Penetration Testing Is A Vital Tool To Deal With AI-Based Attacks 

Uploaded on 2023-06-19 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Penetration testing is one of the best ways a business can understand its risk posture. Vulnerability management, architecture reviews, auditing, gap assessments and many more techniques are staples of defence.

However, pen testing - in which simulated threat actors exploit a system’s vulnerabilities to teach the company how to correct them - has always held its own as a unique gauge to help match defences to the realities of attacks today.

Enter AI. Having taken the world by storm in the last few months, the cybersecurity community is expecting a vast increase in the number of attacks powered by AI. The technology democratizes cybercrime, making highly sophisticated tactics, techniques and procedures (TTPs) available to all with minimal investment of time or money. 

To counteract this oncoming storm, penetration testing can indicate the best ways to defend, remediate and recover in the light of these new, AI-inspired and AI-powered attacks. Here’s how. 

Beating AI Threats Requires The Right Goals 

It might come as a surprise to some business leaders to learn that penetration testing and vulnerability assessments are not two sides of the same coin. In fact, while the latter is static and lacking in context, the former is designed to uncover fundamental business risks by manually testing an organization’s defensive posture to steal data or achieve a level of unauthorized access.

What this means is that identifying surface-level vulnerabilities is by no means the purpose of an ethical hacker’s investigation. Instead, it’s all about the business consequences of allowing an adversary to walk through the doors that vulnerabilities open. As a result, ethical hackers need goals around targeting those specific areas, to measure the organization’s level of cyber resilience and reveal how pockets of low-risk vulnerabilities can combine to create an overarching high-risk scenario that puts their business in jeopardy. 

Share Your Pen Testing Results With The C Suite

The distinct illumination and reassurance afforded by penetration testing also helps demystify the complexity of the cyber threat landscape, translating cyber risk into actionable business terms that better resonate with the C-Suite and Board. Actual illustrative stories from recent penetration testing engagements make it much easier for cyber resilience leaders to articulate risk in a way that fosters collective buy-in across corporate leadership to ensure security remains a top organizational priority. 

It's important to remember that regardless of a penetration testing program’s effectiveness, grey areas and precarious judgement calls relative to risk prioritization will always exist. Penetration testing helps ensure CISOs can come to the most informed decision possible. Otherwise, they are taking a blind shot in the dark at what their real business risks are.  

Bring Red & Blue Teams Together For Best Results

Just as cybersecurity is a team sport, so too is penetration testing. Red team exercises involve a “red” offensive team, along with threat hunters and SOC analysts as the “blue” defensive team. And just like we all learned in elementary (and cybersecurity) school, fusing both together creates the color purple. 

The concept of purple teaming is often mischaracterized. It isn’t a singular team of offensive experts and hunters all operating together in unison. Rather, it’s a verb in this context that describes how red and blue sides can collaborate to expand knowledge, sharpen strategy, and boost operational efficiency. And while it’s less obvious at the surface level, blue can help red just like red helps blue. 

Collaborative intelligence sharing, for example, provides further perspective to ethical hackers on how a particular TTP was identified. That way, the red team can adjust their approach for the next attempt to ensure it’s more lethal, which in turn makes the blue team stronger. Consider it like iron sharpening iron -  ultimately everybody benefits. 

One of The Best Defences Against Weaponized AI

Despite calls from industry leaders to slow down the rate of AI innovation, business leaders would be mistaken to believe that they can rest on their laurels for the time being. Unbeholden to regulators or stakeholders, threat actors will be innovating as we speak.

Penetration testing is a key part of the toolkit of any CISO today. Alongside purple teaming, prioritizing risks correctly, and defining goals effectively, pen testing can help organisations get ahead of malicious actors by understanding their own threat landscapes. Only this level of visibility will give businesses the necessary confidence to know their systems are safe in the age of AI.  

Ed Skoudis is  President of SANS Technology Institute and  founder of the SANS Penetration Testing Curriculum and Counter Hack. 

You Might Also Read: 

How To Leverage AI For Real-Time User Verification:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« Mobile Authentication: The Good, The Bad & The Ugly
Nine Types of Modern Network Security Solutions »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Advent IM

Advent IM

Advent IM is one of the UK’s leading independent cyber security specialists, with a unique approach to providing holistic security management solutions.

Cyfor

Cyfor

Cyfor provides digital forensics and eDiscovery in civil, criminal, intellectual property, litigation and dispute resolution investigations.

Cyberint

Cyberint

Cyberint, the Impactful Intelligence company, fuses open-deep-and darkweb Threat Intelligence with Attack Surface Management to deliver maximum protection from external threats.

Guardsquare

Guardsquare

GuardSquare is the global reference in mobile application protection. We develop premium software for the protection of mobile applications against reverse engineering and hacking.

Wolfpack Information Risk

Wolfpack Information Risk

Wolfpack specialise in information and cyber threat management covering the full spectrum of prevention, detection, incident response and business resilience capabilities.

Zeguro

Zeguro

Zeguro provides complete cybersecurity risk assessment, mitigation and insurance, allowing you to easily manage your cyber risk.

Echosec Systems

Echosec Systems

Echosec Systems is a data discovery company delivering social media and dark web threat intelligence. Our web based security software delivers critical information for situational awareness.

Cyway

Cyway

Cyway is a value-added cybersecurity distributor focusing on on-prem, cloud solutions and hybrid solutions, IoT, AI & machine learning IT security technologies.

AaDya

AaDya

AaDya provide smart, simple, affordable and effective cybersecurity software solutions for small and medium businesses.

Conseal Security

Conseal Security

Mobile app security testing done well. Conseal Security are specialists in mobile app penetration testing. Our expert-led security analysis quickly finds security vulnerabilities in your apps.

Nonprofit Cyber

Nonprofit Cyber

Nonprofit Cyber is a first-of-its-kind coalition of global nonprofit organizations to enhance joint action to improve cybersecurity.

BrainStorm

BrainStorm

BrainStorm Threat Defense takes a new human-focused approach to security awareness that traditional training lacks. It’s a cutting-edge platform to make your users more security savvy.

GoPlus Security

GoPlus Security

GoPlus is working as the "security infrastructure" for web3, by providing open, permissionless, user-driven Security Services.

NewEvol

NewEvol

Don’t React, Evolve! Outsmart threats with real-time AI-powered dynamic defense capability of NewEvol all-in-one cybersecurity platform.

CyberCure

CyberCure

CyberCure provide specialised roles and services to manage your organisations cybersecurity requirements and professional advisory services in governance, risk and compliance.

CIS Secure

CIS Secure

CIS Secure is an innovator, integrator and expert advisor supporting the broadest portfolio of powerful, mission-specific C5ISR communications and cybersecurity solutions.