The Future of the Pentest Industry

Self-driving cars, Uber for everything, Subway delivered to my front door: the COVID-era technology revolution has propelled virtually every industry toward making “life” automated and technology dependent.

Industries once perceived as non-IT are now fully immersed in IT. This has made ransomware and supply chain attacks feel commonplace.

Cybersecurity and penetration testing are no different. For years penetration testing has been an area of cybersecurity, already incredibly resource constrained, where a select few expert hackers serviced clients by manually performing an annual, focused penetration test. This provided a snapshot of risk bound by time and scope. With modern networks, systems, and applications, as with a self-driving car, the view changes every second. Can this model of annual, labor-driven assessments persist against this new dynamic attack surface and constant threat landscape?

With the advent of on-demand cloud services and an industry shift left towards DevOps, where applications are changed frequently within production environments, the old model of performing an annual assessment is no longer sufficient to provide a reasonable level of assurance that applications, networks, information systems, and cloud environments remain in a secure state.

As Cloud adoption grows and DevOps becomes the default for engineering new software, “as a Service” (i.e. *aaS) providers within the cybersecurity space seek to provide solutions that are dynamic and scalable enough to keep up with the rapid pace of change within forward-thinking companies. Anything as a Service (i.e. XaaS) seeks to industrialize a transaction in which the service provider delivers value to the consumer, leveraging its unique resources and ingenuity, in a manner that is generally programmatically driven (e.g. API-driven services with an accompanying web portal).

Given the limited talent within the cybersecurity space generally, and within offensive security specifically, compounded by the exponential growth of applications within Cloud environments, something must change. It is logical that leaders within the offensive market segment (e.g. the penetration testing segment, the vulnerability management segment, etc.) would follow the broader cybersecurity trends by amplifying the constrained labor using technology and scaling it using an “as a Service” delivery model to address this growing market gap.

Unfortunately, in the race to be first to this market, many trends and companies have recently emerged that do not fully address the real core issues clients face today.

Firstly, top talent in the offensive cybersecurity space is still extremely rare (e.g. people with the ability to find zero days within reasonably secure solutions), and their ability to scale to meet the current rate of software growth is an insurmountable problem when taking a purely labor-driven approach to solving these critical cybersecurity issues (e.g. Gartner forecast that cloud spend for 2021 would be approximately $332.3 billion, with nearly half [46%] of all data now stored with a Cloud provider).

Given talent and time limitations, many new “as a Service” offerings have recently emerged that offer a purely automated solution to these challenges. For example, Breach and Attack Simulation (BAS) solutions have sought to reduce the time to detect various offensive techniques by completely automating common techniques used during offensive operations.

Continuous Automated Red Teaming (CART) solutions attempt to build platforms that automate more of an offensive team’s complex methodologies in a fully automated manner. CART platforms may attempt to find various access vectors (e.g. known vulnerable software, etc.), automatically decide which actions to take next (e.g. exploit and execute offensive code against the target, etc.), and then report the success or failure of the automated operations.

These new BAS and CART solutions are each pieces of the puzzle but fail to deliver a compelling replacement for the traditional penetration test. These solutions almost entirely ignore the fact that a key ingredient of the penetration testing industry’s success has been the involvement of expert hackers who apply problem-solving skills to frequently find new attack paths on engagements. These new attack paths are the result of a human being driven to solve hard problems in new and unique ways.

We need a solution that takes what was excellent in the traditional penetration test space, the rare but extremely talented hackers, and enables those hackers to scale their talent across many clients, using systems built from the ground up specifically to be a force amplifier of talent rather than a replacement of talent via automation.

The superior solution is a hybrid approach: leveraging technology and automation to harness the power of big data to keep up with the dynamic, continuously morphing attack surface, combined with the expertise of seasoned penetration testers. A blend of art and science.

That’s exactly what we have done at S2 Security.

We have built a platform that will enable expert hackers to scale their expertise across thousands of clients and millions of information systems, enabling the team to find more critical and high impact security risks in a mere fraction of the time previously required.

We achieved this scale of operations by applying a DevOps ethos to our penetration testing engagements. For example, when our expert hackers find interesting data, unique access vectors, and/or custom exploits, they can easily package the techniques they created into Penetration Testing as Code (PTaC) modules. These PTaC modules are loosely coupled but highly cohesive and easily chained together into logical flows. Leveraging a micro-services based design, PTaC modules and flows are then scaled in near real-time across our cloud-native platform, enabling the ingenuity of the expert hacker to scale across all clients, applications, and information systems.

Currently, these PTaC modules and flows fall within a few major categories: 

1. Cloud – e.g. AWS, Azure, GCP, etc. 

2. External – e.g. Credential Stuffing, Zero Day Vulnerabilities, etc. 

3. Internal – e.g. Phishing, Exfiltration, etc. 

4. Open Source Intelligence (OSINT) – e.g. Breached Credential Discovery, etc. 

Due to our micro-services based, highly scalable design, all modules and flows can easily be chained together on the fly into an extremely complex red teaming methodology that may not have been known or desired at the time the module and/or flow was originally created.

We also use this “as code” approach for compliance. Two thirds of cloud attacks could be stopped by checking configurations. Our Mage platform also has “Security and Compliance as Code” modules for Cloud Security Posture Management (CSPM). Here we reuse the organization’s read-only cloud credentials that we leverage for our PTaC cloud modules to also test for CIS compliance and misconfigurations using our custom assessment templates.
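To make the “compliance as code” idea concrete, here is an added example of a small check engine that evaluates a read-only inventory snapshot against a rule template and returns findings. It is illustrative code written for this page, not code from S2 Security’s Mage platform; the inventory schema, the rule IDs (deliberately not CIS control numbers), the two templates and all sample values are constructed.

```python
"""Compliance-as-code check engine (added example, not S2's Mage code).

A read-only inventory snapshot is evaluated against a rule catalogue; a
"template" is just a list of rule IDs, so a benchmark or a corporate policy
is data rather than hand-written code. Rule IDs and data are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed inventory snapshot, shaped like a normalised read-only
# inventory pull. Every value below is invented for the demo.
SAMPLE_INVENTORY: Dict[str, List[dict]] = {
    "s3_buckets": [
        {"name": "public-assets", "public_read": True, "encryption": "AES256"},
        {"name": "finance-backups", "public_read": False, "encryption": None},
    ],
    "security_groups": [
        {"id": "sg-0aaa", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-0bbb", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    ],
    "iam_users": [
        {"name": "alice", "console_access": True, "mfa_enabled": True},
        {"name": "svc-deploy", "console_access": True, "mfa_enabled": False},
        {"name": "ci-bot", "console_access": False, "mfa_enabled": False},
    ],
}


@dataclass(frozen=True)
class Rule:
    rule_id: str                        # constructed ID, not a CIS control number
    title: str
    resource_type: str                  # key into the inventory snapshot
    severity: str
    compliant: Callable[[dict], bool]   # True when the resource passes
    name_of: Callable[[dict], str]      # human-readable resource identifier


@dataclass(frozen=True)
class Finding:
    rule_id: str
    resource: str
    severity: str
    title: str


ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

RULES: List[Rule] = [
    Rule("CHK-S3-001", "Bucket must not allow public read", "s3_buckets", "high",
         lambda b: not b["public_read"], lambda b: b["name"]),
    Rule("CHK-S3-002", "Bucket must use server-side encryption", "s3_buckets", "medium",
         lambda b: b["encryption"] is not None, lambda b: b["name"]),
    Rule("CHK-SG-001", "Security group must not expose SSH (22) to the internet",
         "security_groups", "high",
         lambda sg: not any(r["port"] == 22 and r["cidr"] in (ANY_IPV4, ANY_IPV6)
                            for r in sg["ingress"]),
         lambda sg: sg["id"]),
    Rule("CHK-IAM-001", "Console users must have MFA enabled", "iam_users", "high",
         lambda u: (not u["console_access"]) or u["mfa_enabled"], lambda u: u["name"]),
]

# Two constructed templates: a benchmark-style baseline and a narrower
# corporate policy that only covers identity and network exposure.
TEMPLATES: Dict[str, List[str]] = {
    "baseline": [r.rule_id for r in RULES],
    "corp-identity-network": ["CHK-IAM-001", "CHK-SG-001"],
}


def evaluate(inventory: Dict[str, List[dict]], template: str = "baseline") -> List[Finding]:
    """Run every rule in the template over the inventory; one Finding per failing resource."""
    wanted = set(TEMPLATES[template])
    findings: List[Finding] = []
    for rule in RULES:
        if rule.rule_id not in wanted:
            continue
        for resource in inventory.get(rule.resource_type, []):
            if not rule.compliant(resource):
                findings.append(Finding(rule.rule_id, rule.name_of(resource),
                                        rule.severity, rule.title))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'high': 3, 'medium': 1}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = evaluate(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f.severity:6}] {f.rule_id} {f.resource}: {f.title}")
    print(summarize(results))
```

Because the checks only read the snapshot, the same read-only credentials used for collection suffice, and switching from the baseline to a corporate template changes the rule list, not the engine.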

Another key element to the success of the solution is its ability to quickly and easily perform targeting and analysis activities on all data collected. As our experts execute penetration testing operations, both host-based and network-based telemetry from the operations is sent to our observability pipeline, which processes the data and stores it within an easily searchable data lake. This data can then be examined both in near real-time to find interesting insights, and retrospectively when new exploits are released to find potentially vulnerable targets.
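The retrospective query described above, as an added example that is not S2 Security’s pipeline code: service observations arrive as JSON lines, a store keeps only the latest observation per host and port, and when an advisory lands the question “which hosts were last seen below the fixed version?” is answered from stored data rather than a new scan. The record format, the product names and the advisory are constructed placeholders.

```python
"""Miniature telemetry data lake with a retrospective advisory query.

Added example, not S2 Security's observability pipeline. The JSON line
schema, product names, hosts and the advisory are all constructed.
"""
import json
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed telemetry, one JSON record per line. Note the last record is
# older than an earlier one for the same host; ingestion must not regress.
SAMPLE_TELEMETRY = """\
{"ts": "2024-03-01T10:00:00Z", "host": "10.0.1.10", "port": 8080, "product": "exampled", "version": "2.3.9"}
{"ts": "2024-03-01T10:00:05Z", "host": "10.0.1.11", "port": 8080, "product": "exampled", "version": "2.4.0"}
{"ts": "2024-03-01T10:00:09Z", "host": "10.0.1.12", "port": 443, "product": "otherweb", "version": "1.2.0"}
{"ts": "2024-03-15T09:30:00Z", "host": "10.0.1.11", "port": 8080, "product": "exampled", "version": "2.4.1"}
{"ts": "2024-03-20T08:00:00Z", "host": "10.0.1.13", "port": 8080, "product": "exampled", "version": "2.2.0"}
{"ts": "2024-02-20T12:00:00Z", "host": "10.0.1.11", "port": 8080, "product": "exampled", "version": "2.3.0"}
"""

# Constructed advisory placeholder: "exampled" versions below 2.4.1 are affected.
SAMPLE_ADVISORY = {"id": "ADV-PLACEHOLDER-0001", "product": "exampled", "fixed_in": "2.4.1"}


@dataclass(frozen=True)
class Observation:
    ts: datetime
    host: str
    port: int
    product: str
    version: str


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.4.1' -> (2, 4, 1). Only the leading dotted-numeric part is used,
    so tuple comparison gives the usual ordering; '2.4' < '2.4.1' holds."""
    m = re.match(r"\d+(?:\.\d+)*", v.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def parse_telemetry(text: str) -> List[Observation]:
    """Parse JSON lines into Observations; blank lines are skipped."""
    out: List[Observation] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        ts = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
        out.append(Observation(ts, r["host"], int(r["port"]), r["product"], r["version"]))
    return out


class TelemetryStore:
    """Keeps the most recent observation per (host, port), so a host that was
    upgraded after an earlier scan is judged on what was seen last."""

    def __init__(self) -> None:
        self._latest: Dict[Tuple[str, int], Observation] = {}

    def ingest(self, observations: List[Observation]) -> None:
        for o in observations:
            key = (o.host, o.port)
            cur = self._latest.get(key)
            if cur is None or o.ts > cur.ts:   # out-of-order older records are ignored
                self._latest[key] = o

    def exposures(self, product: str) -> List[Observation]:
        """Near-real-time view: where is this product currently seen running?"""
        hits = [o for o in self._latest.values() if o.product == product]
        return sorted(hits, key=lambda o: (o.host, o.port))

    def affected_by(self, product: str, fixed_in: str) -> List[str]:
        """Retrospective view: host:port entries last seen below the fixed version."""
        fix = parse_version(fixed_in)
        return sorted(f"{o.host}:{o.port}" for o in self._latest.values()
                      if o.product == product and parse_version(o.version) < fix)


def triage(store: TelemetryStore, advisory: dict) -> Dict[str, object]:
    """Answer an advisory from stored telemetry without re-scanning anything."""
    return {"advisory": advisory["id"],
            "affected": store.affected_by(advisory["product"], advisory["fixed_in"])}


if __name__ == "__main__":
    s = TelemetryStore()
    s.ingest(parse_telemetry(SAMPLE_TELEMETRY))
    print(triage(s, SAMPLE_ADVISORY))
```

The point of keeping only the latest observation per endpoint is that a retrospective query reflects the last known state rather than every version ever seen; in a real pipeline the store would be a database or search index, but the query logic is the same.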

Leveraging these leaps forward in force multiplier technologies, we have created services aimed at all levels of need and designed to meet even the most discerning clients.  Our aim is to provide expert level offensive security services, once reserved for only the largest of budgets, to any organization. 

Firstly, PTaaS (Penetration Testing as a Service) provides you with an annual focused assessment to meet all your traditional security requirements (e.g. PCI, SOC2, etc.), plus continuous OSINT to monitor for notable information throughout the year (e.g. newly breached credentials).

Secondly, PTaaS+ (Penetration Testing as a Service Plus) provides, in addition to the PTaaS services (e.g. the annual assessment), continuous testing of your external applications and networks for the latest zero-day and n-day exploits. Furthermore, we will continuously test your Cloud (AWS, Azure, & GCP) environment for the latest applicable access vectors (e.g. cloud sprawl with overly permissive service accounts/roles, etc.). As part of continuously monitoring your cloud, we provide continuous cloud security posture management running compliance-as-code to provide insights into compliance with industry standard benchmarks or custom corporate policies. At S2 we always go above and beyond the competition, hence we will even perform recurring quarterly phishing exercises and provide you with key metrics on how users behaved during these social engineering engagements.

Thirdly, RTaaS (Red Teaming as a Service) provides all the features of both PTaaS and PTaaS+, and additionally adds continuous internal testing operations, ensuring all of your attack surfaces are continuously tested.

S2 Security’s solution creates an offensively focused Managed Security Service (MSS) that combines the best of traditional, artful pentesting with a modern and scalable service offering, enabling our clients to sleep easier at night, knowing we are continuously providing visibility into which security issues are real threats to their organization.