Safeguard Your Organizational Security Posture. Run a Pen Test.

Penetration testing, also known as pen testing, is the act of attempting to breach an organization’s network, computers, and systems to identify possible means of bypassing their defenses. It's an "art" because there is no one-size-fits-all method or process. Testers need a variety of skills, knowledge, and tools to make these attempts.

Most testers are hackers trying to use their skills legitimately, technical administrators, network administrators, or just computer enthusiasts who enjoy trying to undermine IT security stacks. Many testers are masters of them all. Their primary goal is to succeed in getting past defenses and report on their findings. An MSP's intention is to NOT allow this to happen by putting up the right security posture through layered defenses.

So it’s easy to see how the relationship can quickly become adversarial. But there are ways pen testing organizations can help MSPs. Before we get to that, more details on types of pen tests.

Types of testing

An issue with pen testing is a lack of standard operating procedures. Not a single company performs the tests the same way. Testers are fallible actors with certain skills they apply to circumvent defenses. While testers and testing organizations are usually highly skilled, they are not all-knowing. Trust them, but also verify.

So, what types of testing methods are there? While standardization is scarce and pen testing is pretty much a Wild West environment, there are some common methods and approaches. Generally, these can be broken down into two categories: Blue Teams and Red Teams. Purple Teams form under some special conditions.

Tools are specific to the environment.

The Blue Teams

With Blue Teams, the "tester" has some information about the network, computers, and organization that they're pitted against. They know how things are set up and are there as more of an audit/report type tester rather than a malicious hacker.

Blue Teams can be anyone inside or outside the organization. However, in the MSP community, the Blue Teams are usually the technicians responsible for establishing the layered security defenses and then verifying their effectiveness. They're the internal folks that are standing up various tools to block bad actors from encroaching or breaching their network, computers, and systems.

Here's where it can get murky, and why you should always insist on more information about a client's pen test. A "pen test" can be an outside organization performing a Blue Team activity, with its report communicated as a Pen Test Failure. Trust, but verify.

The Red Teams

Red Team testers have no idea about the organization they're testing against and must figure out the technology, network, computers, and systems before doing anything. These are true hackers starting from nothing. They may use port scanning and vulnerability scanning tools or social engineering and phishing attacks to conduct reconnaissance; they may Google employees, use LinkedIn, or use any other publicly available information to gain a foothold with the organization before they write one line of code.

This is real penetration testing, as they attempt to access the networks, computers, and systems of the identified organization they're testing against. When a Red Team reports its findings on why and how they were able to breach a client, it's time to pay attention.

The Purple Team

The purple team is a mix of Blue and Red team members.

While red and blue teams have the same goal of improving the security of an organization, too often both are unwilling to share their "secrets". Red teams sometimes will not disclose the methods used to infiltrate systems, while blue teams won't say how the red team's attacks were detected and defended against.

The value of the red and blue teams is nil if they don't share their research and reports. That research and those reports are critical to strengthening the company's security posture. This is where the purple team comes into play. Both red and blue team members work together to share insight about their knowledge, reports, resources, and research.

Should you retain a Penetration Testing company?

So, now that we've established some high-level parameters, how should Managed Service Providers engage with pen testers?

First, it’s important to learn everything you can about your tools. The mantra of a strong security posture is ‘know your tools inside and out.’

But don’t stop there. Rather than standing up layers of the latest cool tools and crossing your fingers that no pen tester hits a client with a failing report, be proactive. Learn about the penetration testing market, find a good pen testing company with strong credentials, and engage with them. With security concerns exploding over the past few years, pen testing should be considered an essential tool for validating your effort and spend on the security stack. So get to know the good ones.

Again, many MSPs view third-party pen testing organizations as the enemy. Instead, engage with pen testing organizations to test your own defenses before issues affect your customers.

Here are a few tips for improving your business’s relationships with pen testers:

  • Pen test your own network, computers, and systems. If you want to know how good your "Blue Team" is, put their feet to the fire and have a solid, reputable third-party pen-testing organization attempt to breach your own defenses. Learn all you can about their methods and findings, then review and adjust.
  • Work with the pen test organization as a potential revenue opportunity. Work out an agreement that lets you, as the MSP, provide work and opportunity through your own customer network. You act as the lead generator and offer their services as an adjunct to your own.
  • When customers come along with a report in which you were not involved, ask questions about how the test was conducted and then offer your own services to proactively verify their report.


Now that you know the basics of pen testing and how it can be used constructively, here’s a question: what happens when a customer fails a pen test?

You’ll get your answer in an upcoming post.
