Chinese military strategist Sun Tzu is quoted as saying, “if you know the enemy and you know yourself, you need not fear the results of a hundred battles.” In cybersecurity terms, that means knowing the cyber-adversaries and associated tactics, techniques, and procedures (TTPs) they use to attack your organization.
Sun Tzu’s quote also applies inward: an organization must know its own technical, human, and even physical vulnerabilities in order to apply the best protection to its critical assets.
How can organizations gain this knowledge? By attacking themselves through penetration testing and red teaming exercises. According to ESG research, organizations pursue penetration testing and/or red teaming at least once a year for the following reasons (note: I am an ESG employee):
26% conduct penetration testing/red teaming as a best practice for risk assessment
17% conduct penetration testing/red teaming because they are required to do so for regulatory compliance
14% conduct penetration testing/red teaming because it is mandated from executive management or the board of directors
13% conduct penetration testing/red teaming because it is mandated as part of third-party contracts
Penetration testing and red teaming are finite projects – 75% of organizations say their engagements last two weeks or less. Despite this short timeframe, penetration testing and red teaming produce useful results and benefits. Organizations use these exercises to find and fix vulnerabilities, review risk status with executives, reassess IT and security priorities based on the results, and determine where they need to hire and/or train employees.
Problems with penetration testing and red teaming processes
Yup, penetration testing and red teaming can be quite beneficial, but there are several problems with the current processes, including:
Testing frequency. Like any other type of IT or security scanning, penetration testing/red teaming results have a short shelf life …