As every organization knows, cybercriminals are becoming smarter and more malicious. They also have more funds at their disposal and are better able to hide their tracks and evade detection. For all these reasons, a reactive, remediation-focused security approach is ineffective at best, and downright dangerous at worst.
A more proactive approach, where organizations actively look for system vulnerabilities by simulating the actions bad actors could take to infiltrate their network, is absolutely critical. Thus, they need to think about penetration testing – whether it’s coverage-based penetration testing or depth-based penetration testing. This helps them prevent future exploitation, which is a more effective cybersecurity strategy than detecting and remediating hacks and breaches that have already happened.
But which method is “better”?
Should they focus on one or the other, or should they implement both in tandem?
To decide whether they need coverage-based penetration testing or depth-based penetration testing, they must first understand the differences between the two, compare their relative advantages, and then make an informed decision that has the best chance of strengthening their security posture.
The Need for Penetration Testing
Why penetration testing and not vulnerability scanning? In simplest terms, penetration testing, or “ethical hacking”, is about thinking like a hacker. Vulnerability scanning, by contrast, does not take context and impact into account.
How can a hacker possibly attack and infiltrate our corporate network? What can we do to prevent them from doing so?
The best way to understand these critical issues is to purposely simulate an attack on the network. Penetration testers deliberately exploit security vulnerabilities to move laterally within the network and try to gain control over it. The goal is to find weaknesses in the org’s security arrangements and identify opportunities to eliminate them.
Penetration testing is not the same as vulnerability assessment, although the two concepts are frequently (and mistakenly) used interchangeably. A vulnerability assessment is a less intrusive testing process that involves searching a system for known vulnerabilities. It is often automated and frequently results in false positives and, worse, missed vulnerabilities. Penetration testing, on the other hand, simulates the possible actions of a potential threat actor. It is usually a goal-oriented process, where the goal is tied to a specific business objective and strategy.
Depth-based Penetration Testing
As the term suggests, depth-based penetration testing focuses on exploring one system or exploit in detail. These penetration testers compromise one system, escalate privileges, and then write up the report. Thus, they have a narrower, more targeted focus wherein they dig deeper to fully understand the risks of a particular exploit. The report contains details of this exploit and possible ways to mitigate it.
Coverage-based Penetration Testing
Unlike depth-based penetration testing, coverage-based penetration testing has a broader, “let’s keep looking” focus. In this type of pen testing, testers look for multiple ways to compromise a system and exploit its vulnerabilities. In fact, they look for as many ways as possible and don’t simply stop after the first exploit. Once the initial penetration testing is done, they also retest any issues that have been fixed to ensure a more holistic test-fix-protect cycle.
All in all, coverage-based penetration testing is both a defence-in-breadth and defence-in-depth approach that enhances the organization’s ability to successfully exploit vulnerabilities and, more importantly, fix them before bad actors can exploit them.
Which approach is better?
Usually, a coverage-based penetration testing approach, such as the one provided by Packetlabs, is better than a depth-based approach. This is especially true for organizations that don’t have a mature cybersecurity posture.
Why is this important?
Cyber-mature organizations with robust security infrastructure and a high level of security maturity can probably get by with depth-based penetration testing. However, most organizations are not cyber-mature and therefore cannot afford to take this narrow, “one-path” view, which is why coverage-based penetration testing is so essential.
Hollywood movies would have us believe that hackers are insanely smart, sophisticated and glamorous. While the first two adjectives are mostly true, the last is not – at least not from the perspective of organisations that have been their victims.
Penetration testing is a way to “think like a hacker” to better understand what they could do. Even more important, it enables orgs to strengthen their security posture, and avoid falling victim to bad actors. Every organisation today needs pen testing, and the sooner they realise this, the faster they can take action to strengthen their cyber-infrastructure. However, it’s important to select the right pen testing method, particularly if they are not cyber mature (yet). In this case, a coverage-based penetration testing approach is almost always preferable.