Businesses regularly conduct cyber security assessments for a number of reasons, including government and regulatory requirements, corporate compliance audits, or as part of their own responsible data protection policies. However, when it comes to choosing a particular assessment approach, decision makers may be unaware of the differences and advantages between two of the most commonly employed cyber security assessments.
To that end, this article covers the fundamentals of Vulnerability Assessment & Penetration Testing and Compromise Assessments. Both approaches will be compared, and readers will walk away with a better understanding of which evaluation is better suited for their needs.
What is vulnerability assessment and penetration testing (VAPT)?
Vulnerability Assessment & Penetration Testing (VAPT), also known as “penetration testing”, “pen testing”, and “red teaming”, is a preventive exercise aimed at discovering an organization’s cyber security weaknesses and patching them before an attack takes place.
VAPT follows an “outside–in” approach, looking at the company’s systems from an attacker’s perspective, mimicking the actions an attacker might take when approaching the company’s network. The goal of VAPT is to find any security bugs or misconfigurations within a software program or a computer network and highlight where the organization needs to focus its cyber security hardening efforts from a defense structure perspective.
While VAPT is often referred to as a single exercise, the process actually requires two separate phases: “Vulnerability Assessment” (VA) and “Penetration Testing” (PT). Vulnerability Assessments first search for any “open doors” or vulnerabilities that attackers may exploit to penetrate the system. Penetration Testing is then performed by human-led “Red Teams” (or offensive ethical hackers) who use real-world adversary tradecraft and security gaps found in the Vulnerability Assessment phase to attempt to enter the system (whether both “VA” and “PT” are offered in conjunction or as separate services depends on the provider).
VAPT ultimately supports the overall goal of improving an organization’s cyber security by identifying security infrastructure holes to be remediated.
The limitations of VAPT
Whilst VAPT is very good at assessing system defenses, its outside–in approach does not account for any malicious activity already occurring within an environment. In other words, VAPT does not produce any information about what is actually happening within the organization’s systems. For example, VAPT would neither prevent nor detect unauthorized access using stolen but legitimate credentials (such as through a phishing attack, which is the avenue of approach for 95% of all cyber attacks today, according to the SANS Institute).
Additionally, penetration teams are often banned from touching production systems, as this may compromise sensitive information or impact operations. Thus, such systems remain out of the scope of the test and the true havoc an attacker may wreak on a system is not fully assessed. Only through a Compromise Assessment can all the exploited vulnerabilities be caught and patched.
Given the speed at which attacks can spread from one infected endpoint to all network endpoints, early detection of an active intrusion can make the difference between surviving an attack and shutting down operations due to extensive damage. As such, companies may prefer to prioritize regularly scheduled Compromise Assessments as a means of detecting active threats and already-exploited infrastructure gaps — not just theoretical ones.
The benefits of an inside-out approach via compromise assessment
A Compromise Assessment is essentially what an Incident Response firm would do in the event of a breach: an inside–out investigation and security audit of the organization’s internal environment, applications, infrastructures, and endpoints.
Today, as attackers and their methodologies outstrip the abilities of cyber defense, preventative products and services often fail in stopping breaches. Conducting a Compromise Assessment is akin to defaulting to the last resort in a proactive manner, essentially undertaking the correct assumption that even the most sophisticated cybersecurity defenses cannot guarantee safety. This philosophy is called “Assumed Breach”, which is growing as a common framework to view cyber security due to the explosion of attacks as the adversaries scale their technologies and tactics at an alarming rate since the start of COVID.
With phishing-led attacks on the rise, and 78% of organizations in APAC planning to maintain at least some of the “Work From Home” (WFH) arrangements set out during the COVID-19 outbreak - meaning people are working in environments where endpoints are scattered across different networks - Compromise Assessments should be carried out with higher frequency to ensure the systems are safe from within. Compromise Assessments look at the system from the inside, searching for malware that has attempted or successfully compromised the network to provide insights on which vulnerabilities are being exploited. Results are based on suspicious user behaviors, extensive log review, Indicators of Compromise (IOCs), and any other evidence of malicious activities to identify attackers residing in the current environment (or active in the past).
This is why global financial institutions have internal teams, just like Blackpanda’s, conducting Compromise Assessments on a daily basis, as their risk tolerance for being unaware of an active breach is essentially nil. For smaller companies which can assume a higher risk tolerance, Compromise Assessments can be conducted weekly, monthly, or even quarterly -- the decision regarding frequency ultimately being a financial cost-benefit analysis for each business. Blackpanda recommends a minimum of quarterly Compromise Assessments in Asia due to the average dwell time, or the amount of time for a victim to detect an active intrusion, is slightly above 90 days. Conducting Compromise Assessments on a quarterly basis would enable victims to preemptively detect an active breach prior to accidentally discovering it in a normal dwell time scenario, thus resulting in a reduction of the damage otherwise to be inflicted.
Carrying out Compromise Assessments through an Incident Response specialist firm like Blackpanda has great advantages when it comes to identifying breaches and backdoors early and kicking them out before they can cause severe financial damage. This way, as soon as an attack is identified during a Compromise Assessment, Blackpanda can immediately begin Incident Response to contain and eradicate the threat. Eliminating threats early and often is key to safeguarding an organization’s cyber health and overall survival, as the dwell time of a cyber attack, or the amount of time to detect an active intrusion, is one of the most important factors in determining the severity of a breach. Catching a fire while it is still a small flame is better than allowing the spark to turn into a raging inferno before noticing it and attempting to address it. Similarly, conducting frequent Compromise Assessments to catch attackers in early-stage, and then transitioning immediately into Incident Response to stamp them out can significantly limit breach damage.
Recurring Compromise Assessments thus serve as both a preventive and proactive defensive tool, offering a real-time view of an organization’s security posture and the opportunity to promptly respond to any attack before further damage can be done.
Preventive VAPT is important, but outside–in assessments alone can only discover vulnerabilities without verifying whether a system has already been breached. Compromise Assessments offer a more holistic alternative, as they help single out bugs and vulnerabilities in the network, identify opportunities for improvement, and produce information about whether the company is already under attack.
Thanks to their inside-out approach, Compromise Assessments further support Incident Response efforts, helping reduce dwell time by enabling prompt activation of response plans and processes.
Blackpanda security specialists operate both on-site and remotely to conduct Compromise Assessments and evaluate the security risk of organizations by assessing critical assets, networks, and logs through its proprietary forensics tool, Pandarecon.
To learn more about how proactive cyber security forensics audits can improve your organization’s security posture and fulfill compliance requirements, contact Blackpanda today.