Behind the eight-ball: Why companies struggle with penetration risk

An introduction to a new blog series spotlighting Coalfire’s upcoming 5th Annual Penetration Risk report.

Key takeaways:

  • Cloud migration has exposed organizations to new risks such as misconfiguration, injection and encryption issues.
  • To stay ahead of cybercrime in the new era, CISOs need to embrace pen testing automation, red teaming, and adversary behavior emulation.
  • Threat-Informed Defense (TiD) is a framework developed by MITRE that incorporates offensive security tactics to replicate adversary behavior and provides a knowledge base for implementing security controls.

Coalfire’s upcoming 5th Annual Penetration Risk report confirms that check-the-box penetration testing is not effective, highlighting the emergence of the much-needed Threat-Informed Defense strategy.

Traditional penetration testing has focused on point-in-time, compliance-driven activity. However, given today’s expanding attack surface and more sophisticated cybercrime, this approach limits visibility, detection, and remediation capabilities. As a result, cyber best practices are transforming from point-in-time to all-the-time adversarial operations informed by intelligence-driven attack simulation.

Unfortunately, too many executive leadership teams are overwhelmed by their dynamic attack surface and ever-changing threat landscape. The current state of cybersecurity was captured in keynotes and briefings at the recent Black Hat convention and confirmed in Coalfire’s upcoming report: IT and security teams are failing to keep up with rapid cloud migration.

Based on decades of experience and thousands of real-world engagements, our research demonstrates that organizations are aggressively moving to the cloud, yet all too often, without a mastery of cloud security fundamentals.

It's difficult to stay ahead of the cloud adoption curve, especially with the plague of cyber hygiene failures and social engineering exploits. High-risk cloud vulnerabilities increased over the last year, with 79% of those surveyed reporting security misconfiguration at the top, followed by injection and encryption issues.

Threat-informed defense

In this environment, CISOs and their teams are behind the eight-ball. With accelerating cloud adoption and a dramatic surge in generative AI cybercrime, organizations find themselves on the threshold of a daunting new era in cyber risk.

Though traditional check-the-box testing models have their place, today’s most successful CISOs are gaining advantage by moving their companies to embrace pen testing automation, red teaming, and adversary behavior emulation.

MITRE’s Center for Threat-Informed Defense (TiD) provides a knowledge base and framework that organizations can use to implement an adversary-centric approach. TiD incorporates offensive security activities to mimic the tactics and techniques of adversaries, which allows organizations to implement, test, and configure security controls based on specific threats.

Open-source intelligence (OSINT) on the web (all types, including the clear, deep, and dark web) is freely available to bad actors who conduct ongoing reconnaissance for vulnerabilities to exploit. Meanwhile, management still takes its cues from regulators and compliance bodies like PCI, HITRUST, FedRAMP, and NIST as to when to conduct the next test or when to produce the next oversight report. Bad actors aren’t waiting around for the next audit cycle; they’re finding new ways around organizational defenses in real time.

Too many companies ignore this new reality and remain stuck in the predictable cadence of framework-defined tests and metrics. At the same time, budgets are squeezed, operational resilience is faltering, and the consequences of breach and disruption are off the charts. Security programs can’t afford to simply scan for vulnerabilities and patch – they must adopt a TiD approach to gain broader insights into the threats that are relevant to their organization.

Informed by human experience, today’s enterprise security programs require complex, managed service application of continuous, actionable insight along the entire vulnerability management lifecycle. To make it work, CISOs must think and act like adversaries.

In the next blog in this series, we’ll discuss what’s working and what’s not in risk management technology. Look out for Coalfire’s 5th Annual Penetration Risk report, which drops September 12.