Catch the recent “Politics, Power, and Preventative Action” podcast interview with RTJ founder Mark Mateski.

A Red Teamer’s Take on Pentesting

pentestingPentesting can be an enormously valuable service, but we must be aware enough when hiring or employing a pentester to balance both the advantages and disadvantages of the practice. Yes, it can reveal holes in our security, but it can also promote an illusion of security. Further, while it can help validate our current security efforts, it can, if handled poorly, itself become a potential source of misperception and even vulnerability. Before opening our systems and operations to pentesters, we should consider the following caveats, cautions, and questions:

  1. Pentesting should be approached and handled with a sense of proportion. If I’m, say, head of the Ecuadorian army in 1939, I’m probably (and rightfully) unconcerned about the German army crossing my border in force. If I’m the head of the French army, I should be thinking very seriously about the possibility. Similarly, if I’m a small company manufacturing incidental household goods, I’m most likely not the target of major nation-state. If I spend the whole of my security budget (and more) on high-end pentesting, I’ve probably missed the mark. How, when, and to what degree I should pentest my systems and operations should be informed by my situation. Pentesting can illuminate my risk calculations, but it should also be illuminated by them.
  2. A sense of cautious awareness should also frame my approach to pentesting. I should be circumspect about giving pentesters access to both knowledge and systems. What do they need to know in order to do their job effectively? Are they asking for more than that? What do I need to guard when working with them? What do I need to know about them? Not every pentester is a saint, although I have no doubt that most of them work with admirable integrity.
  3. This awareness should extend to what I learn. Following a pentesting engagement, I’ll most likely walk away more confident in my downstream security, perhaps even overconfident. I might even walk away believing that my pentesters have uncovered every vulnerability. (If they’re good, they’ll let me know that’s unlikely.) In fact, I should be wary of anyone who promises to sweep away all uncertainty—pentester, red teamer, or security manager. I should also be aware, within a reasonable frame of proportionality, that if my likely adversaries are sophisticated, they might already have a good sense of what my pentesters will find.
  4. I need to ask up-front “what’s in and what’s out?” In other words, what does (and can) the pentesting engagement address, and what does it not (and cannot) address? To what degree, for example, does it address the human side of security? All of this is relevant when it comes time to assess my risks. If the pentesting addresses some sources of risk but not others, but I conflate that with all of my potential sources risk, I’ve likely skewed my risk perspective.
  5. I should also consider the role of threat intelligence. Running pentesting activities without a complementary threat intelligence capability can further skew my perspective. For instance, how does the pentesters’ skill- and tool-set compare to those of my likely adversaries? For that matter, who are my likely adversaries? Ideally, threat intelligence and pentesting work hand-in-hand. Not only can threat intelligence help frame my pentesting engagement, it can help me interpret and contextualize the pentesters’ findings and recommendations. All of this folds into a risk-aware security mindset.
  6. Pentesting can become part of a rolling “find it/fix it” mentality, a largely reactionary strategy. To the degree that pentesting reinforces or constrains my mindset, I might want to rethink my strategy at a higher level, using pentesting as appropriate but not allowing it to drive my overall security strategy.
  7. And, as always, I should do my homework and ask the right questions. What exactly do I want from my pentesters? What exactly can they do for me? What do I know about them? What do they want from me? While I’m talking with them, I shouldn’t hesitate to ask them tough questions about methods, scope, and risk. I should also explicitly discuss with them the “rules of engagement,” bringing in my legal team, among others, as appropriate.

      In sum, we need to view security as part of a broad risk equation. To the degree that pentesting helps us better understand the whole system, it can be a very worthwhile exercise, particularly when we go into it with our eyes open. We should never simply acquiesce to a pentester’s agenda or program. In other words, we should red team our pentesters. If they’re good, they’ll understand and appreciate our diligence.