By Simon Saunders, Managing Consultant, Portcullis Computer Security
With the June launch of the CBEST scheme, the term ‘intelligence-led testing’ entered the consciousness of the information security community. As a relatively new concept for many people, it is worth taking the time to understand what it is, where it works well and, conversely, the situations where it is unlikely to yield much value.
The more professional attackers (state-sponsored groups, criminal gangs and the like) thrive on exploiting organisations’ blind spots. They will exploit weaknesses that are underestimated or ineffectively controlled. Most (but not all) of these weaknesses will be unknown to the organisation under attack, simply because if these issues were known about, they would have been better controlled ahead of the incident.
One option is to wait for an incident to happen, understand what occurred, address the underlying issue and take steps to prevent similar occurrences. This works well for many smaller incidents, but what happens when the original incident is a big one with serious business consequences? Isn’t all retrospective action a little too late?
This is where intelligence-led testing can help. Intelligence-led testing is a family of consultative services designed to identify real-world weaknesses in an organisation’s information security posture. By identifying new issues, or revisiting and reclassifying known issues, it is possible for an organisation to intervene and to provide an uplift to security before an incident actually occurs.
In its most basic form, the traditional annual penetration test is one such technique. It will pick up where systems have been poorly managed and are at risk of compromise. However, just testing the obvious channels is hardly the most sophisticated option. A better option is to engage a consultancy to work with you to identify what may have been missed. Such a consultancy brings with it experience of a wide range of clients and their respective challenges, and will not be afraid to ask those questions that often go unasked. This type of risk analysis, often conducted as a workshop, is almost certain to identify areas that are poorly managed or overlooked.
Some organisations want more proof, which is where red-teaming becomes an option. The term ‘red-teaming’ is lifted from military parlance, whereby a blue team would defend a position against a red team who would launch an attack. In this context it is an exercise and both sides are friendly, but the blue team in particular get to better understand their strengths and weaknesses ahead of a real battle. The military carried this terminology over into the computing world and from this we get the modern meaning of red-teaming, whereby a trusted partner launches attacks and reports back on progress. The value this adds is that the proof of a successful attack is irrefutable and there is often scope to exploit technical and human controls across the estate. Where these attacks prove successful, the defensive provisions can be increased.
Full intelligence-led testing, executed under CBEST or otherwise, builds on both of the above approaches to deliver a very sophisticated solution. Real-time intelligence is used to identify current threats to an organisation, both in terms of what data is at risk and how it is likely to be compromised. This intelligence is current, accurate and detailed. A penetration testing company will be engaged to realistically replicate these specific threats and the end-client will truly get to understand whether its existing security measures are capable of safely handling the current threats to its business.
Whether these types of approaches are right for an organisation depends very much on its risk profile and maturity with respect to information security management. If an organisation is just starting its information security journey, then work of this nature is likely to be too sophisticated and a poor use of resources. In such an organisation, the weaknesses will be obvious and, rather than finding more, it might be better to address those that stand out currently. For organisations with a more established and robust approach to information security management, these advanced techniques come to the fore. Such organisations are likely to benefit from better understanding their security posture and bringing new weaknesses into risk management. The order in which these services are described above (risk analysis workshop, red teaming and full intelligence-led testing) represents a progression from less to more sophisticated, and consequently from less to more expensive. Which option is right for a company will depend on how it views itself; those that consider themselves to be at greater risk and/or to have better security than the norm will require a more sophisticated project.
This type of testing isn’t for all organisations. However, it can deliver real value to those that want to get ahead of the attacker and to stop potential incidents before they have even occurred.