Enterprises and government agencies conduct penetration testing (or pentesting) to simulate attacks and discover how real cybercriminals could gain access to their infrastructure. While the pen testers search for vulnerabilities and demonstrate possible attack vectors, there is one more project member whose role often remains unclear to the customer: a cybersecurity analyst, who provides unbiased expertise on the company’s protection. Kaspersky’s Security Services team walks through every stage of an analyst’s work and explains how it increases the efficiency of the project.
No two IT infrastructures are the same, and the most dangerous cyberthreats are tailor-made to exploit the specific weaknesses of an individual organization. Security assessment projects are conducted to test IT infrastructure and ensure it is secured against such attacks. Pentesting, an adversary attack simulation conducted by cybersecurity experts, can be part of a security assessment project, and it is relevant for companies in any field: financial, industrial, telecoms, government. However, it is crucial to have an expert who can judge how effective the pen tester’s work has been and make its results usable for the customer. This is where the cybersecurity analyst on the pentesting team comes in, and Kaspersky Security Services experts explain the role of this specialist in 8 stages.
Stage 1: assessing a company’s digital footprint before the pen tester starts their work
Analysts start their work before the pen testers, gathering information about business systems and external resources from open sources. They also check public web resources for data leaks that may include the customer’s and employees’ personal data and domain credentials, information that can be used, for instance, in social engineering attacks. Such data is often sold on the dark web, and the analyst’s task is to detect these references and warn the customer. All this information is collected to build potential attack vectors, which the pen testers will then test.
Stage 2: highlighting network perimeter security problems while the pen tester focuses on breaking into the infrastructure
In most organizations, the security state of the network perimeter is far from perfect. At this stage, analysts examine the outputs of instrumental network scans and highlight the key problems.
“For example, an analyst detects one hundred active hosts with remote management interfaces (like SSH, RDP, etc.) available from the Internet without limitations, but the pen tester only needs one to break into the infrastructure. Analysts will still report that there are one hundred network security flaws. This specialist highlights all problems requiring attention and plays the role of a liaison between a pen tester, a project manager and a company,” said Olga Zinenko, Senior Security Services Expert at Kaspersky.
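As an added example (not code from Kaspersky or from the article), the following Python script performs the perimeter triage described in this stage over nmap XML output (`nmap -oX`): it lists every live host with an open remote management port and produces the per-service counts an analyst would put in the report. The port table, the service-name list and the embedded scan data are constructed assumptions, not output from any real network.

```python
"""Triage of nmap XML output: list hosts exposing remote management
interfaces. Added example; the port list and sample scan are assumptions."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Assumption: standard ports for common remote management services.
MANAGEMENT_PORTS = {
    22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc",
    5985: "winrm", 5986: "winrm-https", 161: "snmp", 10000: "webmin",
}
# Fallback on nmap's detected service name for non-standard ports.
MANAGEMENT_SERVICES = {"ssh", "telnet", "ms-wbt-server", "vnc", "winrm", "snmp"}

# Constructed sample in the shape of `nmap -oX` output (four hosts, one down).
SAMPLE_XML = """<nmaprun>
  <host><status state="up"/><address addr="198.51.100.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports></host>
  <host><status state="up"/><address addr="198.51.100.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
    </ports></host>
  <host><status state="up"/><address addr="198.51.100.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports></host>
  <host><status state="down"/><address addr="198.51.100.13" addrtype="ipv4"/></host>
</nmaprun>"""


def exposed_management(xml_text):
    """Return {ip: [(port, service), ...]} for live hosts with open management ports."""
    findings = defaultdict(list)
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not respond cannot be reached anyway
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ip = addr_el.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not exposed
            portid = int(port.get("portid"))
            svc_el = port.find("service")
            svc = svc_el.get("name", "") if svc_el is not None else ""
            if portid in MANAGEMENT_PORTS or svc in MANAGEMENT_SERVICES:
                findings[ip].append((portid, MANAGEMENT_PORTS.get(portid, svc)))
    return dict(findings)


def summarize(findings):
    """Number of affected hosts and a per-service breakdown for the report."""
    per_service = defaultdict(int)
    for ports in findings.values():
        for _, svc in ports:
            per_service[svc] += 1
    return {"hosts": len(findings), "by_service": dict(per_service)}


if __name__ == "__main__":
    found = exposed_management(SAMPLE_XML)
    for ip, ports in sorted(found.items()):
        print(ip, ", ".join(f"{p}/{s}" for p, s in ports))
    print(summarize(found))
```

Note that the script reports every exposed host, not just the first one: in the sample, two of the three live hosts are flagged (SSH on one, RDP on the other), while the filtered SSH port on the second host is correctly ignored. A real engagement would feed it the XML from the perimeter scan and compare the result against the customer's approved list of externally reachable administration endpoints.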
Stage 3: turning the pen tester’s report into a comprehensive picture of all the vulnerabilities and security flaws
An analyst obtains data from the pen testers about all successful attack vectors and puts it into the report in more detail, with descriptions of the vulnerabilities and security flaws, and proof and screenshots for each finding. This helps in-house security specialists and top managers answer questions such as “What are the conditions for exploitation?”, “Which component is vulnerable?” and “What are the consequences of an attack: credential theft, sensitive data disclosure, unauthorized access, etc.?”
Stages 4 and 5: turning vulnerabilities into threats and creating a visualization
At the fourth stage, threat modeling, all vulnerabilities are grouped into categories and then mapped to threats. With information about the customer’s business systems, an analyst can assess which critical resources a cybercriminal would gain access to in the event of an attack.
Then, at the fifth stage, the analyst visualizes all the pen tester’s actions in a diagram so that the customer can clearly see what happened during the attack simulation. In some cases, pen testers can also make use of the visualization, for example to find additional attack vectors.
Stage 6: prioritizing which vulnerabilities should be fixed first (spoiler: not necessarily the ones of highest severity)
When all vulnerabilities and threats have been identified, analysts move on to the prioritization stage and advise which vulnerabilities need to be fixed first. The vulnerabilities with the highest severity level do not necessarily get priority. Analysts assess the overall impact of the attack vector that employs a specific vulnerability and the damage its successful execution would cause. They then check which vulnerabilities are easier and faster to fix, and which ones require major changes to business processes.