Blogs

Is penetration testing dead?

11/11/2020

“Penetration Testing is dead, long live Red Teaming” is an oft proclaimed term nowadays. Whilst QinetiQ’s Security Health Check team, the UK’s first formalised Penetration Testing team, understand the sentiment, we aren’t convinced by its accuracy.

Traditional Penetration Testing has been successfully delivered for over two decades, by the very capable UK Cyber Security industry and certainly has its place. However, its limitations need to be fully understood by those who commission it.

If a new system or application is being delivered which has very little reliance on existing systems in your enterprise then it is absolutely the right answer to test it in microcosm via a tightly scoped, change-focused, penetration test. This is because the results of a penetration test will give you a complete and definitive view of the cyber posture of the tested system. In essence, it will either be good to go or will need some remedial work. The problem space is well defined.

Penetration testing may still be the most appropriate approach if the system is not fully compartmentalised and has interactions with other systems, such as Active Directory. The type and extent of testing selected should be based on the criticality of the system and the data it contains.

Should the system, or the data it holds be at all critical to the business, then it may be more appropriate to undertake an adversary simulation ‒ colloquially called a “Red Team” exercise.

Red Teaming is a much more holistic approach. Instead of looking at the target system in relative isolation, it looks to simulate how attackers will actually go about attacking an organisation. There is nothing more realistic than this and it allows defenders to “train as you fight” providing them valuable experience with how an actual attack may manifest in their business. 

Penetration Testing is dead

Test

Our cyber security testing team will work with the customer to define a highly realistic scenario, based on the exact threats that keep their senior cyber practitioners up at night. We then set about simulating an end-to-end attack which is designed to realise that nightmare. The phases can include:

  • Surveillance of the organisation
  • Gaining an initial foothold (be this in the physical or cyber sphere)
  • Building command and control channels
  • Prosecuting the attacker’s objectives
  • Egress of data

During the exercise both technological controls and staff behaviours can be assessed to determine if issues are most likely to exist in the technology or training realm.

Often it is not the case that wholesale change or massive investment is required to fix the holes in your cyber security systems. Small tweaks to existing configurations or processes can have demonstrable effects on the chance of an attacker gaining access to your organisation’s crown jewels.

The Cost

While such an exercise sounds expensive and all-consuming, it needn’t be. As well as delivering our class-leading Advanced Intrusion Testing service, for large enterprise customers we also offer Cyber Intrusion Exercises tailored to the needs and budgets of small to medium enterprises. This new service means we can provide a full spectrum of capability at an appropriate price whether your organisation has tens or thousands of seats.

If you want to learn more about how our Red Teaming and Penetration Testing services email cyber@qinetiq.com