Penetration Testing Is A Vital Tool To Deal With AI-Based Attacks 

Uploaded on 2023-06-19 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Penetration testing is one of the best ways a business can understand its risk posture. Vulnerability management, architecture reviews, auditing, gap assessments and many more techniques are staples of defence.

However, pen testing - in which simulated threat actors exploit a system’s vulnerabilities to teach the company how to correct them - has always held its own as a unique gauge to help match defences to the realities of attacks today.

Enter AI. Having taken the world by storm in the last few months, the cybersecurity community is expecting a vast increase in the number of attacks powered by AI. The technology democratizes cybercrime, making highly sophisticated tactics, techniques and procedures (TTPs) available to all with minimal investment of time or money. 

To counteract this oncoming storm, penetration testing can indicate the best ways to defend, remediate and recover in the light of these new, AI-inspired and AI-powered attacks. Here’s how. 

Beating AI Threats Requires The Right Goals 

It might come as a surprise to some business leaders to learn that penetration testing and vulnerability assessments are not two sides of the same coin. In fact, while the latter is static and lacking in context, the former is designed to uncover fundamental business risks by manually testing an organization’s defensive posture to steal data or achieve a level of unauthorized access.

What this means is that identifying surface-level vulnerabilities is by no means the purpose of an ethical hacker’s investigation. Instead, it’s all about the business consequences of allowing an adversary to walk through the doors that vulnerabilities open. As a result, ethical hackers need goals around targeting those specific areas, to measure the organization’s level of cyber resilience and reveal how pockets of low-risk vulnerabilities can combine to create an overarching high-risk scenario that puts their business in jeopardy. 

Share Your Pen Testing Results With The C Suite

The distinct illumination and reassurance afforded by penetration testing also helps demystify the complexity of the cyber threat landscape, translating cyber risk into actionable business terms that better resonate with the C-Suite and Board. Actual illustrative stories from recent penetration testing engagements make it much easier for cyber resilience leaders to articulate risk in a way that fosters collective buy-in across corporate leadership to ensure security remains a top organizational priority. 

It's important to remember that regardless of a penetration testing program’s effectiveness, grey areas and precarious judgement calls relative to risk prioritization will always exist. Penetration testing helps ensure CISOs can come to the most informed decision possible. Otherwise, they are taking a blind shot in the dark at what their real business risks are.  

Bring Red & Blue Teams Together For Best Results

Just as cybersecurity is a team sport, so too is penetration testing. Red team exercises involve a “red” offensive team, along with threat hunters and SOC analysts as the “blue” defensive team. And just like we all learned in elementary (and cybersecurity) school, fusing both together creates the color purple. 

The concept of purple teaming is often mischaracterized. It isn’t a singular team of offensive experts and hunters all operating together in unison. Rather, it’s a verb in this context that describes how red and blue sides can collaborate to expand knowledge, sharpen strategy, and boost operational efficiency. And while it’s less obvious at the surface level, blue can help red just like red helps blue. 

Collaborative intelligence sharing, for example, provides further perspective to ethical hackers on how a particular TTP was identified. That way, the red team can adjust their approach for the next attempt to ensure it’s more lethal, which in turn makes the blue team stronger. Consider it like iron sharpening iron -  ultimately everybody benefits. 

One of The Best Defences Against Weaponized AI

Despite calls from industry leaders to slow down the rate of AI innovation, business leaders would be mistaken to believe that they can rest on their laurels for the time being. Unbeholden to regulators or stakeholders, threat actors will be innovating as we speak.

Penetration testing is a key part of the toolkit of any CISO today. Alongside purple teaming, prioritizing risks correctly, and defining goals effectively, pen testing can help organisations get ahead of malicious actors by understanding their own threat landscapes. Only this level of visibility will give businesses the necessary confidence to know their systems are safe in the age of AI.  

Ed Skoudis is  President of SANS Technology Institute and  founder of the SANS Penetration Testing Curriculum and Counter Hack. 

You Might Also Read: 

How To Leverage AI For Real-Time User Verification:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« Mobile Authentication: The Good, The Bad & The Ugly
Nine Types of Modern Network Security Solutions »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Cyber Conflict Studies Association (CCSA)

Cyber Conflict Studies Association (CCSA)

Cyber Conflict Studies Association (CCSA) is a non-profit organization dedicated to leading a diversified research agenda in the field of cyber conflict.

HUB International

HUB International

HUB is one of the largest insurance brokers in the world. HUB Risk Services provides the full range of expert consulting to identify risks, reduce exposure to loss and manage claims issues.

Security Industry Association (SIA)

Security Industry Association (SIA)

The SIA's mission is to be a catalyst for success​ within the global security industry through information, insight and influence.

Morphisec

Morphisec

Morphisec's world leading prevention-first software stops ransomware and other advanced attacks from endpoint to the cloud.

Cyber Defense Initiative Conference (CDIC)

Cyber Defense Initiative Conference (CDIC)

Cyber Defense Initiative Conference (CDIC) is one of the most distinguished Cybersecurity, Privacy and Information Security Conference in Thailand and Southeast Asia.

Total Cyber-Sec

Total Cyber-Sec

Total Cyber-Sec is a company specialized in providing Professional Information Security and Cybersecurity Services.

Cyscale

Cyscale

Cyscale automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Bl4ckswan

Bl4ckswan

Bl4ckswan is a Management Consulting firm specialized in the delivery of information security and compliance services.

Identifi Global Recruitment

Identifi Global Recruitment

Identifi Global is one of the UK's leading Cyber Security & IT Recruitment specialists.

Onsist

Onsist

Onsist brand protection services provide proactive defense against fraudulent use of your brand online.

ditno

ditno

ditno uses machine learning to help you build a fully governed and micro-segmented network. Dramatically mitigate risk and prevent lateral movement across your organisation – all from one centralised

Stefanini Group

Stefanini Group

Stefanini is a global IT services company providing a broad range of solutions for digital transformation including automation, cloud, IoT and cybersecurity.

Raxis

Raxis

Raxis is a cybersecurity company that hacks into computer networks and physical structures to perform penetration tests, assessing corporate vulnerability to real-world threats.

Kobalt.io

Kobalt.io

Kobalt are bringing the monitoring capabilities of enterprise-class security teams to smaller organizations.

HADESS

HADESS

We are "Hadess", a group of cyber security experts and white hat hackers.

CyTwist

CyTwist

CyTwist is an early warning attack detection platform that complement your existing security suite and provides your security teams with unique detection capabilities of stealth targeted attacks.