Penetration Testing Is A Vital Tool To Deal With AI-Based Attacks 

Uploaded on 2023-06-19 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Penetration testing is one of the best ways a business can understand its risk posture. Vulnerability management, architecture reviews, auditing, gap assessments and many more techniques are staples of defence.

However, pen testing - in which simulated threat actors exploit a system’s vulnerabilities to teach the company how to correct them - has always held its own as a unique gauge to help match defences to the realities of attacks today.

Enter AI. Having taken the world by storm in the last few months, the cybersecurity community is expecting a vast increase in the number of attacks powered by AI. The technology democratizes cybercrime, making highly sophisticated tactics, techniques and procedures (TTPs) available to all with minimal investment of time or money. 

To counteract this oncoming storm, penetration testing can indicate the best ways to defend, remediate and recover in the light of these new, AI-inspired and AI-powered attacks. Here’s how. 

Beating AI Threats Requires The Right Goals 

It might come as a surprise to some business leaders to learn that penetration testing and vulnerability assessments are not two sides of the same coin. In fact, while the latter is static and lacking in context, the former is designed to uncover fundamental business risks by manually testing an organization’s defensive posture to steal data or achieve a level of unauthorized access.

What this means is that identifying surface-level vulnerabilities is by no means the purpose of an ethical hacker’s investigation. Instead, it’s all about the business consequences of allowing an adversary to walk through the doors that vulnerabilities open. As a result, ethical hackers need goals around targeting those specific areas, to measure the organization’s level of cyber resilience and reveal how pockets of low-risk vulnerabilities can combine to create an overarching high-risk scenario that puts their business in jeopardy. 

Share Your Pen Testing Results With The C Suite

The distinct illumination and reassurance afforded by penetration testing also helps demystify the complexity of the cyber threat landscape, translating cyber risk into actionable business terms that better resonate with the C-Suite and Board. Actual illustrative stories from recent penetration testing engagements make it much easier for cyber resilience leaders to articulate risk in a way that fosters collective buy-in across corporate leadership to ensure security remains a top organizational priority. 

It's important to remember that regardless of a penetration testing program’s effectiveness, grey areas and precarious judgement calls relative to risk prioritization will always exist. Penetration testing helps ensure CISOs can come to the most informed decision possible. Otherwise, they are taking a blind shot in the dark at what their real business risks are.  

Bring Red & Blue Teams Together For Best Results

Just as cybersecurity is a team sport, so too is penetration testing. Red team exercises involve a “red” offensive team, along with threat hunters and SOC analysts as the “blue” defensive team. And just like we all learned in elementary (and cybersecurity) school, fusing both together creates the color purple. 

The concept of purple teaming is often mischaracterized. It isn’t a singular team of offensive experts and hunters all operating together in unison. Rather, it’s a verb in this context that describes how red and blue sides can collaborate to expand knowledge, sharpen strategy, and boost operational efficiency. And while it’s less obvious at the surface level, blue can help red just like red helps blue. 

Collaborative intelligence sharing, for example, provides further perspective to ethical hackers on how a particular TTP was identified. That way, the red team can adjust their approach for the next attempt to ensure it’s more lethal, which in turn makes the blue team stronger. Consider it like iron sharpening iron -  ultimately everybody benefits. 

One of The Best Defences Against Weaponized AI

Despite calls from industry leaders to slow down the rate of AI innovation, business leaders would be mistaken to believe that they can rest on their laurels for the time being. Unbeholden to regulators or stakeholders, threat actors will be innovating as we speak.

Penetration testing is a key part of the toolkit of any CISO today. Alongside purple teaming, prioritizing risks correctly, and defining goals effectively, pen testing can help organisations get ahead of malicious actors by understanding their own threat landscapes. Only this level of visibility will give businesses the necessary confidence to know their systems are safe in the age of AI.  

Ed Skoudis is  President of SANS Technology Institute and  founder of the SANS Penetration Testing Curriculum and Counter Hack. 

You Might Also Read: 

How To Leverage AI For Real-Time User Verification:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« Mobile Authentication: The Good, The Bad & The Ugly
Nine Types of Modern Network Security Solutions »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Ixia

Ixia

Ixia provides testing, visibility, and security solutions to strengthen applications across physical and virtual networks.

SentinelOne

SentinelOne

SentinelOne is a pioneer in delivering autonomous security for the endpoint, datacenter and cloud environments to help organizations secure their assets with speed and simplicity.

ODVA

ODVA

ODVA is a global trade and standards development organization whose members comprise the world’s leading industrial automation companies.

Swiss Cyber Think Tank (SCTT)

Swiss Cyber Think Tank (SCTT)

The Swiss Cyber Think Tank is a business network for Cyber Risk & Insurability, providing an industry-wide networking platform for insurers, technology and security firms.

Savanti Consulting

Savanti Consulting

Savanti provides practitioner-led cyber security services tailored to meet each organisation’s unique requirements.

Lexsynergy

Lexsynergy

Lexsynergy is a global domain name management and online brand protection company.

PurpleSynapz

PurpleSynapz

PurpleSynapz provides hyper-realistic Cyber Security Training with a modern curriculum and Cyber Range.

TM One

TM One

TM One is the enterprise and public sector business solutions arm of Telekom Malaysia Berhad (TM) Group.

Synamic Technologies

Synamic Technologies

Synamic Technologies was founded in 2018 as a start-up to automate cyber security processes. Our CISOSCOPE product automates vulnerability management, risk management and compliance.

Tenet3

Tenet3

Tenet3's vision is to make optimal cyber strategy development tractable, data driven, with concrete success metrics. The result is cost effective cyber resilience for our customers.

SecOps Group

SecOps Group

SecOps Group is a boutique cybersecurity consultancy helping enterprises identify & eliminate security risks on a continuous basis.

Zyston

Zyston

Zyston's solutions provide end-to-end management of your cybersecurity needs. Our range of services help protect your business where it needs it the most.

Strata Information Group (SIG)

Strata Information Group (SIG)

Strata Information Group (SIG) is a trusted partner in IT solutions and consulting services.

Thoropass

Thoropass

Thoropass (formerly Laika) helps you get and stay compliant with smart software and expert services.

NMi Group

NMi Group

NMi Group is a global pioneer in mission-critical Testing, Inspection, Certification, and Calibration (TICC) services.

Amtivo Group

Amtivo Group

Amtivo provides Certification, Inspection and Training services to national and local Government bodies, multi-nationals, enterprise clients and SMEs.