A shift-left in offensive cybersecurity: How analyzing threats makes you a better pentester
What is shift-left in cybersecurity?
If you’re in the IT world, chances are you’re already familiar with the term “shift left”. If not, shift-left refers to the idea that, to achieve a better cybersecurity posture, security checks should start as early as the development of a system or application begins. This contrasts with the common practice of relying only on post-development tests or tools such as vulnerability scanners, firewalls, or XDRs.
The main advantages of this approach are lower remediation costs later on and a reduced chance of negative impact right from the start.
Since a penetration test is a time-constrained assessment of an environment with clear goals, how should ethical hackers spend their time during the engagement? Is it enough to count on a standard set of tools and techniques?
Complexity keeps increasing: more technologies coexist, and more abstraction layers are stacked on top of each other to give us a seamless experience when using a system or application. It follows that the task is becoming harder and harder, even for experienced testers. So, what shall we do then?
Level up the game
Shift-left could be interpreted as earlier prevention of cybersecurity incidents, but this does not happen in an isolated world: the focus must take into account the means that will be used to achieve the desired ends.
What to prevent depends first on what is likely to happen, and this, in turn, depends on the experience of people who have engaged in similar activities before. The same logic applies to pentesting: what to test also depends on what is likely to happen and, in turn, on what has happened before.
This might not seem like anything new, as there are many checklists and benchmarks based on that premise, such as the OWASP Top 10, the SANS Top 25, or the CIS benchmarks. Nevertheless, these guidelines tend to be one-size-fits-all solutions that don’t differentiate between industries, company sizes, or the technologies in use. And of course, when we dig deeper into each of these categories, we find that some issues are far more common than others. Putting things in context is essential to understanding the problem.
Being threat intelligent
Like shift-left, threat intelligence is another term commonly used in cybersecurity. Broadly speaking, it refers to knowledge of the tactics, techniques, and procedures (TTPs) used by threat groups. This is a huge help in identifying the most frequently exploited weak spots in our security posture, which should be fixed to avoid a potential attack. But attackers may also change their modus operandi a little to stay under the radar. Is that the end of the story? Not quite.
By taking the insights from threat intelligence and analyzing them at a higher level of abstraction, security teams can model the different combinations of steps that yield the same outcome, and make sure that as new techniques are discovered they are prioritized and addressed accordingly. This is called threat modeling, and MITRE offers different attack paths by type of organization or target, covering a broad spectrum of activities that a threat actor can undertake.
What does pentesting have to do with all of this?
We believe that a good tester is one who can spot vulnerabilities and exploit them. A great tester has a flexible routine and delivers results that match the client’s exact needs. A top pentester is one step ahead: they adjust their routine to the most likely weak spots in a system based on data from the environment itself, their own experience, and the trends current attackers are likely to follow.
Here at Red Sentry, we combine a testing team with a research team to deliver effective assessments tailored to your particular needs. We find out what attackers could do before they even figure it out themselves.