Attackers don’t all approach a target in the same way. Most will go after the lowest-hanging fruit, the easiest way through your defenses, but their individual skills and preferences mean they’ll get there by different routes. To defend against that range of attackers, you want to hire or work with penetration testers who bring an equally diverse set of skills. When your penetration testers share similar backgrounds and ways of operating, they develop unintentional blind spots about your attack surface, which means security issues and gaps go unfound.
With a multi-faceted team on your side, you’re less likely to fall into the trap of groupthink: decisions made by a group of people with similar backgrounds and worldviews. When a group looks at a problem or a finding through a single, limited lens, its solutions and decisions never account for their full impact, because the full picture is never factored in. Decisions made in the vacuum of groupthink have historically been disastrous; think Enron or the Bay of Pigs. Yale Alumni Magazine wrote a really solid thinkpiece on this subject that’s worth a read.
And that’s not just the case with pen testing groups, but with product development and engineering teams, too. When you evaluate what tools to bring in to fortify your defenses, you’re assuming that the tools themselves are unbiased. After all, it’s technology, not a group of people with opinions, built-in predispositions, and prejudices, right? But remember that technology is built by, and in the case of artificial intelligence continually taught by, humans. Technology is not infallible.
For this reason, automated attack surface management tools will never be enough to find all your weaknesses on their own. You need a diverse team of highly specialized and complementary security experts who can think creatively and holistically about the findings the automation tools identify, as well as the business impact they present.
So you need both. Start with automated tools that can scale to cover the entirety of your constantly changing attack surface. Then pair that full, comprehensive view of every issue with a team of humans who can validate those risks, cut through the noise, and home in on the issues that affect you most. Those humans, however, are just as susceptible to groupthink, and this is where a diverse group of pen testers comes into play. These pen testers can mimic attackers and act as a mini red team, working continuously alongside your team to ensure full coverage of your attack surface.
Having a diverse group of pen testers on your side helps represent the full range of skill sets, capabilities, viewpoints, and preferences your attackers bring. After all, information security is a multifaceted discipline where specializations are as varied as the technologies in use.
When we were building our Continuous Attack Surface Testing (CAST) team, we sought out experts who each brought unique skillsets to the table for our clients. We sought out senior-level individuals from a variety of specializations, from traditional penetration testers to seasoned red teamers. Each member’s skillset complements the team in a different way; some of our operators were developers, others hailed from IT backgrounds, and a few were fortunate enough to focus on security from the very start of their careers. Read more about our CAST experts and their varied backgrounds.
We group these folks into teams who work closely alongside our clients, so they receive cross-functional security expertise. Together, they work from the leads generated by our automated mapping technology to determine which findings and potential attack vectors are most likely to be exploited against the client’s perimeter.
These diverse teams see the same attack surface from many different angles, which better simulates a real attack. Each expert brings a different perspective when testing a suspected vulnerability. Some team members focus on post-exploitation and are accustomed to long, protracted engagements; others are highly skilled in reconnaissance and automation, the same skills behind their earlier success in bug bounties.
The teams get stronger, better, and faster when members with different experiences and perspectives share their knowledge. Then, we approach our clients’ attack surfaces as a united front – merging our varying strengths like a red team or advanced persistent threat might do.
If you’d like to see how it all comes together in CAST, we’d be happy to chat with you to demonstrate how our combination of automated, continuous testing, and human validation can find weaknesses before they become issues. Visit https://services.bishopfox.com/continuous-attack-surface-testing-cast for more information and to sign up for a demo.