Penetration Testing: Shifting Paradigms from Reactive to Proactive

Coalfire Assessment Team

September 19, 2023

Part 2 in a blog series spotlighting Coalfire’s 5th Annual Penetration Risk Report.

Key takeaways:

  • Penetration testing that incorporates advanced adversary emulation has surpassed traditional, check-the-box, compliance-driven pen testing.
  • High-performing security teams are adopting MITRE’s Threat-Informed Defense framework and using it effectively across an expanding attack surface.
  • Coalfire’s 5th Annual Penetration Risk Report reveals a significant surge in external risks in the retail and healthcare industries.

Coalfire's 5th Annual Penetration Risk Report, released on Sept. 12th, leverages findings from thousands of penetration tests (web, cloud, API, wireless, network, IoT hardware, and mobile) conducted by Coalfire over the last five years to provide analysis and recommendations for companies, large and small, whether they run in the cloud, hybrid, or on-prem.

The report underscores a concerning trend: many organizations rapidly transition to the cloud without mastering essential security measures. Nevertheless, the report points out that while many falter in their secure cloud migration, those who prevail consistently embrace a deep understanding of cloud security and cultivate a threat-informed defense culture.

Vulnerabilities by industry

The retail sector emerged as the most vulnerable this year. Meanwhile, the financial industry saw a significant surge in high-risk findings from the previous year. Despite a consistent decline in the past, vulnerabilities are rising again within the healthcare industry. The tech sector also experienced a noticeable increase year over year.

What does it all mean?

The findings from Coalfire's report underscore the pressing need for a shift in how businesses perceive and approach cybersecurity. As the landscape of threats evolves, relying solely on traditional penetration testing methods isn't enough. These methods, which often focus on a single snapshot in time, fail to capture today's cyber adversaries' continuous, adaptive, and sophisticated tactics.

Industries must move beyond these periodic assessments and embrace a continuous, threat-informed defense strategy. Offensive security-minded organizations engage in frequent activities to mimic known adversaries' tactics, techniques, and procedures (TTPs), achieving tremendous success in effectively identifying risk exposures, validating security measures, and prioritizing cybersecurity initiatives.

Pen testing with a threat-informed mindset

The interconnectedness of today's digital ecosystem, encompassing web, mobile, IoT, and cloud, amplifies the need for a holistic approach to security. This vast interconnectedness is precisely where MITRE's Threat-Informed Defense strategy plays a pivotal role. MITRE's approach emphasizes understanding the behaviors and strategies of adversaries, providing industries with a proactive way to counter potential threats rather than merely reacting to them.

In the context of the evolving digital landscape, the essence of MITRE's methodology lies in its iterative nature. Businesses better prepare themselves by continuously updating defensive strategies using real-world tactics and adversaries' TTPs. This approach aligns perfectly with the call for continuous security assessments and a 360-degree understanding of risk exposures.

Our research indicates that organizations excelling in threat-informed defense maintain a strong cybersecurity posture by prioritizing a human-centric approach that is enhanced by automation.

Critical thinking and human ingenuity are paramount in understanding potential risk exposures and determining how an adversary might exploit them. By incorporating automation, these organizations enable their security teams to identify a broader spectrum of threats at scale – further amplifying their efforts.

Coalfire is a benefactor of MITRE’s global R&D program, MITRE Engenuity. In the report's foreword, MITRE Engenuity's Director of the Center for Threat-Informed Defense, Jon Baker, said, "In alliance with Coalfire, we're turning the tables on our adversaries by injecting uncertainty into their next move."

Based on our findings over the last five years, Coalfire has merged high-frequency offensive pen testing with defensive risk management to set a new standard in vulnerability lifecycle management. With the launch of Hexeon™ this year, we're introducing efficiencies at scale by combining human intelligence and oversight with tech-enabled attack surface management, adversarial emulation, and practical remediation.

In our next blog, we'll review the Hexeon platform in more detail and discuss the new ways we're empowering our customers with tech-enabled, human-first security pen testing.