An Introduction to Next-Gen Penetration Testing

The penetration test, or as it is fondly nicknamed, the pentest, has been a security staple for decades. But is it time for an upgrade?

As security breaches (and budgets) continue to bloom, many firms are looking for ways to boost their security preparedness by taking advantage of the latest innovations in AI, DevOps, and security analytics. In this article, we'll discuss some of the latest updates to?the classic penetration test , helping you decide which, if any, are a good fit for your business.

Risk-centric Pentests

As cyber-crime becomes increasingly diversified and personalized, companies are investing in ways to identify and analyze their individual risk profiles. To support this effort, a number of penetration tests have been developed to evaluate individual cyber-attacks rather than focusing on cyber risk as a whole.

For example, after a recent wave of high-profile ransomware attacks swept the country, many firms added an annual?Ransomware Readiness Audit (RRA) ?on top of their regular web app, network and social tests.

Risk-centric pentests place the impact at the center of the exercise, rather than focusing on a specific attack vector or tech stack. An RRA, for example, allows pentesters to leverage any route necessary to plant ransomware, more closely mimicking a real-world attack.

Another risk that has seen increased visibility in recent years is Business Email Compromise (or BEC). This occurs when attackers pose as a company employee or vendor to commit financial fraud via illicit wire transfers. A financial fraud penetration test will utilize any means necessary to mimic a BEC attack and is a great way to expose any current gaps in the company's ability to defend itself from most cases of financial fraud.

AI-based Pentests

When ChatGPT took the internet by storm, hackers were quick to jump on the bandwagon, utilizing the generative AI bot to develop and support their criminal activities. In one famous example,?social hackers ?had the chat bot compose hundreds of highly realistic phishing emails, saving them valuable time while simultaneously improving their success rate. In another incident, security researchers found that ChatGPT was happy to create new firewall-evading malware strains.

Here are a few ways that?we've put ChatGPT to use ?to help secure our clients:

• Providing information on known vulnerabilities: ChatGPT can help identify known vulnerabilities that are relevant to a particular system or application. This can include vulnerabilities in software, operating systems, or network configurations.
• Suggesting potential attack vectors: Based on the information provided about the target system or application, ChatGPT can suggest potential attack vectors that could be used to exploit vulnerabilities.
• Recommending mitigation strategies: ChatGPT can provide recommendations on how to mitigate the identified vulnerabilities and potential attack vectors, including suggestions for patches, configurations, or other controls.
• Conducting simulated attacks: ChatGPT can simulate attacks on a system or application to help identify vulnerabilities that may not be evident through traditional testing methods.

The truth is that while ChatGPT may be a new phenomenon for casual users, AI-based cyber attacks have been happening for years. At Silent Breach, our security team leverages a number of AI/ML tools to help simulate advanced attacks by determined actors.

Dark Web Pentests

We've?written extensively ?on the many benefits that companies can extract from?the dark web , and next-gen penetration testing is certainly one of them.

Today, the dark web is perhaps?the single greatest source of threat intelligence ?and breach detection data. The closer you are to the source of the crime (i.e., the hackers), the quicker and more informed your incident response will be. At Silent Breach, our security analysts are often alerted to third party breaches before the companies themselves are aware they've been compromised.

This is done by scanning hacker forums, marketplaces, and databases where attackers are known to post details of their attacks, sometimes even before or during execution.

Dark web penetration tests focus on identifying and then leveraging any data available on the dark web that might implicate the target company. While standard penetration tests help companies prepare for future attacks, dark web pentests can even uncover breaches or security gaps that occurred in the past.

DevSecOps Pentests

Research shows that security protocols are more effective and less costly the sooner they are implemented. Rather than waiting until just before production to pentest an application, many companies have proactively introducing?targeted DevSecOps tests ?at periodic stages throughout the development lifecycle. This not only results in more resilient and safe software, but also helps with budgeting, forecasting, and more seamless mitigation.

Continuous Pentesting

Why confine yourself to a 14-day test?

Silent Breach encourages our clients to convert their pentest findings into a continuous monitoring solution like?Quantum Armor ?that tracks your progress, develops mitigation guides, and provides ongoing security analytics. This helps firms extend the scope and value of their annual pentest, without any of the outsized costs.

Always-on penetration testing platforms will also automatically suggest customized tests based on anomalous events, attack surface restructuring or other gaps that it detects in your network.

About Silent Breach:?Silent Breach ?is an award-winning provider of cyber security services.

About Levitate:?Levitate ?is marketing & strategy firm specializing in cybersecurity and early-stage tech.