to business, technology, or threats. Your test results are interactive and their priorities can be adjusted.

11. Maturity Model

Testing adapts as your company matures it's security posture. Start with basic external testing and work towards full scope red team tests.

12. Better ROI

It's hard to showcase ROI with pentesting, but continuous gives you the best insight. Continuous testing provides unique metrics in the following categories: average time to remediate, cost-benefit analysis vs traditional pentesting, IT staff improvements, maturity of defenses, trends, historical data, and many more.

Conclusion

I've witnessed improvements from many organizations adopting this methodology of testing. If you're serious about securing your company, move to a continuous testing model. There is no reason to wait until your next allotted budget.

Times have changed, and you cannot afford to take security seriously once a year, or even twice a year. If you are not able to move quickly, you can be sure you'll be impacted by a breach.

Finding vulnerabilities and remediating them needs to be part of your IT security competency.

Remember, it's not do you pentest, it's how you pentest.

Contact Sprocket Security if you'd like to discuss what continuous penetration testing looks like for your company.

- @caseycammilleri