Identifying and eliminating security vulnerabilities that may be exploited by a threat actor is a key part of protecting your computer network from compromise. Threat actors often exploit vulnerabilities to:
- Gain initial access to a network
- Spread malware to additional hosts
- Gain access to privileged user accounts
It’s equally important to identify security vulnerabilities in your organizational processes and user practices. Threat actors commonly target users with social engineering campaigns to steal account credentials or execute malware and gain initial network access. To reduce the success and impact of social engineering attempts, organizations can implement robust company-wide security policies and offer user training.
While it may not be possible to remove all vulnerabilities in a network, actively working to identify and eliminate them where possible can significantly decrease the likelihood of initial network compromise and hinder malicious activities post-compromise. It can also force threat actors to use a larger number of tools and techniques, making it easier for cybersecurity solutions to detect the attack.
Passive vulnerability tracking
One of the best ways to eliminate security vulnerabilities is to ensure that all software used within your network is promptly updated as updates become available. Vendors commonly publish security advisories when updates are made available, or may release scheduled security updates (for example, Microsoft typically offers updates for Windows and related software on the second Tuesday of every month).
Unfortunately, threat actors also monitor vendor updates to determine where vulnerabilities may exist in out-of-date systems. They’ll act quickly to exploit software not yet patched following an update. For this reason, it is essential that any known vulnerable software present on a network is quickly identified and updated.
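The following added example (not code from Field Effect or any vendor) shows one way to turn advisory tracking into a list of hosts that still need an update. All product names, hosts, versions, and dates are constructed, and the advisory and inventory record layouts are assumptions for illustration.

```python
from datetime import date

# Constructed sample data: hypothetical products, hosts, versions and dates.
ADVISORIES = [
    {"product": "examplevpn", "fixed_in": "4.2.10", "published": date(2024, 3, 12)},
    {"product": "exampledb", "fixed_in": "12.0.3", "published": date(2024, 4, 2)},
]
INVENTORY = [
    {"host": "gw-01", "product": "examplevpn", "version": "4.2.9"},
    {"host": "gw-02", "product": "examplevpn", "version": "4.2.10"},
    {"host": "db-01", "product": "exampledb", "version": "12.0"},
    {"host": "db-02", "product": "exampledb", "version": "unknown"},
    {"host": "ws-17", "product": "exampleeditor", "version": "1.0.0"},
]

def parse_version(text):
    """Return a tuple of ints for a dotted version, or None if unparseable."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return None

def is_older(installed, fixed):
    """Compare numerically, so 4.2.9 < 4.2.10 and 12.0 < 12.0.3."""
    width = max(len(installed), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(installed) < pad(fixed)

def find_exposed(inventory, advisories, today):
    """List hosts running a version below an advisory's fixed version."""
    findings = []
    for adv in advisories:
        fixed = parse_version(adv["fixed_in"])
        for item in inventory:
            if item["product"] != adv["product"]:
                continue
            installed = parse_version(item["version"])
            # An unreadable version cannot be ruled out, so flag it for review.
            if installed is None:
                status = "unverified"
            elif is_older(installed, fixed):
                status = "vulnerable"
            else:
                continue
            days_public = (today - adv["published"]).days
            findings.append((item["host"], item["product"], status, days_public))
    # Longest-public advisories first: attackers have had the most time with these.
    return sorted(findings, key=lambda f: -f[3])
```

Comparing versions as strings would rank 4.2.9 above 4.2.10 and miss gw-01, which is why the versions are parsed into integer tuples before comparison.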
Active vulnerability testing
While passive vulnerability tracking and software updates are extremely important, computer networks are complex. Unique combinations of software, systems, and services create unique vulnerabilities. These security vulnerabilities can be difficult to find without directly interacting with systems and assessing how they respond during testing.
Active testing is typically referred to as penetration testing, though this term is broad and may be used to refer to several diverse types of testing activities. Let's look at some of the more common types of active vulnerability testing.
Automated testing
Several vendors offer automated testing solutions, such as:
- Vulnerability scanners
- Ransomware simulators
- Automated penetration testing software
These tools can offer good coverage where manual testing is not possible, though they may require a compromise between convenience and scope of testing.
Automated testing: Strengths
Automated solutions are typically much less expensive, less time-consuming, and easier to implement than manual testing.
Automated testing: Weaknesses
Since automated solutions cannot be monitored in real-time to ensure no actual damage is done to a network, they’ll typically limit their activities more than manual testing would.
For example, automated ransomware simulation typically would not involve the actual encryption of pre-existing files on a host as this could result in permanent loss of data. This restricts the tool from accurately simulating ransomware and other malicious activities, and as a result, may not meaningfully test security policies and defensive software monitoring for real events.
Automated solutions are further limited in their ability to customize or adapt testing to a specific network environment. Because of this, they struggle to detect more complex vulnerabilities, such as those that:
- Need several stages of interaction
- Involve end-user interaction
- Arise from interactions between multiple systems
Vulnerability assessments
A vulnerability assessment involves an active examination of a network to identify any hosts, software, and configurations with vulnerabilities that have not been remediated.
This type of test can be used to find many security vulnerabilities, including unpatched software, network protocols using outdated encryption and security standards, or exposed ports and network services not adequately protected behind a firewall.
Vulnerability assessments typically do not involve attempting to exploit any found vulnerabilities.
Vulnerability assessments: Strengths
Vulnerability assessments pair well with passive tracking and software updating and are excellent at highlighting missed software updates.
They can also typically detect security vulnerabilities from software and network misconfigurations or inadequate network segmentation, which are rarely addressed by software updates.
Vulnerability assessments: Weaknesses
Since vulnerability assessments do not attempt to exploit identified vulnerabilities, they may not provide full insight into the likely impact of exploitation, or level of risk.
Additionally, many security vulnerabilities are only exposed by first exploiting others, so this type of test is better used to detect surface vulnerabilities.
Penetration testing
Penetration testing involves a cybersecurity professional or 'ethical hacker' attempting to compromise a network the way a threat actor would. Testers use a combination of automated tools, manual testing, and individual skill to identify vulnerabilities, then attempt to exploit them to gain access to additional hosts, accounts, and permissions. This process is repeated to bore into a network and identify vulnerabilities hidden from surface assessments.
If your organization uses a managed detection and response (MDR) solution, you will want to notify the provider before the penetration testing begins. This way, you can clearly communicate what response you expect from them.
For example, you may want the provider to act as if there was a real compromise or to avoid responding to allow the test to continue without being blocked. This can also avoid potential impact on business-critical servers as the provider will know not to respond to activity relating to the test.
Penetration testing: Strengths
Penetration tests allow for real vulnerability exploitation. The tester can assess surface vulnerabilities and those buried within layers of software and unique configurations, all of which threat actors use to compromise networks.
Since pen testers use similar tactics to threat actors, they can not only identify security vulnerabilities but also accurately assess their severity exactly as presented in a specific network.
Penetration testing: Weaknesses
Penetration tests differ from real-world compromise in a couple of ways. The tester must be careful not to cause any actual damage to essential systems. They must also be sure all test activities can be reversed afterwards.
While this does not limit the tester’s ability to identify vulnerabilities, it won't adequately test your cybersecurity solution since the tester won’t be able to safely employ malware, for example.
Additionally, pen testers are often given legitimate privileged account access to conduct testing. This means they get to skip some initial access and privilege escalation activity that would be common in a real compromise.
Social engineering simulations
Outside of software and system vulnerabilities, threat actors often exploit employees through social engineering. A social engineering simulation may be used to:
- Determine the likelihood of users falling victim to social engineering
- Raise user awareness about social engineering attempts
- Identify opportunities for additional user security training
This type of test is often delivered in the form of an email phishing simulation. Phishing is a technique commonly used by threat actors to trick users into downloading malware or exposing sensitive information such as account credentials. The threat actor will send an email containing malicious links or attachments, often impersonating a recognized contact to make the email appear legitimate.
Social engineering simulations: Strengths
User activity is one of the largest security vulnerabilities and is not easily remediated. However, showing users that they may be susceptible to social engineering attempts and offering more training can improve user security awareness and reduce the likelihood of an incident.
Social engineering simulations: Weaknesses
Social engineering is complex and may be implemented in many ways, so the ability of a user to detect a simulated attempt does not necessarily prove their ability to catch real-world attempts.
Security assessments
A security assessment is a high-level audit and can be used to assess an organization’s policies and practices and even employee behaviour. Rather than focusing on system and software vulnerabilities, the assessment identifies where policies and common practices could be changed to reduce the threat surface and improve security.
In some cases, security assessments may involve assessing physical security and asset storage. This type of assessment is typically needed for compliance audits, such as those used to assign certification under the International Organization for Standardization (ISO) or Payment Card Industry (PCI).
Security assessments: Strengths
By targeting policy and awareness, security assessments may improve an organization’s ability to react to security threats—including those not seen or trained for. Precautions taken at an organizational level can reduce the dependence of security on the actions of individual users.
Security assessments: Weaknesses
Security assessments, especially those used for compliance certification, may be a slow process and require significant revision to organizational policies and employee training.
Tips to test more effectively
Field Effect strongly supports a holistic approach to security, which includes testing activities to find and fix security vulnerabilities combined with threat detection and response.
To ensure that an organization gets the maximum possible benefit from testing, it's important to fully understand the intent, capabilities, and limitations of each test to be used.
This means understanding the:
- Intent of the type of testing used—no single solution will identify all types of vulnerabilities.
- Static nature of many tests, meaning they may not offer a full view of the live network environment.
- Limitations of testing, including where tests may differ from real-world exploitation and compromise.
- Role of MDR solutions, and how tests apply to or potentially hinder them.
- Potential impact on the network during and following testing, including potential downtime and the administrative work needed to return systems to normal after a test.
How Field Effect can help
Field Effect offers multiple vulnerability assessment and threat surface monitoring techniques as a part of Covalence MDR. In addition to threat monitoring and active response, Covalence routinely identifies vulnerabilities by:
- Passively monitoring software and network configurations
- Active vulnerability scanning using context-specific threat intelligence
Field Effect additionally offers a wide range of highly customizable services that can be used alongside Covalence or as stand-alone assessments, including:
- Network penetration testing to ensure full coverage of both surface vulnerabilities and in-depth vulnerability chains used by threat actors.
- Web application penetration testing to identify exploitable configurations in one of the most readily accessible means of entry into your network.
- Customizable phishing simulations, ranging from generic spam campaigns to manually crafted and sophisticated campaigns tailored to your specific organization.
- Security training courses and simulated network exercises for developers, IT staff, and security pros via Field Effect Cyber Range.
- Security assessment, as part of the vCISO service, to help guide organizational policy and best practices throughout your cybersecurity journey.
Not sure which service is right for your organization? Get in contact with our team for a no-obligation consultation.