4 ways automated penetration testing tools can help mitigate COVID-19 related risks

New tools map attack surface, test security controls, and behave like cyber-adversaries.


I recently wrote about how COVID-19 was driving rapid and dynamic changes for CISOs and a series of cybersecurity phases CISOs are now pursuing to assess and mitigate COVID-19-based cyber risks.  

In both of those blog posts, I describe the fundamental problem of corporate cybersecurity now extending to home networks filled with insecure IP-connected devices; meanwhile hackers are exploiting societal malaise with online scams, rogue websites, and phishing campaigns preying upon COVID-19 paranoia.  A recent article in the Washington Post described research from Palo Alto Networks identifying more than 2,000 malicious COVID-19 web domains and another 40,000 it classifies as “high risk.”

So, work from home (WFH) initiatives have greatly expanded the attack surface and pivoted traffic away from corporate networks instrumented with tried-and-true security controls.  CISOs are struggling to figure out what’s out there and whether they are vulnerable to a growing barrage of COVID-19 cyber-attacks. 

What can be done?  Just like COVID-19 itself, one way to address this situation is through testing, testing, testing.  Rather than testing for novel coronaviruses and antibodies, however, WFH security vulnerabilities can be assessed through new types of continuous automated penetration and attack testing (CAPAT) tools.

These tools are provided as a SaaS offering so there’s no onsite hardware/software to install and operate.  While CAPAT tools weren’t designed for WFH explicitly, I believe that CISOs may find them to be helpful for addressing current COVID-19 challenges by:

  • Mapping the attack surface. Cybersecurity teams aren’t sure exactly what’s on the extended network right now.  Old insecure PCs? Chatty gaming systems?  Mirai botnet infected video cameras?  Discovering what’s out there is an important step as experienced red teamers often find lots of assets that cybersecurity teams don’t know about but are still responsible for.  Some CAPAT tools address this visibility gap by discovering and mapping the attack surface – a good starting point for risk assessment and mitigation. 
  • Testing security controls. Organizations spend millions of dollars on endpoint security software, firewalls, and a potpourri of security controls sitting between the two.  Do these things work?  This basic question is worth pursuing – according to research from ESG and the Information Systems Security Association (ISSA), 38% of cybersecurity pros say that one of the main implications of the global cybersecurity skills shortage is that their organization cannot fully learn or utilize their security technologies.  Thus, an overworked cybersecurity staff can lead to human error and misconfigured security controls languishing on the network.  CAPAT tools can help CISOs assess whether their defenses work and whether they would know if they failed.
  • Pinpointing cyber risks. Armed with an attack surface map and CAPAT reports, CISOs can identify and address specific weaknesses with the right training, processes and countermeasures.  Yes, they do this already with penetration testing and red teaming exercises, but these tend to be expensive third-party services conducted once or twice per year.  CAPAT tools replace costly service engagement with automation, providing a continual closed-loop cycle for risk assessment and mitigation. 
  • Supplementing existing security programs and technologies. CAPAT tools tend to emulate cyber-adversaries by breaking attacks into kill chains over time. CAPAT automated tactics, techniques, and procedures can then be mapped into the MITRE ATT&CK framework – a popular taxonomy that aligns security programs and tools to an ‘outside-in’ hacker perspective and timeline.  I’ve also seen CAPAT tools used in conjunction with SIEM and security orchestration, automation and response (SOAR) tools to fine-tune correlation rules and incident response runbooks.  Finally, as CAPAT tools expose system configuration issues, these vulnerabilities can be programmed into deception technologies used to fool enemies and capture valuable threat intelligence.
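As an added illustration (not code from this post or from any of the vendors it names), here is a Python sketch of the closed-loop reporting that the “testing security controls,” “pinpointing cyber risks” and ATT&CK-mapping points above describe. Two constructed sets of test-run results, each technique tagged with its MITRE ATT&CK ID and tactic, are classified by whether the control prevented the technique and whether the SIEM alerted on it, rolled up per tactic, and diffed between runs so a team can see whether a tuned rule closed a gap or a change regressed one. The dataclass, the function names and every result value are my own assumptions for the example; only the ATT&CK IDs and tactic names are real.

```python
"""Control-validation scorecard over simulated-attack results (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TechniqueResult:
    technique_id: str    # MITRE ATT&CK technique ID (real IDs, constructed outcomes)
    technique_name: str
    tactic: str          # ATT&CK tactic the technique belongs to
    prevented: bool      # a control blocked the technique in the test
    alerted: bool        # the SIEM raised an alert inside the test window


# Constructed sample: first run against a WFH-style test endpoint.
SAMPLE_RUN_1 = [
    TechniqueResult("T1566", "Phishing", "Initial Access", True, True),
    TechniqueResult("T1059", "Command and Scripting Interpreter", "Execution", False, True),
    TechniqueResult("T1003", "OS Credential Dumping", "Credential Access", False, False),
    TechniqueResult("T1071", "Application Layer Protocol", "Command and Control", False, False),
    TechniqueResult("T1486", "Data Encrypted for Impact", "Impact", True, False),
]

# Constructed sample: second run after a credential-dumping correlation rule
# was tuned (T1003 now alerts) but a scripting rule was accidentally disabled
# (T1059 no longer alerts).
SAMPLE_RUN_2 = [
    TechniqueResult("T1566", "Phishing", "Initial Access", True, True),
    TechniqueResult("T1059", "Command and Scripting Interpreter", "Execution", False, False),
    TechniqueResult("T1003", "OS Credential Dumping", "Credential Access", False, True),
    TechniqueResult("T1071", "Application Layer Protocol", "Command and Control", False, False),
    TechniqueResult("T1486", "Data Encrypted for Impact", "Impact", True, False),
]


def classify(r: TechniqueResult) -> str:
    """Four outcomes; 'blind_spot' means neither prevented nor noticed."""
    if r.prevented and r.alerted:
        return "prevented_and_alerted"
    if r.prevented:
        return "prevented_silently"   # blocked, but nobody would know it was tried
    if r.alerted:
        return "detected_only"        # noticed, but the technique succeeded
    return "blind_spot"


def coverage_by_tactic(results):
    """Per tactic, (fraction prevented, fraction alerted) across its techniques."""
    totals = defaultdict(lambda: [0, 0, 0])  # [techniques, prevented, alerted]
    for r in results:
        t = totals[r.tactic]
        t[0] += 1
        t[1] += int(r.prevented)
        t[2] += int(r.alerted)
    return {tactic: (p / n, a / n) for tactic, (n, p, a) in totals.items()}


def blind_spots(results):
    """Technique IDs that neither a control nor the SIEM caught."""
    return sorted(r.technique_id for r in results if classify(r) == "blind_spot")


def silent_preventions(results):
    """Blocked techniques with no alert: the 'would we know if it failed?' gap."""
    return sorted(r.technique_id for r in results if classify(r) == "prevented_silently")


def diff_runs(previous, current):
    """Closed-loop view: techniques whose outcome changed between two runs."""
    before = {r.technique_id: classify(r) for r in previous}
    after = {r.technique_id: classify(r) for r in current}
    return [(tid, before.get(tid), after.get(tid))
            for tid in sorted(set(before) | set(after))
            if before.get(tid) != after.get(tid)]


def report(previous, current) -> str:
    """Human-readable scorecard for the latest run plus the change since the last."""
    lines = ["Coverage by tactic (prevented, alerted):"]
    for tactic, (prev, alert) in sorted(coverage_by_tactic(current).items()):
        lines.append(f"  {tactic:<22} {prev:4.0%} {alert:4.0%}")
    lines.append(f"Blind spots: {', '.join(blind_spots(current)) or 'none'}")
    lines.append(f"Prevented without alert: {', '.join(silent_preventions(current)) or 'none'}")
    for tid, old, new in diff_runs(previous, current):
        lines.append(f"  {tid}: {old} -> {new}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_RUN_1, SAMPLE_RUN_2))
```

The diff is the part that matters for a continuous program: a single run says where the gaps are, but comparing runs is what tells you whether last week’s rule tuning actually closed one, or whether a configuration change quietly reopened another.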

To be clear, CAPAT tools aren’t a panacea but they can help expose WFH blind spots by increasing attack surface visibility – as the old management principle states, ‘you can’t manage (or in this case, secure) what you can’t measure.’  Additionally, CAPAT tools can help security professionals ‘think like the enemy,’ another fundamental tenet of cybersecurity.  Finally, CAPAT tools have the potential to democratize penetration testing and red teaming.  While most organizations can’t hire and retain experienced staff in these areas, CISOs should be able to find affordable SaaS options.

There are a host of innovative CAPAT vendors out there including AttackIQ, CyCognito, Cymulate, Randori, SafeBreach, Verodin (FireEye), and XM Cyber, among others.  Some focus on attack surface discovery, some test controls, and some automate red teaming.  I believe CAPAT tools will ultimately become a key technology in the SOC arsenal.

Copyright © 2020 IDG Communications, Inc.
