Modern-day businesses must be proactive when it comes to the identification and mitigation of vulnerabilities in their IT systems. As cyberattacks evolve in sophistication, security leaders are responsible for strengthening cyber resilience in order to minimize expensive security outcomes.
Meanwhile, the volume of reported vulnerabilities has continued to rise, bringing the total number of reported vulnerabilities in the CVE database to more than 196,000. Of these reported vulnerabilities, 10.20% are critical, meaning their CVSS score is nine or more. A Ponemon Institute report recently found that ethical hackers discovered and reported over 65,000 vulnerabilities in 2022 alone, an increase of 21% over 2021.
Security teams that prioritize the act of vulnerability identification can see the CVEs and critical risk exposures that require timely patching or prioritized remediation. The processes involved in identifying vulnerabilities lay the foundation for DevOps to proactively mitigate known risks and manage overall cybersecurity risks.
How Vulnerability Identification Works within Vulnerability Management
When considering how to measurably reduce the risks that lead to preventable security breaches, the vulnerability management (VM) program offers a significant opportunity to lower the probability of a preventable breach.
The first requirement of the VM program is to identify the vulnerabilities. A comprehensive approach to vulnerability identification ensures that a business finds vulnerabilities in its IT systems before hackers exploit them.
There are a few ways to conduct vulnerability identification: vulnerability scanning and penetration testing.
The first approach is via modern protective technology, such as a vulnerability scanner. The vulnerability scanner is proactively integrated into the security tech stack to support the vulnerability management program.
The second method is to conduct a penetration test, which includes vulnerability identification in two phases of the penetration testing lifecycle: vulnerability discovery and vulnerability assessment. In a penetration test, vulnerabilities may be identified with scanning technology and/or with a human pentester trained in vulnerability identification.
To get the most comprehensive vulnerability identification documented within a pentesting exercise, follow the best practices recommended by industry leaders and security experts. They help validate security and compliance on time and improve overall security outcomes over time.
NVD Vulnerability-related Standards
Thousands of vulnerabilities are reported and published every year by organizations like the National Vulnerability Database (NVD). Before vulnerability-related information is listed in NIST’s NVD, the Security Content Automation Protocol (SCAP) collects and catalogues vulnerabilities, assigning a unique identifier for each vulnerability. This unique identifier is provided under the Common Vulnerabilities and Exposures (CVE) system.
The CVE system was launched for the public in 1999 and is operated by the MITRE Corporation with funding from the US Department of Homeland Security. Each vulnerability is assigned a severity score using the Common Vulnerability Scoring System (CVSS). At present, there are more than 196,000 reported vulnerabilities in the CVE database. The CVE system has emerged as the most preferred system for vulnerability identification in leading security tools.
| CVSS score range |
|---|
| 0.1 – 3.9 |
| 4.0 – 6.9 |
| 7.0 – 8.9 |
| 9.0 – 10.0 |
Table: CVSS ratings for the severity of vulnerabilities
Pentesting Best Practices for Vulnerability Identification
NIST defines penetration testing as “Security testing in which evaluators mimic real-world attacks to identify ways to circumvent the security features of an application, system, or network. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.”
A successful penetration test begins with a comprehensive discovery of potential vulnerabilities. This phase is called the “Discovery” phase. The next step is to confirm the findings are accurate and require remediation with an assessment that identifies known vulnerabilities and – ideally – eliminates false positives. This phase is called the “Vulnerability Assessment” phase.
1. Defining your objectives for a pentest
Before starting any project, the first step is to define the objectives and expected goals. This is a must for businesses to have clarity on the intended outcomes. Here, a business should have answers to questions such as:
- Why is the pentest being performed?
- Are there any specific questions that need to be answered?
- What is the scope of the pentest?
- What will be the duration of the testing exercises?
- Is the necessary budget available? If not, how will it be arranged?
Pentesting exercises simulate tactics, techniques, and procedures (TTPs) adopted by real-world hackers to identify vulnerabilities in the IT systems of a business and fix them via patching or risk mitigation. Given this important role in organizational security, businesses should invest time preparing for a pentest. With well-defined objectives, the testing team is better positioned to deliver effective results for vulnerability identification and remediation within the given scope.
2. Selecting a pentesting methodology
When a pentest involves all of your IT assets, the testing team can craft their exercises based on their expertise and professional experience. This “full-scope” pentesting approach is helpful for businesses conducting a penetration testing exercise for the first time or lacking clarity on the resiliency of their security posture. The “full-scope” pentesting approach can be tweaked to answer specific questions within the existing budgetary constraints.
For example, if a business has recently updated its web application, the scope can be limited to this web application, excluding its networks and other IT assets.
Irrespective of the approach, a business must follow certain good practices. Before starting the engagement, security experts recommend defining rules of engagement during the pentest and thereafter. Whether the exercise will be evasive, blind, or full disclosure can have a direct impact on the results. For instance, consider a medium-scale business that has decided to conduct a pentest. They do not have a monitoring solution in place. Here, an evasive pentest will not be fruitful, as the testing team would try to avoid detection while no monitoring solutions are in place.
3. Finding a skilled testing team
Security experts, along with many regulations and standards, suggest that pentests must be conducted by a team with organizational independence from the business. For most businesses, hiring dedicated security staff with a variety of skill sets can be a challenge. Requiring the right skillset can drive budget discussions and decision-making processes at multiple levels. Seeking help from well-known pentesting vendors can give peace of mind that the IT environment is secure and professionals with proven experience are conducting the testing exercise. Before onboarding a pentesting vendor, questions about testing methodology, pentesting staff qualifications, reporting, certificates, and references must be asked.
4. Monitoring the pentesting exercise
Once the pentesting exercise starts, businesses should continue interacting with the penetration testing team. Internal IT and security teams of a business should actively coordinate with the pentester(s). This will help them understand how the pentesting methodology replicates adversary TTPs – the tactics, techniques, and procedures that real-life hackers adopt. This activity will generate actionable insights for these teams, which will contribute to improving the security posture of IT assets.
5. Remediation and further steps
After the pentesting team has completed security testing, they will deliver a final report with a complete list of vulnerabilities identified within the defined scope. Along with the vulnerabilities identified, the pentest report will detail different exercises conducted, the potential impact on the business due to successful exploitation, and remediation guidance to mitigate risks.
Based on these inputs, the internal team can prioritize the vulnerabilities and start with the remediation of identified vulnerabilities. A good pentesting provider will also offer validation of mitigation measures implemented by the internal team. Validating mitigation with retesting and continuous penetration testing is necessary to ensure the IT environment is secure and patches are working.
The pentesting report also helps assess whether existing security tools and techniques efficiently report vulnerabilities. The insights gathered so far must be utilized as lessons learned. Here, decision-makers must analyze if the objectives and goals set out at the start of the pentest have been achieved. If not, the areas of concern should be outlined, along with a plan to incorporate them in the next pentest.
Increase Vulnerability Identification with Pen Testing as a Service
Comprehensive pentesting has become one of the most important security practices in recent years. While planning and executing a pentest, a business should not rush to check the box. Sufficient time should be dedicated to defining the pentesting scope, including documenting the objectives and goals. While hiring an external vendor, the skills and qualifications of the pentester must be assessed to ensure unnecessary risks are not introduced into the environment.
Pentesting exercises help identify vulnerabilities that businesses do not know exist in their environment. Once these known vulnerabilities are identified, security teams can efficiently prioritize remediation of critical and high-risk vulnerabilities without delays – and prevent a known breach from happening when every second counts.
BreachLock offers a secure and scalable cloud-native penetration testing platform and service – called Pen Testing as a Service – that comprehensively identifies critical vulnerabilities and enables in-house teams with streamlined DevSecOps workflows that speed up remediation. BreachLock’s award-winning, analyst-recognized approach combines the power of AI with human experts who use both manual and automated vulnerability identification methods aligned with industry best practices.