Security testing and vulnerability assessments have become another one of the checkboxes on the machine that is the corporate world. That's where pentesting companies and risk assessment "solutions" operate currently. The same applies to what people call "red teaming" today - nothing to do with Red Teaming, just another form of pentesting. People expect these assessments to be quick, and to follow a pattern. And when all is said and done, they can check that box and publish on their website that "we are [enter some acronym] certified and run pentesting".
Attackers know these tests will follow a pattern.
They know these companies will scan networks and servers, that they will use predictable tools, and that they will stay within the boundaries of what is considered good pentesting, leaving the majority of systems and networks out of scope. Worse, it leaves the more important things out of scope: the people, and the policies and procedures.
As security professionals who mimic and act like real adversaries, it's time we began to disrupt that.
A real security assessment, the real adversarial look into things, is about mimicking attackers and how they will act, attacking any and all aspects of an organization's security. The point is to really stress test every domain, including policies and those things called assumptions. You have to change your standard operating procedure (SOP) every time, adapting to what you have in front of you: the organization and its capabilities.
This means using resources and techniques that are not expected. Yes… This means attacking things.
Disruptive security assessments should be the goal. A good security assessment begins once the "check the box" tests end. It begins once the audit or pentesting companies go home and the organization feels like it is now "secure". Disruptive assessments bring security to the right place, and test the right things.
It's time to change the mindset, to change what everyone thinks security is. Make an organization more resilient by being a disruptive force. Bring the power of thinking like an adversary to their doorsteps.
Disrupt. And then disrupt again. Until they do it themselves.
(note: an earlier version of this article was posted on the Advanced Capabilities Group blog)