The Importance of Cybersecurity Testing in the Face of Increasingly Volatile Threat Landscape
The Need for Adversary-centric Approach
In today’s world, it is critical for organizations to understand who their adversaries are and how they operate against their enterprise environments. Organizations’ approach to cybersecurity testing and resilience improvements in the face of an increasingly volatile threat landscape must be underpinned around this perspective. The core elements of a well-designed cybersecurity testing program should help the organization identify and remediate vulnerabilities, continuously challenge detection and response capability, refine threat intelligence gathering priorities, and enhance overall incident preparedness through continuous stress-testing of response plans.
The Benefits of Cybersecurity Testing
The Cost of a Data Breach 2022 report from IBM shows the average breach cost savings for organizations that regularly test incident response plans is $2.66 million (circa £2 million). Though there is no one-size-fits-all solution, Here are five key considerations that organizations can focus on while developing an overarching strategy to build and maintain a cybersecurity testing program.
Five Key Considerations for a Strong Cybersecurity Testing Program
Collaborate Across Teams
Collaboration is where the organization’s strength lies, so security teams should focus on building out internal relationships with different groups. Security teams should define a clear process to effectively allow representatives from the security operations center (SOC), risk / compliance, vulnerability management (VM), cyber threat intelligence (CTI), and security testing functions to drive collaboration. Creating a governance framework that defines clear responsibilities and promotes transparent communications between these teams to share findings quickly will allow for better decision-making, faster incident response, and a well-rounded appreciation of the organization’s cyber capabilities.
Follow an Intelligence-Led and Risk-Based Approach to Scope Definition
Organizations should continuously curate threat intelligence to build and maintain a comprehensive and up-to-date library of baseline attack scenarios. First, determine which threat actor groups are likely motivated to target the organization. Overlaying this with established baseline scenarios will help define a comprehensive list of tactics, techniques, and procedures (TTPs). A more risk-based approach is to carve out a plausible subset of TTP sequences and creatively mix-and-match infrastructure and software details, without being bound to an extensive checklist. This creates targeted sub-scenarios for the attack simulation team to initially focus on.
Perform Continuous Stress-Testing of Cyber Defense Controls
Organizations should leverage the scenarios and prioritized list of TTPs defined to constantly exercise the organization’s technical and business response. The scenarios should increase in complexity as the incident response program matures. Where the security team failed before, these scenarios must be repeated so the organization can improve process in the event of a real attack. Carefully selecting TTPs that are harder for the SOC to defend against encourages these teams to constantly sharpen their technique, as well as push the organization to update response strategies.
Set Metrics for Shared Understanding and Improvement Tracking
Success criteria need to be defined and tracked to demonstrate overall risk reduction to organizational assets. Metrics such as reduced detection and/or response times, a decrease in successful attacks, and so on are useful to effectively articulate improvements to the board. It is useful to compare results of previous and subsequent penetration tests, red team exercises, and/or targeted attack simulations, focusing on the number of high-risk vulnerabilities identified and exploited, as well as the overall success rate for the testers.
Establish Feedback Channels to Drive Process Improvements
Organizations should get test observations against executed TTPs along with actionable mitigations identified along the attack chain. Sharing these results in real time to the CTI team allows them to monitor for potential threats that may exploit vulnerabilities and improve the theoretical understanding of documented threats. A centralized dashboard to aggregate test outputs in real time from the field, which can provide the relevant SOC team stakeholders with gaps identified in security monitoring tools and alerting systems, is extremely useful.
The End Goal
According to the WEF Global Cybersecurity Outlook 2023, 43% of business leaders believe that their organization is likely to be hit by a major attack within the next two years. An all-encompassing change to cybersecurity testing, through increased collaboration and improved risk management processes, enhances resilience to cyberattacks. Therefore, it is crucial for organizations to take security testing seriously and prioritize measures that improve their security posture.
Editorial and Recommendations
Organizations are facing a constantly evolving threat landscape. A proactive cybersecurity testing program is essential to maintain an organization’s security posture and detect potential vulnerabilities before they can be exploited. The key takeaway from the above five considerations is that organizations must take a risk-based approach to cybersecurity testing that integrates intelligence-led practices with continuous stress-testing. While standard penetration testing is a vital component of a cybersecurity testing program, it is essential to move beyond traditional testing methods that focus solely on security vulnerabilities and practice real-world scenarios that simulate a cyberattack.
Moreover, organizations must embrace a culture of collaboration throughout their cybersecurity testing program. It is essential to break down internal silos between security, risk, and compliance teams to enhance communication and share findings quickly. Organizations must also look beyond compliance and regulatory requirements and prioritize continuous testing to protect against emerging risks and threats.
Finally, organizations must establish feedback channels and set metrics to track improvements continuously. Measuring and analyzing the organizations’ performance in real-time allows stakeholders to act quickly to respond to vulnerabilities effectively and improve incident response plans continually. Ultimately, a well-designed and executed cybersecurity testing program is a crucial element in maintaining the security and resilience of organizational assets.
<< photo by Ron Lach >>
