My work takes me around the country and provides me with the opportunity to visit a wide variety of CDW customers across industries. As I’ve traveled over the past year, IT and cybersecurity leaders throughout the US sometimes tell me, “We’ve already handled the cybersecurity basics and conduct regular vulnerability scans and penetration tests. How do we take our security assessments to the next level and derive more value from them?”
Some of these customers ask my opinion on black box penetration tests that seek to evaluate an organization’s security posture from the attacker’s perspective. In this approach, the testers have no advance information about the client’s technology environment and frequently have no stated objectives. It’s the digital equivalent of saying, “Just come at me and see what you can do.” I generally advise clients to avoid this type of testing parameter. In my experience, testing under black box parameters says more about the skill level of the engineer and less about the effectiveness of an organization’s technical security controls. Perhaps even worse, some elements of the client’s architecture might not be tested at all, with unidentified vulnerabilities remaining.
If conducted with some caveats, though, black box testing isn’t without merit. For those looking to do more than traditional penetration testing, I recommend some alternative exercises.
Capture the Flag Exercises
In these assessments, our experts seek to evaluate the ability of an attacker to gain access to a critical resource. For example, a healthcare provider might task CDW security experts with obtaining protected health information, while a retailer might want to assess the vulnerability of credit card information. In a capture the flag exercise, the security testers approach these objectives in a focused way that allows them to apply all their available tools and mimic the actions of a determined attacker seeking to access specific critical assets.
Purple Team Penetration Tests
These assessments combine elements of friendly (“blue team”) and adversarial (“red team”) exercises. One set of CDW engineers works to gain unauthorized access to the client’s systems and information, while another CDW team provides the client’s security operations center with a bird’s-eye view of the incident as it unfolds. This approach combines a rigorous penetration test with an excellent learning opportunity for the SOC — assessing not only the existing security controls but also the in-house capability to identify and respond to threat actors.
Compromise Assessments and Threat Hunting
Flipping the concept of a penetration test on its head, compromise assessments or threat hunting engagements allow clients to perform due diligence around their most critical resources to ensure that they have not already fallen victim to an attacker. At CDW, we use threat hunting techniques and strategies to assess three primary areas: hosts, network and event logs. We then use the MITRE ATT&CK framework to identify indicators of compromise and hunt for malicious activity in a customer environment. Threat hunting takes due diligence to the next level when there is zero risk tolerance for particular critical assets.
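As an added example (not CDW's tooling and not code from this post), here is a small Python threat-hunting pass over the three areas named above: host process records, network flows and Windows logon events. The telemetry, the internal address ranges, the maintenance window and the detection rules are all constructed assumptions; each lead is tagged with the ATT&CK technique ID it corresponds to so the hunt's output lines up with the framework.

```python
"""Small threat-hunting pass over host, network and event-log telemetry that
tags each lead with a MITRE ATT&CK technique ID.  Added example, not CDW's
tooling; all records are constructed and the rules are illustrative."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    source: str      # area that produced the lead: host, network or eventlog
    technique: str   # MITRE ATT&CK technique ID
    name: str        # technique name as listed in ATT&CK
    evidence: str    # the record detail that triggered the rule


# Constructed sample telemetry (not real data) for the three areas the post names.
HOST_RECORDS = [  # process-creation style records from an endpoint agent
    {"host": "ws-017", "user": "jsmith", "image": "outlook.exe", "cmdline": "outlook.exe"},
    {"host": "ws-017", "user": "jsmith", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBi"},
    {"host": "srv-db1", "user": "svc_backup", "image": "schtasks.exe",
     "cmdline": 'schtasks /create /tn "updater" /tr c:\\users\\public\\u.exe /sc minute /mo 5'},
]
NETWORK_RECORDS = [  # flow records: src, dst, destination port, bytes sent
    {"src": "10.0.5.17", "dst": "10.0.5.20", "dport": 445, "bytes": 1200},
    {"src": "10.0.5.17", "dst": "10.0.5.20", "dport": 445, "bytes": 9800},
    {"src": "10.0.5.17", "dst": "198.51.100.9", "dport": 443, "bytes": 412},
    {"src": "10.0.5.17", "dst": "198.51.100.9", "dport": 443, "bytes": 418},
    {"src": "10.0.5.17", "dst": "198.51.100.9", "dport": 443, "bytes": 410},
    {"src": "10.0.5.17", "dst": "198.51.100.9", "dport": 443, "bytes": 415},
    {"src": "10.0.5.22", "dst": "198.51.100.40", "dport": 443, "bytes": 51000},
]
EVENTLOG_RECORDS = [  # Windows Security log style logon events (4624)
    {"event_id": 4624, "logon_type": 2, "user": "jsmith", "src_ip": "-", "hour": 9},
    {"event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.5.17", "hour": 10},
    {"event_id": 4624, "logon_type": 3, "user": "svc_backup", "src_ip": "10.0.5.17", "hour": 3},
    {"event_id": 4624, "logon_type": 3, "user": "svc_backup", "src_ip": "10.0.9.5", "hour": 23},
]

# Assumed internal address space; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAINTENANCE_HOURS = range(22, 24)  # assumed window in which svc_backup is expected to log on


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hunt_hosts(records):
    """Execution and persistence leads from process-creation records."""
    leads = []
    for r in records:
        cmd = r["cmdline"].lower()
        # Hidden-window PowerShell with an encoded command is a common loader pattern.
        if r["image"].lower() == "powershell.exe" and "-w hidden" in cmd \
                and re.search(r"\s-e(nc|ncodedcommand)?\s", cmd):
            leads.append(Finding("host", "T1059.001",
                                 "Command and Scripting Interpreter: PowerShell", r["cmdline"]))
        # A scheduled task whose action lives in a world-writable directory.
        if r["image"].lower() == "schtasks.exe" and "/create" in cmd and "\\users\\public\\" in cmd:
            leads.append(Finding("host", "T1053.005", "Scheduled Task/Job: Scheduled Task", r["cmdline"]))
    return leads


def hunt_network(records, min_conns=3, max_jitter=16):
    """Beacon-like traffic: repeated, near-constant-size flows to one external endpoint."""
    sizes = defaultdict(list)
    for r in records:
        if not is_internal(r["dst"]):
            sizes[(r["src"], r["dst"], r["dport"])].append(r["bytes"])
    leads = []
    for (src, dst, dport), seen in sizes.items():
        if len(seen) >= min_conns and max(seen) - min(seen) <= max_jitter:
            leads.append(Finding("network", "T1071.001", "Application Layer Protocol: Web Protocols",
                                 f"{src} -> {dst}:{dport} {len(seen)} flows, bytes {sorted(seen)}"))
    return leads


def hunt_eventlog(records):
    """Access leads from 4624 logons: type 10 is RemoteInteractive (RDP), type 3 is a network logon."""
    leads = []
    for r in records:
        if r["event_id"] != 4624:
            continue
        if r["logon_type"] == 10:
            leads.append(Finding("eventlog", "T1021.001", "Remote Services: Remote Desktop Protocol",
                                 f"{r['user']} RDP logon from {r['src_ip']}"))
        # Service accounts should only authenticate over the network inside their window.
        if r["logon_type"] == 3 and r["user"].startswith("svc_") and r["hour"] not in MAINTENANCE_HOURS:
            leads.append(Finding("eventlog", "T1078", "Valid Accounts",
                                 f"{r['user']} network logon from {r['src_ip']} at {r['hour']:02d}:00"))
    return leads


def hunt(hosts=HOST_RECORDS, network=NETWORK_RECORDS, eventlog=EVENTLOG_RECORDS):
    """Run all three hunts and return the leads, ordered by source then technique."""
    leads = hunt_hosts(hosts) + hunt_network(network) + hunt_eventlog(eventlog)
    return sorted(leads, key=lambda f: (f.source, f.technique))


if __name__ == "__main__":
    for f in hunt():
        print(f"[{f.source:8}] {f.technique:10} {f.name}: {f.evidence}")
```

Each rule produces a lead for an analyst to review rather than a verdict: the RDP logon and the off-hours service-account logon are only suspicious in the context of the customer's baseline, which is why the maintenance window and the internal ranges are explicit, tunable constants rather than hard-coded into the rules.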
Incident Response Service Agreements
Finally, while I hope none of our clients ever need it, having some incident response capability is always an excellent option. CDW offers all of our clients access to top-notch cybersecurity experts who can assist with triage and response to cybersecurity incidents. We don’t require payment of upfront fees or retainers and will help you complete all the paperwork in advance to ensure you have rapid access to expertise as soon as it is needed. Clients with agreements in place can get a CDW cybersecurity engineer on the phone, usually within two hours of their initial request, 24 hours a day, 365 days a year.
As always, security expenses should never exceed the value of the protected asset — to the extent we can assess that value. I would always recommend a gray or white box approach to penetration testing to truly evaluate the overall security posture before engaging in some of these asset-centric methodologies. But if an organization already has a mature security capability and is looking to grow its in-house knowledge, these are some more forward-leaning options.