Penetration testing is used to examine an organisation’s IT systems for potential entry points for attackers.
Part of this practice involves “white hat” attacks, who expose existing security weaknesses in externally facing aspects of an organisation’s IT infrastructure, such as its web servers, email servers, and firewalls.
But, with an increasing number of different devices being added to IT networks due to BYOD, the cloud, shadow IT ,and other recent phenomena, these potentially vulnerable areas are growing in number.
Free Cyber Security Training! Join the revolution today!
And with the Internet of Things set to introduce more connected devices, network perimeters will continue to expand and change in shape, presenting attackers with significantly more potential entry points.
One might assume, therefore, that penetration testing would be more important than ever for a network’s security.
This may not be the case, however.
Cisco recently revealed that it found a form of malware on every one of the networks it tested, so it’s not unreasonable for organisations to assume that their IT networks have already been compromised. Additional research found that two-thirds of breaches lay undiscovered for months, suggesting that security teams should focus less on whether their network had been infiltrated and more on what to do assuming that it probably already has been.
Instead of spending resources on methods such as penetration testing, which is designed to keep attackers out, IT security teams should adopt a new approach and invest in ways of monitoring for, identifying, and quarantining the malware that’s already made its way into their system.
By acknowledging that its system has probably been compromised, an organisation will be better able to identify the breach and take appropriate remedial action.
Silent and deadly
The motive behind cyber-attacks used to be largely based around gaining notoriety or prestige for the criminal responsible. The attacks themselves tended to be noisy and were therefore easy to identify and isolate.
Nowadays, though, the key driver behind these attacks tends to be monetary gain. A new breed of deliberately invisible advanced persistent threats (APTs) silently make their way into an organisation’s system, where exfiltrate valuable corporate and financial data, all the while remaining undiscovered for days, weeks, and sometimes months.
On around half of compromised machines, APTs rely on end-users clicking on an innocuous looking link that is usually contained within an email or document, making a connection to a website from which the main element of the attack is downloaded.
Used by almost all network communication protocols as a means of connecting with their destination domains, the Domain Name System (DNS) is regarded as the Internet’s address book.
It also serves as the main method for APTs to “call home” and receive instructions from their Command and Control servers, download additional malware payloads, or steal data.
It’s here, at the heart of the IT network, that APTs are most effective. And it’s here, at this choke-point, that IT security teams should focus their attention.
Instead of concentrating all of their efforts on detecting what’s making its way into the system, it’s time that organisations turn their gaze further inward to consider what’s making its way out.
By Chris Marrison, EMEA technical director, Infoblox
Infoblox (NYSE:BLOX) delivers network control solutions, the fundamental technology that connects end users, devices, and networks. These solutions enable approximately 7,500 enterprises and service providers to transform, secure, and scale complex networks. Infoblox helps take the burden of complex network control out of human hands, reduce costs, and increase security, accuracy, and uptime. Infoblox is headquartered in Santa Clara, California, and has operations in over 25 countries.