External Attack Surface-driven Continuous penetration testing as a Service for Banking and Finance
Internet published Web Applications and services are subject to constant change due to the addition of new workflows, features, functions, and patches that occur quite often. The external attack surface is dynamically evolving with exposures through ephemeral assets, VM sprawling, agile development practices and no real control over change management practice. Waiting for the next scheduled penetration testing to validate the external attack surface observations give ample chances for the attackers.
What affects the overall security posture of a web application?
Many of these changes impact the overall security posture of the web application. If changes are only security tested quarterly or annually, the lack of timely penetration testing can become a very costly decision if attackers succeed in exploiting any weaknesses introduced by such changes.
At the same time, conducting penetration testing against all published applications and services corresponding to every minor change might not be always feasible, seeing as they might create stability and availability issues in the production environment. Automated threat simulations often repeat pre-scripted attack test cases at varying intensity levels to blindly give a false sense of security assurance. Similarly, continuous vulnerability scanning will only discover a vulnerability if it is known and published in the scanner’s database. To address this issue, the concept of continuous penetration testing is introduced.
“Why limit penetration testing to quarterly or annually when it can be attack surface driven and still you can meet compliance requirements”
The PCI-SSC mandates that penetration testing be carried out routinely (at least annually) and after major changes to the environment. The PCI requirement may be easily met thanks to our continuous penetration testing software, NST Cyber, which automatically runs a thorough periodic penetration test and keeps an eye out for changes to your in-scope environment to invoke testing without waiting for the scheduled assessment alone.
Concept of continuous penetration testing
The continuous penetration testing process should ensure that the web presence of the target financial organization is monitored by a continuous asset discovery service, and new exposures should invoke the process of penetration testing. In addition to this, a confirmed set of assets in scope should always undergo scheduled penetration testing that is performed with manual expertise and contextual knowledge. The target asset group cycles through different processing phases of penetration testing. While the application development and maintenance team is educated with remediation steps of previous findings, the testing should continue with new facets of attack discovery. Once the remediation efforts are completed, revalidation penetration testing should be initiated to measure the effectiveness of remediation measures.
Since this process is continuous and constant, remediation and threat discovery occur incessantly. This approach helps banks and large enterprises to publish applications to their customers on time without delay, while ensuring critical security issues are not left unaddressed until quarterly or annual penetration testing schedules.
On-demand testing helped discover dependencies on time
On-demand testing should also be triggered upon addition of new components to the application at any time. Asset discovery and detailed technology stack enumeration must be performed, and the blueprint of asset inventory must be cross-checked against new findings. This not only ensures the addition of new libraries, but that other dependencies are discovered on time and the applicable risk is re-calculated. Special emphasis must be given for important business workflows and features.
Role of cyber threat management teams
Cyber threat management teams must monitor the latest attack trends, techniques, and availability of exploits to take necessary measures to ensure that the actual risk to the asset in scope is always under control with automated penetration testing. Lessons learned from previous exercises help enhance the blue team’s capability to detect attack attempts near real-time. Changes to the threat landscape must be identified automatically, and this information can be used as a trigger to invoke a new round of penetration testing. Sometimes, automated asset discovery and technology stack enumeration may not produce enough results to detect a change in the threat.
Similarly, there will be scenarios where testing demands to be invoked as part of a new change deployed, or to ensure the effectiveness of specific inbuilt or compensatory security controls. In addition to this, a cyber threat management team may need to validate any new attack trend to ensure coverage against it. To address all this ad hoc testing upon request should be incorporated into the program.
Continuous penetration testing may be more relevant for internet-published web applications and services, however, it can be used for internal penetration testing requirements, as well as mobile applications and perimeter infrastructure devices can also be covered. The program can also cater to the requirements of several compliance standards and regulations. Unlimited revalidation and thorough coverage of all possible threat scenarios justifies the ROI. Unexpected breaches due to the scheduled nature of testing or complete lack of testing are thus eliminated. If immediate remediation is not possible due to design limitations and other dependencies, compensatory controls or workarounds should be recommended wherever possible.
External attack surface discovery with OSINT and Darkweb
External Attack Surface Discovery with OSINT and Dark web enumeration is an added benefit to such a program. Threat surface analysis of the organization and its assets performed with in-depth OSINT and Dark web mining can produce datasets that can in turn be used for the development of new relevant security test cases. NST Assure is the world’s first and only true Continuous Penetration Testing as-a-Service Platform (CPTaaS), and is intelligence led and external attack surface management driven.
About NST Assure
With NST Assure, changes in your external attack surface are continuously monitored with an AI/ML powered discovery process. Observations are near real-time validated and de-duplicated by experts to avoid noise and false positives. The relevant observations might auto trigger manual expert-led penetration testing.
NST Assure ensures the discovery process is in-depth, comprehensive, and covers all channels like the Internet, Deepweb and Darkweb.
In addition to the auto-invoked penetration testing, NST Assure supports the management of scheduled and on-demand security assessment engagements. This makes sure the customer is in control of the security assessment management process and can directly collaborate with assessors and SMEs.
Scheduling debriefing sessions, requesting revalidation of observations, retrieving penetration testing reports or trackers, and setting up new assessment engagements all can be seamlessly and securely managed with in NST Assure.
NST Assure also comes with vulnerability risk prioritization support and ability to convert security assessment observations to Machine Readable Threat Intelligence (MRTI) bundles which your SOC and network security team can use it for proactive security monitoring and defense of exploitation attempts.
About NST Cyber
NST Cyber is an emerging leader in the Cyber Threat Management space. NST Cyber provides a portfolio of Security assessment, Control validation, Defensive, and Detective Security advisory to Enterprises. NST Cyber collaborates with several business verticals like Banking and Finance, Oil and Gas, Retail, Manufacturing, and Healthcare to assess their current security posture and continuously improve resilience against targeted cyber-attacks. NST Cyber assists several esteemed Banks and FinServ companies to improve Enterprise-wide security posture and meet compliance requirements from regulators.