CTEM Definition: What is Continuous Threat Exposure Management?

CTEM is more than just a buzzword — it’s a vital shift in how organizations view and manage their security posture. A recent article in BizTech Magazine highlights experts’ insights on CTEM. In the article, Erik Nost of Forrester describes CTEM as “a new approach that unifies various proactive security solutions, offering a comprehensive view of vulnerabilities, visibility, and response orchestration.” By enabling continuous assessment of digital and physical assets for exposure, accessibility, and exploitability, CTEM provides a proactive approach to identifying and addressing modern threats. Now more than ever, proactive security strategies are critical in mitigating risks before they become full-blown security incidents, and in ensuring organizations stay cyber resilient.

According to Gartner, “What’s needed is a continuous threat exposure management (CTEM) program that surfaces and actively prioritizes whatever most threatens your business. Creating any such program requires a five-step process.”

According to Gartner, “What’s needed is a continuous threat exposure management (CTEM) program that surfaces and actively prioritizes whatever most threatens your business. Creating any such program requires a five-step process.” It allows organizations to continuously assess the accessibility, visibility, and exploitability of their digital environments. Unlike traditional risk-based vulnerability management (RBVM), CTEM expands beyond identifying vulnerabilities. It includes governance, process optimization, and long-term improvements to ensure vulnerabilities are remediated.

At its core, CTEM serves as a broader exposure management process that proactively minimizes risks while optimizing how organizations address and resolve security gaps. By integrating process improvement with technical threat assessments, CTEM shifts organizations from reactive to proactive security operations.

5 Steps to Implement a CTEM Program

1. Scoping Process

Start by defining the scope of objectives and aligning them with your business priorities. During this process, you want to identify sensitive assets, evaluate potential impacts, and foster collaboration across your organization to establish a focused, business-aligned scope for managing threats.

2. Discovery Process

Consider using a combination of penetration tests and an attack surface management solution to gain visibility of all known and hidden assets. Penetration testing is an effective point-in-time test that provides a snapshot of how vulnerable your critical assets are, so you can prioritize what matters most in the next step of CTEM. Using an attack surface management solution will give you continuous visibility into all hidden and known assets and manage the attack surface. These insights help you establish a clear understanding of your threat landscape.

3. Prioritization Process

Not every risk can be remediated immediately, so focus your resources on those with the highest potential impact. Balance technical severity with business relevance to ensure that you’re addressing the most critical vulnerabilities first, particularly those most likely to be exploited.

4. Validation Process

Test and retest your vulnerabilities to verify if they can be exploited, and ensure that mitigation efforts are effective. This is where breach and attack simulation, red teaming exercises, and additional penetration tests can validate the efficacy of your security program and remediation efforts.

5. Mobilization Process

Remediate high-risk vulnerabilities, track progress, and develop ongoing strategic plans for threat management. Mobilization also requires communication and training across your organization to ensure adoption and incremental improvement in CTEM practices.

What Are the Benefits of Adopting CTEM?

Adopting CTEM provides multiple advantages for enterprises aiming to stay ahead of the evolving landscape and improving cyber resiliency.

Maximize Security Resources

By prioritizing vulnerabilities and addressing critical threats early, CTEM allows for more efficient allocation of security resources. According to Gartner, “By 2026, Gartner predicts that organizations prioritizing their security investments based on a CTEM program will realize a two-thirds reduction in breaches.” This shift to proactive security preventing breaches will allow security teams to maximize their resources.

By prioritizing vulnerabilities and addressing critical threats early, CTEM allows for more efficient allocation of security resources.

Stay Ahead of Bad Actors

Cyberthreats evolve at an alarming pace, and CTEM empowers security teams to adapt just as quickly. Continuous exposure assessment and remediation equips security teams to address vulnerabilities before bad actors exploit them, minimizing risks and response times.

Build Long-Term Cyber Resilience

Beyond addressing immediate threats, CTEM emphasizes continuous improvement in both processes and governance. This holistic approach doesn’t just repair security gaps — it helps prevent similar vulnerabilities from emerging again. Over time, this drives long-term risk reduction.

How Does NetSPI Align with a CTEM Program?

NetSPI takes a proactive approach to cybersecurity programs by embedding CTEM principles directly into The NetSPI Platform, enabling you to align your security efforts with the CTEM process: scoping, discovery, prioritization, validation, and mobilization. The Platform includes Attack Surface Management, Penetration Testing as a Service, and Breach and Attack Simulation solutions, which all work together to support your alignment with CTEM and achieve consistent threat exposure management outcomes.

Penetration Testing as a Service (PTaaS)

NetSPI PTaaS delivers a robust pentesting program that includes more than 50 types of pentests that uncover vulnerabilities, exposures, and misconfigurations to help you through the initial processes of CTEM. The NetSPI Platform contextualizes outcomes in real-time, while our experts provide detailed guidance on prioritization and classification of risk. The Platform integrates with many common security tools, so you can accelerate your remediation and quickly close gaps. PTaaS provides additional support through the validation process by retesting to verify remediation effectiveness, and it addresses new threats as they arise. NetSPI PTaaS supports you through all processes of CTEM, so you can proactively reduce risk.

Attack Surface Management (ASM)

NetSPI ASM encompasses External Attack Surface Management (EASM) and Cyber Asset Attack Surface Management (CAASM) to deliver complete visibility into your attack surface, always-on coverage, and deep data context. This can significantly support scoping, discovery, and prioritization processes by identifying and inventorying visible and hidden assets and vulnerabilities, mapping attack paths, and providing deep contextual insights for streamlined remediation. With always-on monitoring and real-time asset and vulnerability updates, you can proactively inventory assets and tackle vulnerabilities as they arise in the evolving threat landscape.

Breach and Attack Simulation (BAS)

NetSPI BAS supports your CTEM program in the discovery, validation, and mobilization processes by testing your security controls to uncover vulnerabilities and misconfigurations against specific threat actors and malware techniques across your environment.  

Our security experts will work alongside you to provide deep context of your vulnerabilities and help prioritize risk. The Platform also helps prioritize, validate, and mobilize threats by providing step-by-step instructions to test, retest, and remediate threats, and by illustrating areas of high risk in a MITRE ATT&CK matrix. With BAS, you can optimize security controls, enhance detection, and track progress over time.

Ready to Bolster Your Proactive Security Journey?

The evolving threat landscape requires a proactive and adaptive approach. Aligning your security operations and processes with CTEM ensures you’re not just reacting to threats, but actively staying ahead of them. Let us help you accelerate your proactive security journey with The NetSPI Platform and our security experts by your side.

The post CTEM Defined: The Fundamentals of Continuous Threat Exposure Management appeared first on NetSPI.

We see this rapidly changing threat landscape as an opportunity. An opportunity to rethink resilience, innovation, and accountability in cybersecurity. The coming year will demand organizations to prioritize proactive strategies, seamless collaboration, and smarter, more integrated solutions that can keep pace with modern risks. 

By anticipating the trends and innovations shaping the future, NetSPI’s 2025 cybersecurity predictions explore how the industry will redefine cybersecurity, empowering businesses to stay ahead in the fight for digital resilience. 

Hear from security experts across NetSPI, including:  

• Aaron Shilts, CEO, on platformization gaining momentum 
• Nabil Hannan, Field CISO, on the shift toward CISO accountability 
• Tom Parker, CTO, on the downfall of present-day encryption 
• Patrick Sayler, Director of Social Engineering, on the rise of vishing and implications of AI 
• Kurtis Shelton, Principal AI Researcher, on agentic AI and AI as a decision-maker 
• Maril Vernon, Solutions Architect, on the evolution of threat modeling 
• Karl Fosaaen, VP of Research, on continuous assessment in the cloud 

NetSPI’s 2025 Cybersecurity Predictions 

Aaron Shilts
CEO 

Consolidation and platformization gain momentum  

“In 2025, the platformization trend will continue to gain momentum as cybersecurity executives remain focused on the effectiveness of their technology stack and service providers. This will drive a greater shift towards fewer, more comprehensive solutions that reduce management complexity and enhance team productivity.  

With cyber threats growing more complex and frequent, CISOs are under immense pressure to ensure that their teams can respond rapidly and decisively. To address this, in the coming year, they will focus on quality over quantity, favoring vendors that deliver integrated, streamlined platforms over a multitude of point solutions that are expensive and resource-intensive to manage. Consolidation will enable cybersecurity teams to work within a unified ecosystem, simplifying data management, minimizing redundancies, and reducing vendor fatigue—which can lead to critical information being overlooked. As security teams seek to reduce noise and increase efficiency, platforms offering broader functionality without the bloat of fragmented solutions will stand out, ultimately empowering teams to concentrate on the highest-priority risks.” 

“Consolidation will enable cybersecurity teams to work within a unified ecosystem, simplifying data management, minimizing redundancies, and reducing vendor fatigue—which can lead to critical information being overlooked.”

The rise of real-time, comprehensive attack surface management (ASM) 

“In 2025, the demand for comprehensive ASM solutions will drive significant consolidation within cybersecurity platforms. Organizations are increasingly focused on gaining real-time, holistic visibility into their digital assets—whether external, internal, or cloud-hosted. For today’s security teams, the source of an asset is less critical than understanding its role and risk within the broader ecosystem. As a result, the cybersecurity market will shift toward unified platforms that provide clear, real-time visibility across the entire asset landscape, eliminating the need for fragmented, asset-specific solutions that can create data silos and impede response times.” 

Nabil Hannan
Field CISO

Landscape shift toward CISO accountability 

“I anticipate that in 2025, we will see a shift in the CISO accountability landscape and how these leaders are held responsible when data breaches and cyberattacks occur.  

First, security will be increasingly viewed as a business-wide responsibility in the coming year, with proper definitions of which departments are responsible for which aspect of security. For example, IT is responsible for the infrastructure, HR manages employee security awareness, and so forth.  

Second, the CISO role will become more collaborative and advisory to other departments, with the CISO sharing their security expertise to assess, prioritize, mitigate, and/or accept risk.  

“The CISO role will become more collaborative and advisory to other departments, with the CISO sharing their security expertise to assess, prioritize, mitigate, and/or accept risk.”

Finally, CISOs will increasingly have a seat at the table to ensure that security decisions are being made in proper business alignment with the relevant business goals, with a focus on proactive risk management.  

Security needs to be weaved into the day-to-day operations of the business, instead of being the sole responsibility of the CISO. Building a culture of security across the organization will need to be a critical focus in 2025.”

Tom Parker
CTO

Downfall of present-day encryption 

“Over the next several years, attackers will increasingly leverage artificial intelligence (AI) and machine learning (ML) to both introduce new attack techniques and accelerate existing ones. As a result, cyber companies will seek to implement products to detect and respond to both conventional and AI-based threats, resulting in an arms race, where adversarial AI is pitched against defensive AI. Additionally, we will likely see the downfall of present-day encryption, used to protect much of the internet – namely SSL. Companies should prepare for this, by taking inventory of their SSL attack surface for critical applications, to evaluate compensating controls.” 

“Additionally, we will likely see the downfall of present-day encryption, used to protect much of the internet – namely SSL. Companies should prepare for this, by taking inventory of their SSL attack surface for critical applications, to evaluate compensating controls.”

Patrick Sayler
Director of Social Engineering

Vishing will gain popularity among threat actors 

“Vishing was on the rise throughout 2024, and this will continue into 2025 as deepfakes and voice cloning technology becomes more accessible. Phishing protections are becoming increasingly more robust – for example, mail filters are smarter about the content they let through, and identity providers have started to enforce stricter default controls. However, live, real-time interaction introduces several layers to an attack that simply aren’t present when a victim is reading text in an email. Hearing the emotion and intention behind a voice can disarm an individual, putting them on the spot and causing them to think less critically about the situation. Vishing detection tools will need to evolve to keep pace, adopting advanced techniques, like voice pattern recognition and behavioral analysis, to accurately identify and prevent these threats.” 

AI lowers the barrier of entry but results in less sophisticated attacks  

“Specific tactics and pretexts used by threat actors will largely remain the same throughout the next 12 months. Phishing toolkits will capture credentials and hijack user sessions, and phone calls to support teams will still result in an account compromise through a simple password reset. Instead, I predict that some attacks may devolve in 2025, driven by the commoditization of AI. The increased availability of AI tools has significantly lowered the barrier to entry and has given anyone the ability to become an effective social engineer. Entire emails can be generated by large language models from a single sentence prompt, and voices can be cloned from mere seconds of speech.  

“The increased availability of AI tools has significantly lowered the barrier to entry and has given anyone the ability to become an effective social engineer. Entire emails can be generated by large language models from a single sentence prompt, and voices can be cloned from mere seconds of speech.”

As a result, this could lead to a trend of less sophisticated attacks executed by groups that may not be trained – or even interested in – establishing long-term persistence in an internal environment. These threat groups would be driven by the immediate wins they see by “dumpster diving” and exposing customer data, internal communications, and company secrets. So while the attacks may be easier to detect and investigate from an incident response perspective, the reputational hit from such a breach could ultimately be more damaging in the long run.” 

Kurtis Shelton
Principal AI Researcher – AI/ML Penetration Testing (AML) Service Lead 

Agentic AI will continue to redefine security strategies  

“In the coming year, agentic AI is poised to significantly transform security strategies by enhancing both proactive and reactive measures. Autonomous agents will likely be used to monitor networks for threats, identify vulnerabilities before exploitation, and respond to incidents in real-time with minimal human intervention. They may dynamically adjust security rules based on evolving threat patterns or autonomously quarantine compromised systems, greatly reducing response times. 

“However, the rise of these autonomous agents will also introduce new risks, as they themselves can become targets for attacks.”

However, the rise of these autonomous agents will also introduce new risks, as they themselves can become targets for attacks. If compromised, they could inflict considerable damage to an organization due to their limited oversight. Future security strategies will need to focus on robust defenses against adversarial AI, emphasizing the importance of explainability, continuous monitoring of decision-making processes, and adherence to strong security principles to ensure that these systems remain secure and trustworthy in a rapidly evolving threat landscape.” 

AI will become an active decision-maker, shaping the future of accountability and misinformation control 

“Looking toward 2025, AI systems are set to gain greater autonomy in decision-making, driven by advancements in reinforcement learning and multi-agent systems. As AI evolves from passive tools to active decision-makers, transparent accountability frameworks will become essential, particularly in fields like cybersecurity, supply chain management, and customer service. 

At the same time, AI’s role in addressing misinformation will become even more critical. As synthetic media and deepfakes grow increasingly sophisticated, AI will be indispensable not only for generating but also for detecting misinformation. By 2025, we can expect a surge in AI-driven tools for verifying content authenticity, bringing greater focus to media literacy. With AI’s widening societal impact, regulatory bodies will require strict adherence to standards for fairness, bias reduction, and reliability, challenging organizations to balance innovation within these evolving frameworks.” 

Maril Vernon
Solutions Architect 

Collaborative threat simulation 

“Right now, the security industry doesn’t benefit from what law enforcement figured out a long time ago: information sharing catches bad guys.”

“Right now, the security industry doesn’t benefit from what law enforcement figured out a long time ago: information sharing catches bad guys. In 2025, I anticipate the security industry will see more collaborative simulations, where multiple organizations share anonymized attack data to improve collective defenses. This will be a key component in preventing supply chain attacks. However, prevention is only one pillar of resilience – organizations still need to identify, respond, and adapt. It’s believed that it’s shameful and taboo to experience a breach, but sharing with the community how it happened, what evaded detections, how effective–or ineffective–the response was, and what was done to adapt to future attacks will help everyone with the “adapt” piece of resilience.” 

Evolution of threat modeling 

“In 2025, threat modeling will have to expand and adapt to account for new areas like post-quantum cryptography and AI-specific vulnerabilities. Given the increased prevalence of AI, I anticipate a growing emphasis on API security and data strategies in threat modeling.  

“While there will be a stronger push toward automated threat modeling tools over the course of the next year, it’s important to recognize that threat modeling is fundamentally a collaborative, human exercise.”

While there will be a stronger push toward automated threat modeling tools over the course of the next year, it’s important to recognize that threat modeling is fundamentally a collaborative, human exercise. It involves thinking through complex attack paths, understanding nuanced business logic, and considering unique threats based on the organization’s specific architecture and environment—all of which require human reasoning. Automated tools may help reduce manual overhead next year, but I predict they will serve more as assistants rather than replacements for human-driven threat modeling.” 

Karl Fosaaen
Vice President of Research 

Continuous assessment in the cloud will enhance overall security posture 

“As we continue to embrace cloud solutions and remote work, the attack surface continues to expand. Remote work infrastructure introduces unique complexities that can be difficult to manage, so it must be properly designed, deployed, and secured to strike the balance between usability and security. By leveraging innovative technologies and continuous assessment, organizations can not only reduce their attack surface but also bolster their overall security posture in an increasingly challenging digital landscape. Looking ahead to 2025, I anticipate that we’ll see advancements in cloud security tools that could significantly enhance organizations’ ability to protect themselves from emerging threats. 

“Remote work infrastructure introduces unique complexities that can be difficult to manage, so it must be properly designed, deployed, and secured to strike the balance between usability and security.”

Further, while detection and alerting capabilities have improved, many organizations still lack critical indicators in their logs that should prompt actionable responses. This will be a key area for innovation in the upcoming year, as developments have already emerged in the cloud attack detection space to help organizations better recognize and respond to potential threats.” 

2025 will redefine the cybersecurity landscape, bringing both challenges and opportunities with it. From the rise of AI-driven threats and deepfakes to the increasing importance of integrated security solutions, organizations must adapt quickly to stay secure. Consolidating tools, fostering collaboration, and adopting real-time visibility into attack surfaces will be key to navigating this complex environment.  

By proactively addressing these trends and integrating strategies, organizations must not only defend against emerging threats, but also position themselves for long-term resilience. At NetSPI, we’re committed to empowering businesses with the tools and insights they need to thrive in this dynamic digital age.  

Discover how The NetSPI Platform can revolutionize your approach to security, offering advanced, proactive solutions to safeguard your organization. Take the first step toward redefining your security strategy for 2025 and beyond. 

The post 2025 Cybersecurity Trends That Redefine Resilience, Innovation, and Trust appeared first on NetSPI.

Forrester analyzed several attack surface management (ASM) vendors varying in size, type of offering, and use cases in its landscape report, The Attack Surface Management Solutions Landscape, Q2 2024. The NetSPI Platform was named by Forrester among notable vendors in the report for its Attack Surface Management solution.

The State of Attack Surface Management

ASM has grown exponentially over the last few years. Now a recognized market category, it equips businesses with crucial security strategies for comprehensive visibility into their attack surface. According to Forrester’s research, “ASM delivers insights on assets that ultimately support business objectives, keep the lights on, generate revenue, and delight customers.”  

NetSPI ASM allows you to inventory, contextualize, and prioritize assets and vulnerabilities on your internal and external attack surface with confidence and ease. Our ASM solution is backed by NetSPI’s team of dedicated security experts to help you discover, prioritize, and remediate security vulnerabilities of the highest importance, so you can protect what matters most to your business. 

Forrester on Choosing the Best ASM Solution

ASM is the first step in a proactive security program because it gives security teams a holistic view of your attack surface. Forrester defines ASM as “solutions that continuously identify, assess, and manage the cybersecurity context of an entity’s IT asset estate.” ASM allows your business to more clearly identify assets, establish and maintain the basics of a strong security system, and lay the groundwork for exposure management.  

Ideally, your ASM will offer both external attack surface management (EASM), which focuses on externally facing assets, and cyber asset attack surface management (CAASM), covering internally facing assets. This combination of EASM and CAASM provides both external and internal visibility to give you a complete picture of your assets. Additionally, the best ASM solutions will aid you in prioritizing risks specific to your business, guiding remediation steps, and integrating seamlessly into your environment. 

Opt For an All-In-One ASM Solution

When choosing an ASM partner, take into account the market dynamics in light of your current business challenges. Currently, the main market trend is ASM being delivered as part of a platform. This platform model gives security teams access to key proactive security solutions in a single technology. After all, no one likes switching programs to consolidate data.

In 2024, the ASM market’s top challenge is not the lack of visibility into the attack surface as you might expect, but the number of sources of visibility.

In 2024, the ASM market’s top challenge is not the lack of visibility into the attack surface as you might expect, but the number of sources of visibility. The information your security teams are looking to track is spread over too many sources, adding friction to gaining a comprehensive picture of the full attack surface.

A platform model addresses the challenge of technical debt by consolidating the security tech stack and optimizing the use of an ASM solution. This trend of consolidating solutions into a single platform will continue in the coming years as security teams face tighter budgets and look to get the most value of their current investments. 

NetSPI integrated our cornerstone solutions on The NetSPI Platform to equip security teams with a single proactive security solution. ASM, penetration testing as a service (PTaaS), and breach and attack simulation (BAS) are all delivered through NetSPI’s Platform, putting users one step closer to continuous threat exposure management (CTEM).  

Enhance Attack Surface Visibility with NetSPI

In its report, Forrester noted:

“The future and value of ASM is bringing these capabilities into a single view, meaning ASM has evolved into an established market that:  

• Relies less on external discovery and more on continuous posture evaluation.
• Contains a growing number of suppliers with substantial category crossover.
• Aggregates common discovery capabilities.”

The true value of ASM lies in its ability to deliver a real-time, always-on, comprehensive depiction of the complete attack surface.  

When used together, NetSPI EASM and NetSPI CAASM check all the boxes by delivering complete attack surface visibility, always-on coverage, and deep data context. NetSPI’s Platform can inventory both internal and external assets and vulnerabilities as they are added to your environment, eliminating manual discovery and maintaining an accurate list for you and your team.  

NetSPI’s always-on monitoring capabilities ensure your attack surface is protected around the clock. These real-time updates allow you to inventory assets and tackle vulnerabilities as they arise, significantly reducing risk. NetSPI’s Platform shows descriptions, severity, attack paths, blast radius, and more throughout your entire attack surface to implement informed decision-making, prioritization, and resource allocation.

The post NetSPI’s Insights from Forrester’s Attack Surface Management Solutions Landscape, Q2 2024 appeared first on NetSPI.

As we wrap up the month, we’re excited to blend awareness with entertainment by diving into a curated roundup of cybersecurity-themed fiction, recommended by The NetSPI Agents, our team of security experts. From thrilling films that highlight the dangers of cyberattacks to cautionary tales that explore the ethical dilemmas of technology, these selections offer both engaging stories and valuable lessons.

NetSPI’s Top 9 Cybersecurity Fiction Picks 

1. The Matrix 
2. Cryptonomicon 
3. Hackers 
4. Johnny Mnemonic 
5. Star Wars 
6. Swordfish 
7. Takedown 
8. Hacknet 
9. V for Vendetta

1. The Matrix 

The Matrix is a groundbreaking sci-fi film released in 1999, which follows Neo, a talented computer hacker, as he discovers that the reality he knows is a simulation created by machines to subdue humanity. When he is contacted by a group of rebels, Neo learns about the true nature of the Matrix and his potential as “The One” who can bring an end to the machines’ control.  

Cybersecurity themes are woven throughout the story, focusing on information control and digital manipulation. The Matrix itself serves as a metaphor for the vulnerabilities in our increasing reliance on technology, especially without precautions to protect valuable assets, as well as the potential consequences of being disconnected from reality.

2. Cryptonomicon 

Recommended by three NetSPI Agents, Cryptonomicon is a 1999 novel by Neal Stephenson. The book intertwines two parallel storylines: one set during World War II, focusing on a group of codebreakers and their efforts to secure Allied communications, and the other in the late 1990s, where a tech entrepreneur attempts to create a secure data haven in Southeast Asia.  

Themes of cryptography, information technology, and the intersection of history and modernity are explored throughout the story. With its complex characters and intricate plotting, Cryptonomicon delves into the implications of data privacy and the power of information in both wartime and peace.  

Cryptonomicon basically predicted Bitcoin and the rise of cryptocurrency.

– Joe Grassl, Security Consultant II

3. Hackers

Hackers is a 1995 film, about a group of teens in New York City. The story centers on Dade Murphy, known as “Zero Cool.” After being banned from using computers for a decade, he joins a new school where he meets a diverse group of fellow threat actors. Together, they uncover a conspiracy involving a corrupt corporate security officer.  

Hackers highlights both good and bad use cases of attacking systems, showcasing the importance of understanding cybersecurity practices in a digital world. Through this, the film raises awareness about data privacy, the implications of corporate surveillance, and the moral complexities surrounding information access.

4. Johnny Mnemonic

Selected by two of The NetSPI Agents, Johnny Mnemonic is a 1995 sci-fi film, based on a short story by William Gibson. Johnny has a cybernetic implant that allows him to store sensitive information in his brain. When he takes on a job to deliver critical data, he finds himself pursued by powerful corporate forces and a deadly crime syndicate.  

As Johnny races against time to retrieve the data and save himself, he navigates a dystopian future filled with cybernetic enhancements and virtual reality. Johnny Mnemonic explores themes of information control, technology’s impact on humanity, and the consequences of a hyper-connected world.  

Pre-Matrix, very corny, but in a good way. Based on a Gibson short story. The Flipper Zero is actually inspired by the dolphin in that movie!

– Joe Grassl, Security Consultant II

5. Star Wars

Star Wars, originally released in 1977, is a landmark sci-fi film that introduces audiences to a galaxy far, far away. The movie centers on Luke Skywalker as he joins Princess Leia, smuggler Han Solo, and Jedi Obi-Wan Kenobi in their fight against the oppressive Galactic Empire.  

The Death Star, a massive space station capable of destroying entire planets, stands for the vulnerabilities of centralized power and information. The Rebel Alliance’s efforts to steal the plans for the Death Star highlight the importance of data security and the risks of information being captured by malicious forces. And, the Empire’s reliance on technology and surveillance mirrors modern concerns about privacy and the misuse of data. 

Star Wars. It has it all: Biohacking, social engineering, physical security penetration. 

– Kyle Fowers, Security Consultant II 

6. Swordfish

2001 action thriller, Swordfish, follows Stanley Jobson, a threat actor recently released from prison, who is coerced into a high-stakes cyber heist by a criminal mastermind, Gabriel Shear. Gabriel aims to siphon off a massive sum from a secret government fund, using Jobson’s hacking expertise. 

Cybersecurity themes permeate the film, walking the line between ethical hacking and criminal activity. The narrative explores the risks associated with data breaches, the vulnerabilities of government systems, and the implications of technology in the hands of both criminals and law enforcement.  

A great addition if you’re in the mood to hate-watch something. Such a bad movie. I think it was attempting to portray the dark web, but it lacked any logic or realistic interpretation of interacting with a computer.

– Mike Kaplan, Vice President, Consulting 

7. Takedown

Takedown is a 2000 film, inspired by the life story of notorious hacker, Kevin Mitnick. Takedown presents a cat-and-mouse game between Mitnick, and a determined computer security expert, Tsutomu Shimomura. As Mitnick exploits vulnerabilities in various computer systems, he becomes increasingly evasive, prompting law enforcement and Shimomura to collaborate in an effort to track him down. 

The film prominently features themes of social engineering and cybersecurity. Mitnick’s tactics often rely on social engineering, manipulating people into divulging sensitive information or granting access to secure systems. This highlights the psychological aspects of cybersecurity, emphasizing that human behavior can be as critical to security as technology itself.  

Don’t know if it’s essential, but it got the social engineering part right.

– Patrick Gabriel, Principal Security Consultant 

8. Hacknet

Hacknet is a 2015 interactive hacking simulation game in which players take on the role of a threat actor, who is guided by an AI, after the mysterious death of a fellow malicious entity. The gameplay revolves around real-world concepts, allowing players to utilize terminal commands to navigate systems, solve puzzles, and uncover secrets. 

Cybersecurity themes are deeply integrated into Hacknet, emphasizing the skills and tools used in ethical hacking and the importance of digital security. The game takes on topics such as network security, data breaches, and the ethics of hacking, inviting players to consider the implications of their actions in a digital landscape. 

Maybe not quite a classic, but Hacknet is a pretty great game with semi-realistic hacking.

– Jason Juntunen, Senior Security Consultant 

9. V for Vendetta

V for Vendetta is a graphic novel written by Alan Moore and illustrated by David Lloyd, published in the 1980s. Set in a dystopian future, the story follows V, a mysterious anarchist wearing a Guy Fawkes mask, who seeks to overthrow a totalitarian regime in post-apocalyptic Britain. Using a combination of sabotage, propaganda, and guerrilla tactics, V aims to inspire the populace to reclaim their freedom. 

The exploration of surveillance, information control, and the power of digital communication are central themes in the novel. The government employs extensive monitoring and censorship to maintain its grip on society, reflecting contemporary concerns about privacy and data security. V’s use of technology to disseminate information underscores the importance of individual autonomy, making it a compelling commentary on the intersection of technology and freedom in the digital age. 

Although not exactly hacker fiction, I do feel that V for Vendetta (I prefer the graphic novel although the movie was pretty good) should count given its Guy Fawkes mask’s ties to hacktivism (see: Anonymous).

– Mike Kaplan, Vice President, Consulting 

Dive into Your Favorite Cybersecurity Fiction 

This October, let’s come together to raise awareness, enhance our knowledge, and empower ourselves against cyber threats. Add these movies, books, and games to your list, and let us know which ones are your favorite!  

Remember, in our interconnected world, staying informed and vigilant is our best defense. Happy Cybersecurity Awareness Month this October and beyond! 

The post Bytes, Books, and Blockbusters: The NetSPI Agents’ Top Cybersecurity Fiction Picks appeared first on NetSPI.

A 2022 Gartner survey showed that 75% of organizations are pursuing consolidation of their security vendors. The top benefit is reducing the complexity of their security stack and improving their risk posture. 

Unlocking NetSPI’s Platform Milestone 

To meet the industry’s growing need for simplicity and effectiveness of security strategies, NetSPI consolidated the following key proactive security solutions on The NetSPI Platform: 

• Attack surface management (ASM)  
• Breach and attack simulation (BAS)  
• Penetration testing as a service (PTaaS)  

Our customers now have the option to access all these solutions from a single user interface, bringing a new level of enrichment, highly actionable results, and real-time collaboration with The NetSPI Agents as they work toward proactive security.

Benefits of Security Platform Consolidation  

The top benefits of security platformization are reducing complexity and improving risk posture. Our decision to consolidate ASM, BAS, and PTaaS on The NetSPI Platform brings a few key benefits to our customers:   

• Single Source of Truth: Since all modules on The NetSPI Platform work on a unified common asset model, customers can see all assets and vulnerabilities, or findings, in one place. 
• Enhanced Visibility and Intelligence: You can go beyond a pentest with BAS and ASM working in tandem.  
• Comprehensive Data: You’ll acquire deeper insights into vulnerabilities, risk prioritization, and impact of exploitation.  
• Cross Module Use Cases: You’ll have access to attack paths and narratives, robust asset inventory, expanded integrations, and workflow automation that span multiple modules.  

Our goal with this update is to provide a more holistic and unified view of an organization’s proactive security readiness.

Continuous Threat Exposure Management (CTEM) as the Framework for Proactive Security 

Another trend sparking conversations today is the increased attention on CTEM as an effective framework for continuous security testing. 

CTEM is a proactive security framework that focuses on identifying, assessing, and mitigating risks within an organization’s digital environment.

Gartner’s Top Strategic Technology Trends for 2024 says, “by 2026, organizations prioritizing their security investments, based on a CTEM program, will realize a two-third reduction in breaches.”  

The five phases of CTEM are: scoping, discovery, prioritization, validation, and mobilization. It’s gaining traction as a framework to help teams shift from a point-in-time, reactive approach to security to a continuous, preventative one.  

By combining proactive security solutions such as BAS, ASM and PTaaS, security teams can tailor their journey toward CTEM – all using The NetSPI Platform.

Looking to the Future: What’s Next for NetSPI’s Platform  

In the coming months, we’ll expand the the NetSPI Platform’s solutions and functionality to enhance its value in a proactive security journey.   

In the near term, customers will have access to cyber asset attack surface management (CAASM) on NetSPI’s Platform, offering a unified view of their assets – both internal- and external-facing, along with their vulnerabilities and security control coverage. With this expansion, we’ll offer an enhanced and comprehensive view of exposure, and associated risk. 

The NetSPI Platform is a monumental step forward in preparing the industry for effective CTEM programs. We can’t wait for you to see the expanded capabilities for yourself. Request a demo to consult with our team on your path forward. 

The post The Strategic Value of Platformization for Proactive Security appeared first on NetSPI.

Team NetSPI showed up in full force with our updated brand, demos of The NetSPI Platform and our new Cyber Asset Attack Surface Management (CAASM) solution, and two buzzed-about talks.

Here, we summarize four key takeaways from the event, as told by members of our leadership team:

• Aaron Shilts, CEO
• Vinay Anand, CPO
• Tom Parker, CTO
• Nabil Hannan, Field CISO

Read on for their insights and get a glimpse into the excitement of Las Vegas!

NetSPI Heads to Hacker Summer Camp

Beyond the fantastic conversations, product demos, and familiar faces who stopped by on the show floor, this year’s Hacker Summer Camp was jammed packed with events, including our poolside lounge networking event at the Daylight Lounge in Mandalay Bay.

Kicking off day two, our very own hardware hacking duo – Sam and Patch – hit the stage to reveal how they built an affordable laser (or light) based hardware hacking tool. Read their exclusive interview with WIRED’s Andy Greenberg: A $500 Open-Source Tool Lets Anyone Hack Computer Chips With Lasers.

This was followed by Vinay and Tom who discussed how to improve continuous threat and exposure management (CTEM) by pairing External Attack Surface Management (EASM) with CAASM. They addressed the challenge of mapping a complete view of the attack surface, how EASM and CAASM work together to reduce attack surface sprawl, and tangible steps to work toward CTEM.

Additionally, 30+ of our security experts, The NetSPI Agents, went to DEF CON 32 – three of whom presented sessions on Google cloud pentesting tools, mainframe security, and Azure insecurities.

• Scott Weston presented on GCPwn: a Python toolset for easy GCP pentesting and module creation.
• Michelle Eggers discussed the relevance of mainframes and shared five solutions for securing them. And she did it twice, once at BSides Las Vegas and again at the DEF CON AppSec Village.
• Karl Fosaaen analyzed Managed Identities in Azure and shared a tool to automate attacks on them.

Watch our recap below and be sure to check out The NetSPI Agents’ recap of DEF CON 32 for more insights from the Las Vegas Convention Center. 

4 Observations from the Halls of Mandalay Bay at Black Hat 2024 

Whether you attended Black Hat or missed this year’s event, hear from Aaron, Vinay, Tom, and Nabil on the noteworthy trends we took away from the conference.

1. Consolidation of Security Solutions

One of the major themes at Black Hat this year was the shift from point solutions to consolidated security platforms. Aaron highlighted that customers are increasingly seeking integrated solutions that offer greater visibility and advanced features without the burden of managing multiple tools. This trend is driven by budget pressures and the need to replace outdated systems with more efficient platforms.

Forrester Analyst Erik Nost stopped by our booth to demo The NetSPI Platform and continues to be a champion of this consolidation trend, particularly in the proactive security industry.

Tom also observed this trend adding, “while concerns remain about concentration risk, the overwhelming sense from CISOs is that consolidation must happen and the benefits far outweigh the risks. The overwhelming amount of conversations had on site reiterated our platform vision, in particular, the ability to prioritize remediation based on asset and risk data.”

2. Navigating the AI Hype

Artificial intelligence was undoubtedly the buzzword of the event, with vendors across the board showcasing AI-driven solutions.  

Tom noted that AI is currently causing more problems than solving them. While AI offers potential, the cybersecurity industry must implement solutions that help us counter threat actors who are quicker to adopt AI than the security market, at least for now. 

Vinay believes the industry is making progress adding, “AI and LLMs are everywhere. We have moved beyond hype to actually seeing some useful outcomes from using LLMs. Just as ML was a thing for the last 10 years, LLM will be the next thing vendors will talk about. Going beyond headlines, vendors are starting to deliver outcomes that would not be possible without using LLMs, or would be much harder to accomplish.”

Field CISO Nabil Hannan also noticed the buzz around AI. His take on this is that AI isn’t actually “intelligent” and we must have sound strategies to effectively navigate and harness its power. Read more about Nabil’s take on AI in his recent blog, How Threat Actors Attack AI – and How to Stop Them.

3. Automation in Penetration Testing

Aaron and Vinay both observed a growing trend toward automated penetration testing.  

Aaron shared, “There is strong demand for greater automation in the pentesting process as customers need continuous testing coverage across more of their attack surface. The only way to do this is through greater automation and leveraging technology.” He reiterated, “We still believe strongly in the intersection of technology and talent. While several firms are taking a tech-only approach that we believe still does not yield the same results. This shift toward more automation reflects the industry’s move towards leveraging technology to enhance efficiency and effectiveness.”

“We still believe strongly in the intersection of technology and talent. While several firms are taking a tech-only approach that we believe still does not yield the same results. This shift toward more automation reflects the industry’s move towards leveraging technology to enhance efficiency and effectiveness.”

Vinay agreed with this sentiment observing, “Automated pentesting is definitely a trend that is catching on. On the show floor there were many vendors claiming to offer automated pentests and an increased number of startups offering a “fully-automated red teaming and pentesting platform.” 

4. Addressing Third-Party Risk Management

In addition to being NetSPI’s Field CISO, Nabil also hosts the Agent of Influence podcast and was able to host seven new guests for on-site recordings. During the interviews, one challenge became evident across the board: third-party risk management (TPRM). This indicates that the current approaches are often flawed and ineffective, and highlights the need for better solutions.

Additionally, the conversations pointed to a broader need for security education, particularly for vulnerable populations such as the less tech-savvy and elderly, who are often targeted by scams. These discussions underline the critical role of awareness and education in strengthening organizational and personal security. 

Black Hat USA 2024 offered invaluable insights into the cybersecurity landscape, emphasizing the need for consolidated solutions, judicious AI use, and enhanced automation. For cybersecurity executives, these trends present opportunities to refine strategies and strengthen defenses.  

As we move forward, staying informed and proactive will be key to navigating the evolving threat landscape. For anyone interested in exploring these insights further, we invite you to connect with our team at NetSPI and discover how our solutions can empower your organization to stay one step ahead.

The post 4 Key Themes from Black Hat USA 2024 appeared first on NetSPI.

What’s the most exciting aspect of bringing NetSPI and Hubble together?

Tom: I’ve spent much of my career in security consulting, so this is a full circle moment. Back in the day, I was a security researcher and a pentester, with multiple CVE’s next to my name. I started Hubble because it addressed one of the biggest challenges I found as an advisor to CISOs, and as a CISO myself: lack of visibility. Fortune 500 customers I worked with universally struggled to manage and remediate vulnerabilities and other security issues because of lack of visibility in their environment. Now we’re able to bring that technology to NetSPI, a rapidly evolving business that is leading the charge in technology-led cybersecurity offerings. That’s very exciting for me.

Aaron: For us, we’ve been on this journey from traditional pentesting to technology-enabled proactive security, integrating more technology into the services we deliver to drive efficiency and generate better outcomes. We’ve had a good view of the external and cloud attack surfaces, but we need to help our customers understand the entire IT estate.

Understanding and seeing the entire cyber asset estate, including internal, is vitally important. 

This has been a problem for a long time; I remember discussing it in the industry 20 years ago. We are at an inflection point where all the products customers use must have better integrations than ever before, making it easier to get visibility across technologies. We’re excited to have greater visibility and to start to fuse all the vulnerability information we have together.

Tom: Ten or 15 years ago, what we built wouldn’t have been possible because the technologies found in enterprise environments were largely siloed, self-enclosed systems which, for example, lacked APIs and other methods to integrate with them. Accessing that data was difficult. Now, we live in an ecosystem of technologies that are API-driven and generally play better with other vendors. Bringing data sets together, from existing technologies across your environment, and enabling decision-making on that data has suddenly become possible. Bringing our companies together, integrating independently powerful data sets from NetSPI’s base offerings, pentesting as a service (PTaaS), ASM, and breach and attack simulation (BAS), plus the CAASM capabilities that Hubble brings is a really exciting proposition. 

How does the pairing of NetSPI and Hubble enhance NetSPI’s overall capabilities?

Aaron: The enhancements from coming together as an organization create a one-plus-one-equals-three scenario. It’s a force multiplier. Furthering our mission to bring more technology to the proactive security landscape is important. Tom shares our vision of the intersection of technology and talent and the importance of the human element. The industry struggles with visibility and understanding of what they have. Many folks say they have maybe 80% visibility on the endpoint side but don’t know about the remaining 20% and the vulnerabilities there, which is concerning to our customers. Providing them with greater visibility through modern integrations is exciting.

Fusing together our attack surface, vulnerability, and breach and attack simulation (BAS) intelligence into one platform is groundbreaking. We aren’t seeing holistic capabilities like this in the industry, and we can offer our customers something truly innovative.

Tom: The security industry is notoriously guilty of creating siloed solutions — capabilities that address only a small part of the problem. It’s often up to the customer to figure out how to integrate them, which is why the consulting industry gets paid so much to integrate those technologies, in other words creating “single pane of glass.” That’s not the way it should be.

Over the last five years, when I’ve chatted with customers, the top three problems in security almost always include visibility. When I ask what they are doing about it, the response is often that it’s too hard. Well, it’s not too hard anymore. Between our capabilities, we can bring a holistic solution together, providing inside-out and outside-in visibility. With the coming together of our companies, there are no more excuses not to address this systemic issue once and for all. 

“Between our two capabilities, we can bring a holistic solution together, providing inside-out and outside-in visibility.”

Tom Parker, founder and CEO at Hubble (now CTO at NetSPI) 

One of the things that has changed in the last decade is the abundance of data. We’ve had the data needed to answer these questions for a long time. It’s just been a matter of bringing that information together and making it useful for the end user to drive whatever the use case might be.

Aaron: I agree, and it’s incumbent on us to help organizations bridge the gap between their IT and security teams. Often, the security team feels they don’t get what they need from the IT team in terms of visibility, and the IT team thinks the problem is too big to solve. We are in a good position to bring technology that can help bridge that gap for them. 

“It’s incumbent on us to help organizations bridge the gap between their IT and security teams”

Aaron Shilts, CEO at NetSPI

Tom: This speaks to the age-old challenge: if you talk to your network team, they’ll give you one number of assets; talk to your workstation team, and you’ll get a different number; talk to your cloud team, and you’ll get yet another number. Bringing together all these different disciplines and data sources means that, for the first time, organizations can have one answer on how many assets they have — not just network-connected devices, but also user devices, BYOD, applications, vendors, and more. 

Aaron: The heart of the technology you built at Hubble is about correlation deduplication, just figuring out how to pull this data together. How do you go about that journey as you’re building it and thinking about what that engine should look like? It’s a big challenge.

Tom: Data quality was always the most important thing for us when we were first building Hubble. We knew that we could have the best user interface, but if the data couldn’t be trusted, no one would use the product. Especially now, as we’re entering an age of hyper-automation, leveraging technologies that make use of machine learning and AI, quality data sets to drive decision making has never been more important. 

You don’t want a chatbot that gives you answers based on poor datasets. Things will break and people will make bad decisions. So, the quality of that data was of utmost importance for us. The problem we knew we had to solve was how do we bring data together from potentially dozens of sources, knowing that a lot of source data may not be accurate, would contain duplicates, or may not be complete. How do we scrub that data? How do we fill in the gaps with other data sources? How do we make sure we’re only using the data fields that are the most important and the most trusted, and giving customers the cleanest, most trusted view of truth available in the market? No one else is really doing what we’re doing together. 

What is CAASM and why is Hubble’s solution unique?  

Tom: CAASM has joined the long list of security alphabet soup that we’re faced with on a daily basis. The term CAASM was initially popularized by a Gartner Hype Cycle, and even then, the market lacked a clear definition of what CAASM actually is. Essentially, for most organizations, CAASM is an inventory of assets that enables cybersecurity practitioners with asset data to drive cybersecurity decision making. The notion was that legacy configuration management database (CMDB) technologies weren’t sufficient in providing security teams with what they needed. Those use cases were largely based in the security operations environment. When CAASM was first coined, the extent of what security organizations really need was not fully realized, for example the idea of integrated posture management capabilities wasn’t really a thing. The problem with the direction it’s gone in now is that certain CAASM vendors are more focused on posture management, some on cloud, and some on on-prem visibility and lack a holistic view of assets. 

What I’m really excited about coming together with NetSPI is that we’re able to answer that question in a much more holistic way, providing a capability that is far superior to other CAASM vendors. I’ve always said to customers that Hubble is an asset intelligence platform. If you think about the way that you operationalize threat intelligence to drive decision-making — I have a threat actor, these are the malware samples associated with that threat actor. How can I operationalize that information and drive decision-making to make my organization more secure? It’s the same use case with asset intelligence and I see CAASM as a subset of that. I always like to think bigger than where the industry is in terms of the status quo. CAASM is important, but I think there are extensions to this that go beyond most CAASM solutions in the market.

Without that visibility, it’s a big problem for the CISO/CSO. For them to get a holistic end-to-end view of their security posture without a capability like our joint offering, they should be able to go into one dashboard and understand everything about their security posture. Without it, they’ll likely have to create busy work for their teams, who will then have to go to different product dashboards and try to merge that data together manually. It’s highly inefficient and prone to error, creating risk. 

The big message I have for existing and potential customers is that we’re going to drive efficiency in your security programs. We’re going to help you eliminate previously unknown risks, by providing an unmatched view into your assets and your security posture. We’ll be bringing in data from your pentest reports, your BAS and ASM tools, all under one roof, to drive decision-making. For the first time, CISOs can have the confidence that what they’re looking at really represents a full picture of their environment. 

“We’re going to drive efficiency in your security programs. We’re going to help you eliminate previously unknown risks by providing an unmatched view into your assets and your security posture”

Tom Parker, founder and CEO at Hubble (now CTO at NetSPI)

How do CAASM and EASM work together to help prioritize issues?

Tom: I often talk to customers about security being a scale issue. We never have enough people, and there’s a massive talent shortage globally, not just for security, but for IT as well. To counter that scale issue, being able to rapidly understand the role of an asset (or asset context) very is important. We need to understand where our most critical assets are, combined with a threat model, to understand what could hurt the organization the most. Hubble has a unique capability for that, enabling customers to understand the context of an asset.

What I mean by that is not just a spreadsheet in the cloud like some of the CAASM providers offer. Rather, how does that asset relate to other things in the environment? If I’m concerned about a user, what does that user have access to? What could the blast radius be if there’s a critical vulnerability that’s identified? I have a thousand systems in my environment with that vulnerability. Where do I start? I have five people on my security team — they can’t possibly fix everything all at once. So, where do I need to focus? Together, we’re able to help customers prioritize and say, “Hey, you’re missing these critical security controls on the 5% of the systems that have the highest risk.” That’s game-changing for security teams. Without context, you’re unable to do that.

What can NetSPI customers expect from a from a technology perspective over the next six to 12 months?

Tom: Independently we both bring strong capabilities through penetration testing and Hubble’s CAASM offering. It’s going to become a powerhouse under The Platform that NetSPI announced just last month. I’m excited to see all those capabilities coming under one roof, so that customers can see that in a product-led fashion, and still have access to the same extremely high-quality penetration testing teams and security professionals employed by NetSPI.  

We’re not going to stop here. We’re going to continue to build and add capabilities. And I think there are a lot of opportunities in the market as we start to see consolidation in the market platform of security.

Read the press release:

Aaron: You mentioned how common technology silos are in this industry. I think it’s incumbent on us to ensure we don’t have our own silos and bring this together under one interface for our customers to find value. Fusing the data to build some of the advanced use cases like blast radius and other aspects could be really exciting. 

Tom: I’ve spent the last 20 years of my career seeing acquisitions done well and not so well. We’re being very thoughtful about the way we bring these capabilities together. What customers are going to see is not only our existing capabilities becoming stronger, but also the combined capabilities under a single platform to become something unique in the market. 

How have you seen CAASM benefit customers in the past?

Tom: Hearing feedback from customers is one of the things that keep us going as founders and entrepreneurs. One of my favorite success stories with a customer was when they were investing in an endpoint provider. They believed that they had complete coverage in their environment and needed to bring us in to validate their security controls.  

Through bringing together external and internal data sets, we showed where they were missing critical controls like endpoint coverage and where external assets were sitting in the cloud. We showed them where those went inside the network and who the owners of those assets were. We showed which organizations were responsible for those assets by bringing other data sets together. When you start a company and you have an idea for a technology, you have a thesis, and you hope that it works out. It’s not until you start getting that customer feedback that you start realizing you’re on to something rewarding.

This happened a couple of years ago now, but that was one of our watershed moments where we saw there was a problem, and we had technology that was proven to work at scale. It takes meaningful risk off the table for our customers. That use case is repeated time and time again because it’s a theme that we’ve leaned into.

What do you think is the real value that we bring to existing customers as we integrate our solutions?

Tom: As a former CISO, I would be most excited about this because instead of having to go to lots of different vendors for various components of my program and figuring out how to integrate it all, I can now go to a single leader in the market that has acquired another leading capability and get a holistic, fully integrated attack surface management solution. 

Aaron: Yeah, I agree. Fusing this data in a way no one else does allows us to drive advanced use cases and provide insights beyond simple visibility, which I think will become table stakes in the coming years. It will provide much more advanced views for our customers and their security posture. 

Watch the full conversation between Tom and Aaron to learn more about NetSPI’s new CAASM capabilities. If visibility of assets and prioritization of efforts is a thorn in your side, reach out to NetSPI for a demo. Our team’s deep expertise, intelligent process, and advanced technology will level up your approach to security no matter where you’re at today. Contact us to get started.

The post Inside CAASM: Q&A with NetSPI Leadership appeared first on NetSPI.

1. What is penetration testing?
2. How penetration testing is done
3. How to choose a penetration testing company
4. How NetSPI can help

Penetration testing enables IT security teams to demonstrate and improve security in networks, applications, the cloud, hosts, and physical locations. In this guide, learn what penetration testing is, how penetration testing is done, and how to choose a penetration testing company.

What is penetration testing?

Penetration testing, also called pentesting or pen test, is a cybersecurity exercise in which a security testing expert, called a pentester, identifies and verifies real-world vulnerabilities by simulating the actions of a skilled threat actor determined to gain privileged access to an IT system or application.

Penetration testing simulates the actions of a skilled threat actor determined to gain privileged access.

A pentester uses expertise, creativity, and pentesting tools to gain access to IT systems to demonstrate how a threat actor could access IT resources or breach sensitive data. Pentesters are also called vulnerability assessors, white hat hackers, and ethical hackers for hire. 

A penetration testing service, also called a pentesting company, identifies vulnerabilities in IT systems that pose real-world risk to the client’s systems. Pentest companies use automated vulnerability assessment tools in the discovery phase as a precursor to manual penetration testing. Scanning tools help penetration testers pick the most promising targets to use in a series of incremental manual steps to gain privileged access. 

It is important that penetration testing activities do not break the environment. Sometimes pentesters work against live production systems, and sometimes they work against sandbox environments, depending on the goals of the test, the availability of a sandbox environment, and the potential impact on the production system. 

Pentesting is performed with or without privileged credentials, depending on the objectives of the test. Penetration testing was historically performed from the perspective of an unprivileged or anonymous user. Today, the deepest dive into an application may require privileged login access, the actual software code for visual review, and control of the operating system hosting the application.

Although a penetration test is sometimes called a vulnerability assessment, many security vulnerability assessments use only automated scanners and do not simulate a skillful, determined human attacker. Pentesting also differs from a dynamic scan, which only uses vulnerability scanning technologies and not human intuition. Penetration testing is also different from what many software developers call a security test or security assessment, which is often a secure code review or static application security testing.  

Benefits of penetration testing

The primary benefit of penetration testing is to inform security efforts to proactively harden the environment. Penetration testing reveals an organization’s security weaknesses. Penetration testing rates and prioritizes vulnerabilities by severity of outcome factored against the likelihood of such an attack.

Additional benefits of penetration testing include: 

1. Deliver secure software for less money: Security gaps remediated earlier in the software development life cycle (SDLC) cost less to fix than problems found later. Despite best efforts, security vulnerabilities slip through software testing processes. Unlike secure code review, which identifies code that might be exploitable, the vulnerabilities identified by a penetration test are proven to be exploitable.
2. Avoid breaches: Discover vulnerabilities and exposures proactively, so you can remediate them and prevent an attack—and avoid the costs of downtime and clean-up resulting from a breach. In addition, you preserve the organization’s good reputation and protect relationships with business partners.
3. Use human insight like attackers do: Only a penetration tester (or a malicious attacker) can chain together seemingly low-risk events to verify which vulnerabilities enable unauthorized control. Threat actors adapt to a given environment, so security testers need to adapt, too. Understanding the implications of vulnerability scanner results to a specific application or organization requires human insight.

Pentesters chain together seemingly low-risk events to verify which vulnerabilities enable unauthorized control.

4. Achieve compliance: Meet security testing requirements from a third-party authority. Penetration testing is required to demonstrate cybersecurity and achieve compliance with regulations and industry standards, such as the payment card industry (PCI) security standard and the Health Insurance Portability and Accountability Act (HIPAA).
5. Eliminate false positives: Automated scans often report what appears to be a huge security hole in the infrastructure, but isn’t. Or a security gap exists, but the test results lack key information to enable remediation. Manual attacks help the organization avoid spinning its wheels dealing with inaccurate or incomplete vulnerability assessment data. 
6. Focus remediation: Prioritize remediation for the most important vulnerabilities and receive helpful guidance, such as how to remediate specific vulnerabilities and instruction.
7. Demonstrate business impact: Knowing the business impact of vulnerabilities helps justify security investments and improve decision making. Penetration testing clarifies the business impact of inaction. 
8. Augment the IT security team: A fresh set of eyes from third-party security experts can help strengthen an organization’s vulnerability management program and validate its ability to protect the business from cyber attacks. 

Pentesting trends

Four security and development trends are increasing the complexity of penetration testing and changing expectations. 

Shift left: Teams are introducing secure code review (SCR) and penetration testing into the software development life cycle (SDLC) to identify vulnerabilities earlier. Called shift left, this software development trend reflects efforts to improve software security and reduce testing costs.

DevSecOps: To ship secure software faster, organizations are working to integrate security processes seamlessly into the software development workflow and CI/CD pipelines. DevSecOps is driving requirements for continuous and comprehensive penetration testing.

Differentiation: Now that many people know about penetration testing, the discussion is changing to highlight differences in penetration testing methodologies, scopes of engagement, and report delivery methods.  

Penetration Testing as a Service (PTaaS): This new penetration testing delivery experience shares pentest results with the client in real time through a technology platform or web portal. Pentesting as a service delivers results year-round, unlike point-in-time pentests, which are typically executed just once a year. A PTaaS platform improves decision making and accelerates remediation with tool integration. 

Traditionally, pentesters complete an engagement and hand off a penetration testing report in a static PDF or excel spreadsheet. With the emergence of PTaaS, the pentesting firm is an IT security partner that provides continuous vulnerability scanning, conducts deep-dive manual tests as needed, and delivers real-time pentest reports in an interactive digital platform that separates critical vulnerabilities from false positives (a time-consuming activity for an in-house team). The pentesting experts continue to serve the client as remediation consultants.

Types of penetration testing

The targets of penetration testing include networks, software applications, the cloud, and employee behaviors. Each type of penetration test focuses on a different target:

Network penetration testing

Network penetration testing, also called network security testing, focuses on internal and external networks, wireless endpoints and wireless networks, email phishing, and other types of social engineering. Five types of network penetration testing are: 

1. External penetration testing
2. Internal penetration testing
3. Mainframe penetration testing
4. Wireless penetration testing
5. Host-based penetration testing

Application penetration testing

Application penetration testing, also called application security testing, focuses on web and non-web applications, finding vulnerabilities such as those described in the OWASP Top Ten and the CWE/SANS Top 25 Most Dangerous Software Errors. Unlike dynamic application security testing (DAST), which is usually automated, penetration testing is performed by an expert pentester. Four types of application penetration testing are: 

1. Web application penetration testing
2. Mobile application penetration testing
3. Thick client application penetration testing
4. Virtual application penetration testing

Cloud penetration testing

Cloud penetration testing focuses on cloud infrastructure. A cloud platform can create exposure from network, application, and configuration vulnerabilities that can result in external access to company credentials, internal systems, and sensitive data. The three most common types of cloud penetration testing are:

1. AWS penetration testing
2. Azure penetration testing
3. Google Cloud (GCP) penetration testing

Adversary simulation and red teaming

Adversary simulations, also known as red team simulations, are security exercises that assesses a company’s capacity to identify and respond to real-world attack and breach scenarios in real time. Four types of adversary attack simulation are: 

1. Detective control testing
2. Red team security operations
3. Social engineering penetration testing
4. Ransomware attack simulation

Note that social engineering penetration testing is different from most types of penetration testing in that it assesses the effectiveness of security awareness training by simulating real-world threats through email, phone, and in-person physical penetration testing.

Penetration test reporting

Pages and pages of pentesting data presented in a static Excel or PDF pentesting report are overwhelming, and yet a 100-page PDF is a common format for a penetration testing report. 

In contrast, a dashboard is a better type of penetration testing report because it delivers dynamic views of penetration testing results: metrics, trends, project communication, searchable and sortable pentest findings, and instruction to reproduce each vulnerability. With a dashboard, less time is spent by clients analyzing penetration testing reports, and critical and high-severity vulnerabilities are ticketed and remediated sooner. 

View an example of NetSPI’s penetration test report.

A penetration testing dashboard delivers dynamic views of pentest findings.

How penetration testing is done

In this section, you’ll learn about penetration testing tools, the phases of penetration testing, penetration testing methodologies, and reasons to use expert penetration testers.

Penetration testing tools

The best pentesters use automated tools throughout the pentesting process. Most penetration testing tools automate common exploits. NetSPI’s open source pentest tools on GitHub help penetration testers automate and understand pentest tasks. The most popular of these penetration testing tools are:

• PowerUpSQL: a PowerShell toolkit for attacking SQL Server 
• SQL Injection Wiki: a wiki focused on aggregating and documenting SQL injection methods 
• MicroBurst: a collection of scripts for assessing Microsoft Azure security 
• PESecurity: a PowerShell module to check if a Windows binary (EXE/DLL) was compiled with security features such as: ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention), and SafeSEH (Structured Exception Handling), Strong Naming, and Authenticode 
• Goddi (go dump domain info): a tool that dumps Active Directory domain information

Other types of penetration testing tools enable high-volume scanning for vulnerability discovery and improve the delivery of pentest reports. NetSPI’s Scan Monster automates and orchestrates our automated scanning activities, freeing pentesters to do more manual testing. NetSPI’s Resolve streamlines penetration testing execution and delivery. The Resolve platform correlates vulnerability data into a single view to make pentest findings more actionable.

Discover NetSPI’s open source penetration testing tools. 

Phases of penetration testing

A skilled pentester follows five steps or phases of penetration testing with every engagement.

Step 1: Plan and map the test

The first phase of penetration testing clearly defines the scope and objectives of the penetration test, as well as what tests to perform and in which order. This phase also includes careful preliminary risk planning with continency plans to minimize service disruption.

Step 2: Scan for vulnerabilities

The second phase enumerates suspected vulnerabilities identified by automated scanning tools. Virtually every tool generates false positives (vulnerabilities that don’t really exist), so a vulnerability is only enumerated when it appears across multiple automated tools, not just one tool.

Step 3: Assess the vulnerability results

In the third phase, a pentester analyzes the suspected vulnerabilities using specialized pentesting tools and manual pentesting techniques. The goal in this phase is to identify and validate exploitable entry points. 

Step 4: Gain access

The fourth phase verifies high-risk vulnerabilities comprehensively using safe exploitation techniques, such as automated pentesting tools, manual processes, and code injection. Often a goal in this step is to gain privileged access status on a networked device and then pivot between trusted network zones and move unabated from one system on a network to another system in a different security zone on the same network. The pentester fully documents the vulnerabilities that enable each successful exploit.

Step 5: Report findings

The fifth phase reports on the pentest findings ranked by severity with a focus on critical and high-severity vulnerabilities. The report includes step-by-step instructions for how to reproduce the pentester’s exploits so remediators can reproduce and fix them. 

Penetration testing methodologies

Security testing requires penetration testing companies like NetSPI to balance creative disruption and methodical, systematic structure to ensure high-quality service. A penetration testing methodology is an approach to pentesting that involves repeatable processes and many checklists. Pentesting methodologies should vary based on the business supported, the IT environment, the attack surface, and the target system or application. 

Published penetration testing methodologies and frameworks include:

• Information System Security Assessment Framework (ISSAF)
• Technical Guide to Information Security Testing and Assessment (NIST)
• Open Source Security Testing Methodology Manual (OSSTMM)
• Open Web Application Security Project (OWASP)
• Penetration Testing Methodologies and Standards (PTES)

The type of environment has a big impact on penetration testing methodology. Red teaming or adversary simulation are always, and network penetration testing is nearly always, performed on the production network. In contrast, most application penetration testing is performed in a sandbox or development environment, where a pentester can be more rigorous. We might tune a scanner to simulate 10-20 simultaneous users on a non-production system but only one or two on a production system to minimize impact. Pentesting a production system often limits the test cases to read-only. 

Runbooks, checklists, and penetration testing tools ensure broader coverage and a consistent penetration testing approach. A vulnerability found in one client’s environment can be added to a checklist for future tests.

Runbooks, checklists, and pentesting tools ensure broader coverage and a consistent penetration testing approach.

At NetSPI, we build runbooks and checklists for every penetration testing service we offer to codify our penetration testing methodology. We build our proprietary penetration testing methodologies into the Resolve penetration testing execution and delivery platform to ensure consistent delivery of service.

Why use expert pentesters

Having the right people on staff for pentesting or contracting with the right trusted partner for the work is the most critical component of any pentesting program. Only certain people have the skills, knowledge, and experience to discipline them to:

• Methodically work through the entire penetration testing process
• Effectively use the necessary tools
• Do the necessary ad hoc research required during testing
• Properly interpret, analyze, and communicate the results

Expertise is essential, because poor tool selection, a testing mistake, or the faulty interpretation of vulnerability scanner or pentest results can lead to a false sense of security. Every member of an expert penetration testing team brings insights about security risk assessments to every project. Innovation is critical, as pentesters must test ever more complex environments and new technologies. A collaborative penetration testing team produces the highest quality work when industry-leading pentesters disseminate expertise throughout the team.

Explore NetSPI’s pentesting blog, a resource for the cybersecurity community written by our expert penetration testers and cybersecurity experts.

How to choose a penetration testing company

The success of your vulnerability management and penetration testing program depends on choosing the right penetration testing partner. In this section, you learn nine criteria to choose the best penetration testing company:

1. Prioritize non-negotiables like employing a team of talented and creative deep-dive manual pentesting professionals supported by industry-leading automation technology. Skilled manual testers are essential to every pentesting service, because only a human can identify and verify complex high-severity and critical threats and eliminate false positives. 
2. Consistent, high-quality processes set the best penetration testing companies apart from the rest. A pentest company that disseminates industry-leading expertise to all its pentesters delivers the best work consistently.  

Consistent, high-quality processes set the best penetration testing companies apart.

3. Pentest companies need technology to automate and orchestrate recurring tasks, saving time so penetration testers can focus on higher-value tasks. A technology-savvy pentesting company discovers and verifies more high-risk vulnerabilities.

4. Insist on real-time reporting that can be easily sorted and acted upon; don’t settle for reams of static PDF reports. Dynamic penetration testing reports make pentest findings more useful and reduce the amount of time your team spends reviewing the reports. A penetration testing delivery platform, like NetSPI’s Resolve, reports on vulnerabilities the same day they are verified—no waiting.

NetSPI’s Resolve pentest delivery platform reports on vulnerabilities the same day they are verified.

5. Attackers innovate and so should penetration testing companies. A pentesting vendor should be agile, invest in research and development, and stay ahead of software development and cybersecurity testing trends.
6. Look for a penetration testing firm with experience in your industry vertical and other verticals. Real-world experience gained by working with clients in your industry provides immense value. 
7. Your goals and objectives are unique, so look for custom services. A penetration testing company should scope work and make recommendations according to your needs. Some pentesting companies work with you to find the right balance of how much to invest—based on the system, the type of data and information it supports, its business role, and risk exposure—not a one-size fits all approach. 
8. Top penetration testing companies can help you mature your application security program. Some penetration testing firms can support your company as it grows, from pentesting to vulnerability management. 
9. The best pentesting client experience includes a project manager to support you at every phase from scoping to delivery. 

How NetSPI can help

NetSPI partners with and provides penetration testing services to nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many Fortune 500 companies. We offer decades of penetration testing experience across many domains with a focus on best practices and an extremely disciplined process. In this section, you will learn about our industry leadership and deep expertise in penetration testing.

Penetration testing services

NetSPI is the leader in enterprise penetration testing and attack surface management. Our experts perform deep dive manual penetration testing services for application, network, cloud, and other attack surfaces. Our approach is to work closely with your team as a trusted, un-biased advisor with no interest other than the security and health of your network. 

We promise a mature, business-centered, and collaborative process with your team. We use multiple best-of-breed tools picked for your unique environmental and targeted needs, in addition to the best, highly skilled penetration testers. We deliver clear, actionable recommendations through our PTaaS service delivery platform that enables our clients to find, track, and fix vulnerabilities faster. 

NetSPI finds vulnerabilities that other penetration testing service vendors miss. With NetSPI, you get an experienced penetration testing service team, a project manager, and penetration testers with consistent and proven pentesting playbooks. 

Our consultants are also adept at assisting our clients with the development and improvement of penetration testing and vulnerability management programs.

NetSPI finds vulnerabilities that other penetration testing service vendors miss.

Penetration Testing as a Service

NetSPI uniquely delivers Penetration Testing as a Service (PTaaS) through our Resolve penetration testing execution and delivery platform. Clients love PTaaS for the simplicity of scoping new pentest engagements, viewing pentesting report results in real-time, orchestrating remediation, and the security of always-on continuous pentesting services. 

PTaaS combines manual and automated ethical hacking attempts with 24/7 scanning, consultation, streamlined communication, and pentest reporting. With NetSPI’s Resolve, you can even import vulnerabilities found by other tools and manual pentesting reports to manage in one place all your company’s vulnerabilities worldwide. Explore the features of PTaaS.

Clients love PTaaS for the simplicity of scoping new pentest engagements, viewing results in real-time, orchestrating remediation, and the security of always-on pentesting services.

Our industry leadership

NetSPI supports global organizations in protecting and securing their technology and data. NetSPI conducts more than 150,000 hours of testing every year, and we’re changing pentesting entirely. Our people, our processes, and our technology are unrivaled. We make it easier to track trends, track vulnerabilities, and improve your vulnerability management program. 

Our security experts notably:

• Author one of the industry’s top security testing blogs
• Develop leading open source pentesting tools
• Are the industry-leading experts in Azure penetration testing

Learn more about penetration testing, cybersecurity, and vulnerability management by exploring our:

• Executive blog
• Webinars
• Podcasts
• More resources

Contact Us:
Our team of security testing experts is ready to answer your questions.

The post Penetration Testing: What is it? appeared first on NetSPI.

1. What is ransomware?
2. Ransomware trends
3. Ransomware prevention
4. Ransomware detection
5. Ransomware simulation
6. Ransomware security terms
7. How NetSPI can help

What is ransomware?

In this section, you learn what is ransomware, how it fuels criminal activity, how ransomware works, and how to stop ransomware.

Ransomware, a definition

Ransomware is a set of malware technologies, hacking techniques, and social engineering tactics that cybercriminals use to cause harm, breach data, and render data unusable. Ransomware adversaries hold the data hostage until a victim pays the ransom. Increasingly, they also threaten to leak stolen data.

Ransomware is a business model for cybercriminals. Victims pay ransomware adversaries for decryption keys through cryptocurrency, such as Bitcoin. Many victims pay a second ransom to get assurance that the threat actor won’t release stolen data.

How does ransomware fuel criminal activity?

Ransomware fuels a criminal economy through five steps:

Step 1: Cybercriminals execute ransomware attacks.

Step 2: Attackers make money when they collect a ransom.

Step 3: Ransoms fund the purchase of new exploits, lists of vulnerable networks, and ransomware-as-a-service toolkits.

Step 4: Attackers use malware and exploits off-the-shelf or customize the tools to create ransomware variants and new techniques.

Step 5: Ransomware developers engage with attack partners who use the tools and techniques to perform the attacks. 

How does ransomware work?

A ransomware attack follows a series of steps called a kill chain. Most ransomware attacks follow a variation of this ransomware kill chain: gain access, escalate privileges, target data, exfiltrate data, remove recovery capabilities, deploy ransomware, and get paid.

Tip: Attackers have options, so every ransomware attack is different. Defenders must prepare to detect and block the many choices available to a ransomware attacker, not a single path.

Do antivirus and endpoint detection and response (EDR) tools stop ransomware?

Only about 20% of the ransomware tactics, techniques, and procedures (TTP) used by ransomware attackers are identified out-of-the-box by antivirus (AV), endpoint detection and response (EDR), and security information and event management (SIEM) tools. Given AV, EDR, and SIEM vendors choose to focus on limiting false positives, many true positives are missed in Windows, Linux, and mainframe environments. 

How to stop ransomware

Every step in the ransomware kill chain is an opportunity for defenders to detect and stop a ransomware attack—but you don’t need to achieve 100% detection at every step. Instead, if you can detect one or more malicious events present in most kill chains before the attackers meet their objective, then you can prevent ransomware attacks. 

Tip: Detecting a ransomware attack earlier in the kill chain delivers more value, so prioritize detective controls that enable detection when an attacker accesses systems, escalates privileges, or targets data.

Ransomware trends

In this section, learn how ransomware attackers gain access, escalate privileges, target data, steal data, and deploy ransomware as well as the average ransomware payment.

How do ransomware attackers gain access?

Ransomware attackers get into a network in many ways:

• Social engineering. Users unintentionally download and execute ransom malware via malicious emails, PDFs, drive-by downloads, malvertising, forced download, and browser exploits.
• Unpatched exploits. Most ransomware attackers use exploits that have been around for years. An attacker can easily scan the internet for websites that haven’t patched a vulnerability for which the attacker has an exploit. 
• Ransomware-as-a-Service (RaaS). Malicious software developers provide ready-made malware to criminal groups who already have access to environments or the ability break in. 
• Logins without multi-factor authentication. Without MFA to stop them, attackers gain access to the same powerful tools used daily by IT administrators who manage corporate networks and IT resources. Administrators who access IT management interfaces—e.g., terminal services, virtual private networks (VPNs), and remote desktops—often use weak passwords and do not require MFA. Attackers guess the passwords easily, find them in open source code repositories, or collect them via phishing.

How do ransomware attackers escalate privileges?

Ransomware attackers work to exploit bugs, design flaws, and configuration oversights in an operating system or application to gain access to protected databases, file shares, and business sensitive data. They often use Server Message Block (SMB) exploits, weak passwords, and insecure Active Directory configurations to gain more privileges on systems and those of trusted partners. 

Ransomware attackers may go after a subsidiary or service provider with weaker security controls and then ride the third-party trust relationship into your environment. Or vice versa: your organization may be used to spread ransomware to your customers and partners. 

What data and resources do attackers want?

Ransomware attackers search the network and systems for valuable data and resources to target, such as:

• Non-public information
• Regulated data, such as personal healthcare data (HIPAA) and payment card information (PCI)
• Operational technologies in manufacturing, industrial control systems (ICS), and other critical infrastructure
• Hardware and software supply chains
• Cyber insurance policies that reveal the maximum payout 

To find resources to target, ransomware attackers may follow a workflow like this: 

1. Perform Active Directory reconnaissance for all domain computers, SQL Server databases, and server message block shares.
2. Attempt access to file and SQL servers with privileged accounts.
3. Search for sensitive data patterns across file servers and SQL Server databases.

How and why do ransomware attackers exfiltrate data?

In addition to encrypting data and holding it hostage, ransomware attackers also upload valuable data to other systems on the internet. This enables the attacker to extort more money in exchange for a promise not to leak the exfiltrated data. 

Rather than stealthily copying the data, ransomware attackers may upload the data quickly to a website via FTP using SSH encryption. They may exfiltrate the data in one large file or in parts using common protocols such as Secure Message Block (SMB), Secure Sockets Shell (SSH), File Transfer Protocol (FTP), and HTTP/HTTPS.

Tip: You may be able to detect ransomware exfiltration by monitoring for large file uploads, excess bandwidth usage, or data loss prevention (DLP) via alternate protocols. 

How do attackers deploy ransomware?

Once they have encrypted and uploaded the data, many ransomware attackers remove the victim’s ability to recover independently. Often, ransomware families follow steps like this to deploy ransomware: 

1. Verify correct platform, language, and time zone.
2. Disable or bypass detective security controls.
3. Hunt and destroy or encrypt backups hosted in local and cloud networks as well as virtual machine snapshots. 
4. Target IT management systems that an administrator could use to recover from ransomware. 
5. Search for targeted file types, generate a unique set of encryption keys, and encrypt the target files, often with custom libraries.
6. Remove system restore capabilities by killing processes and services, removing restore points, deleting volume shadow copies, and overwriting master boot records on local workstations and servers. 
7. Propagate the ransomware using worm-like self-propagation to network shares via server message block (SMB). 
8. Remove their own files, scripts, and tools.
9. Leave payment instructions.

How much do ransomware victims pay?

Average ransomware payouts are on the rise as attackers target bigger companies, specific sectors, and markets with deeper pockets. About 1 in 4 victims pay the ransom. Some can’t afford not to pay, and some are covered by cyber insurance. To date, the largest known ransom payment is $70 million.

Ransomware prevention

In this section, learn about ransomware preparedness resources and leverage our ransomware prevention checklist.

What ransomware preparedness resources are available?

Several toolkits provide guidance to help organizations prepare for and become more resilient to ransomware: 

• Ransomware Response Checklist (CISA)
• Ransomware Guide, which includes ransomware prevention best practices (CISA)
• Ransomware Tips (CISA)
• Preparing for a Cyber Incident (US Secret Service) 
• Ransomware Protection and Response (NIST) 

Checklist: How to prevent ransomware attacks

The best ransomware protection is prevention. Invest in security and ransomware prevention to protect sensitive data and avoid paying a ransom and downtime. The following checklist of ransomware prevention best practices can help you to minimize the risk of ransomware:

• Reduce the attack surface presented by internet-facing systems, applications, and clouds. This requires an asset inventory. In general, the fewer assets you have exposed to the internet the better, so if it doesn’t need to be out there, remove it, and bring it inside your virtual private network (VPN).
• Enable multi-factor authentication. Inventory all management interfaces of internet-facing assets—e.g., email, remote desktops, and Citrix—and secure them with MFA.
• Make your vulnerability management program a priority, including asset management, configuration management, patch management, application management, Active Directory management, and cloud management.
• Segment and isolate sensitive systems, applications, data, and privilegesto slow down or block threat actors. Isolate privileges between user levels. Isolate administrative management platforms to prevent ransomware attackers from using these tools.
• Protect your backup systems. Does backup protect against ransomware? In some cases, but ransomware can infect NAS (network attached storage). That’s why off-site backups are critically important for recovery. In some cases, cloud storage is safe from ransomware, but it needs to be isolated, too. Be sure to segment and isolate access to your backup management interfaces.
• Protect and validate recovery capabilities. Test your ability to restore from backups. In addition to making sure they are functional, consider the costs and time required to restore from backups. Have an incident response plan in place.
• Test all ransomware security controls regularly through security audits, penetration testing, detective control reviews, and security awareness training.

Tip: Replicated data will replicate ransomware. Immutable offsite backups are required to restore point-in-time systems.

Tip: Tabletop exercises are a good start but not enough. Don’t assume that technical security controls will work as expected. Test them.

Should I get a ransomware cyber insurance policy?

Many organizations have used cyber insurance to recover from ransomware attacks. Because ransomware insurance losses have increased, however, common ransomware scenarios may now be excluded. The insurance company may require you to manage your risk and follow ransomware prevention and mitigation best practices before they issue a cyber insurance policy. Read the fine print of any ransomware policy to understand your coverage. 

Ransomware detection

Defenders only need to detect one malicious event to recognize a ransomware attack in progress, quarantine the attacker, and prevent damage. In this section, learn about the detective control lifecycle and how to detect ransomware.

Checklist: How to detect a ransomware attack

Successful ransomware detection requires research from which data is fed into a detective control lifecycle with the following phases: 

1. Measure and track key performance indicators (KPIs) for detective control baselines to identify gaps and improve performance in data source logging, detection, blocking, alerting, and response.
2. Identify high-impact and common tactics, techniques, and procedures based on current ransomware trends and historical data. TTPs are found in corporate annual reports, CISA, threat intelligence feeds, user groups such as Financial Services Information Sharing and Analysis Center (FS-ISAC), offensive security trends, and MITRE ATT&CK groups and software.
3. Understand trending ransomware families to identify data sources and artifacts associated with the TTPs in your environment. Maintain this list over time. Know what artifacts are left behind by each ransomware family and its known bad behavior. At a minimum, learn about the following ransomware families:

4. Map your current detective controls coverage of the identified ransomware behaviors. Ensure data sources are available to provide your security operations teams and partners with enough information to develop detections for common malicious behavior, such as file modification events, registry modification events, process creation events, image load events, network connection events, Windows endpoint security event logs, command line event logs, PowerShell event logs, NetFlow/PCAP (packet capture) data, and security event data from third-party software and devices.
5. Develop new detections that work for your environment, based on data sources and the known bad behavior of ransomware families, while excluding the known good behavior of your users.  Ensure detections cover common defensive evasion techniques.
6. Test new detections to determine fidelity, block, alert, and response levels. Ensure that alert levels trigger an effective response for high-risk behavior associated with high-fidelity detections.
7. Deploy new detections with a rollback plan. 
8. Monitor, monitor, monitor. Deploy or configure monitoring for high-risk command execution related to scheduled tasks, service manipulation, and living off the land binaries (lolbins). Monitor for the deletion of shadow copies and modifications to SafeBoot.sys (SafeBoot) and similar restore capabilities. Monitor for high CPU utilization on individual systems and across the network. Ensure security tool tampering logs are enabled and forwarded to the SIEM.
9. Repeat, because trending ransomware families and your environment will change. 
10. Continuously evolve and grow your detective control capabilities.

WEBINAR: How to Build and Validate Ransomware Attack Detections

Learn tips to make your organization more resilient to ransomware attacks.

Ransomware simulation

In this section, learn about ransomware attack simulation.

What is ransomware attack simulation?

Ransomware attack simulation is a collaborative, live test with a ransomware simulation tech-enabled service like NetSPI’s and your security operation center (SOC) team. During a ransomware simulation, we test your team’s visibility into your security controls and ability to detect each phase of real ransomware attack TTPs used by threat actors and malware.

Deliverables include a baseline report of your detective controls, a robust inventory of your security controls, custom recommendations to improve your security posture, as well as access to NetSPI’s continuous Breach and Attack Simulation platform to track your progress over time.

Tip: A ransomware simulation may identify an opportunity to stop paying for a software tool, such as a redundant endpoint detection and response tool, and free up budget for more valuable security efforts.

What is Breach and Attack Simulation?

Many companies spend millions of dollars on security controls and processes for ransomware prevention and detection, however, very few companies test if they really work. Would you know if an adversary was in your environment planning a ransomware attack? Breach and Attack Simulation (BAS) allows you to confidently answer this question.

Some key breach and attack simulation terms to understand first:

• Procedure: A procedure is a description, recommendations, step-by-step attack instructions, and other educational content related to an attack behavior.
• Play: A play is the automation of a specific manual procedure.
• Playbook: A collection of plays that can be automated, ordered, and executed to simulate real-world threats.
• Operation: Operations define the scope of plays, playbooks, and the agents they run on, as well as the scope of detective control coverage tracking.
• Agent: The software users download which runs the plays and playbooks.
• TTPs: Tactic, techniques, and procedures
  • Tactic: Tactics equate to the threat actor’s intended goal and reason for performing an action. This is the “WHY”.
  • Technique: A technique is the broad description of how a threat actor accomplishes their goal. This is general “HOW”.
  • Procedure: A Procedure is the specific action taken to accomplish the goal. This is specific click-by-click “HOW”.

NetSPI’s Breach and Attack Simulation (BAS) platform leverages a collection of pre-built procedures to simulate common attack TTPs. This helps clients determine if they can detect and respond to specific breach scenarios, including ransomware attacks, as well as other common attack types such as denial of service, data loss, fraud, information leaks and more.

Through BAS, NetSPI delivers a centralized detective control platform that gives companies the ability to create, execute, and automate pre-loaded and customized procedures. Utilizing purpose-built technology and professional human penetration testers, NetSPI can simulate real-world ransomware attack behaviors, not just IOC’s, to put your detective controls to the test in a way no other organization can and validate detection and response throughout the cyber kill chain.

Ransomware security terms

In this section are security acronyms that you may encounter as you learn about ransomware.

• AC: Access Control
• APT: Advanced Persistent Threat 
• ASR: Attack Surface Reduction
• AV: Antivirus
• C2: Command and Control
• CIA: Confidentiality, Integrity, and Availability
• CIRT: Computer Incident Response Team
• CISA: Cybersecurity and Infrastructure Security Agency
• CMDB: Configuration Management Database
• CSF: Cybersecurity Framework
• CSIR: Computer Security Incident Response
• CSP: Cloud Service Provider
• CVE: Common Vulnerabilities and Exposures
• DAST: Dynamic Application Security Testing
• EDR:  Endpoint Detection and Response
• FSISAC: Financial Services Information Sharing and Analysis Center
• GRC: Governance, Risk, and Compliance
• HIDS: Host-based Intrusion Detection System
• IAM: Identity and Access Management
• ICS: Industrial Control Systems
• IDS: Intrusion Detection System
• IOC: Indicators of Compromise
• IOT: Internet of Things
• IPS: Intrusion Prevention System
• IT: Information Technology
• ITAM: Information Technology Asset Management
• ITSM: Information Technology Service Management
• MFA: Multi-Factor Authentication
• MSP: Managed Service Provider
• MTD: Maximum Tolerable Downtime
• NAC: Network Access Control
• NAS: Network Attached Storage
• NDR: Network Detection and Response 
• NVD: National Vulnerability Database
• OSINT: Open-Source Intelligence
• OT: Operational Technology
• RaaS: Ransomware as a Service
• RBAC: Role-based Access Control
• RCE: Remote Code Execution
• RPO: Recovery Point Objective
• RTF: Ransomware Task Force
• RTO: Recovery Time Objective
• SAR: Suspicious Activity Report
• SAST: Static Application Security Testing
• SCA: Software Composition Analysis
• SEIM: Security Information and Event Management
• SEM: Security Event Management
• SI: System and Information Integrity
• SOAR: Security Orchestration, Automation, and Response
• TIP: Threat Intelligence Platform
• TTP: Tactics, Techniques, and Procedures
• TVM: Threat and Vulnerability Management
• VM: Vulnerability Management
• VPN: Virtual Private Network
• WAF: Web Application Firewall

How NetSPI can help

Reduce risk with ransomware attack simulation services

NetSPI’s ransomware attack simulation service raises the ransomware security awareness in your organization, measures ransomware prevention and detection controls, and provides prescriptive guidance to improve your ransomware security posture. NetSPI’s cybersecurity experts work with your team to evaluate your security controls against the tactics, techniques, and procedures (TTPs) used by real-world ransomware families. You can continue to use our Breach and Attack Simulation platform after the engagement to run custom ransomware exercises and develop and test your ransomware playbooks. 

Contact us to learn more and get a quote.

The post Ransomware Prevention, Detection, and Simulation appeared first on NetSPI.

• What is External Attack Surface Management?
• Beyond Asset Discovery: How External Attack Surface Management
  Prioritizes Vulnerability Remediation
  • Why Asset Discovery Isn’t Enough
  • Using an EASM Platform for Prioritized Vulnerability Remediation
• The Role of EASM in Continuous Threat Exposure Management (CTEM)
  • According to Gartner, there are 5 Phases of Continuous Threat
    Exposure Management
  • External Attack Surface Management Supports Scoping,
    Discovery, and Prioritization
• How External Asset Surface Management Relates to Penetration Testing
• Manage Your Growing Attack Surface with NetSPI ASM

External Attack Surface Management (EASM) accelerated to the frontline of proactive security — and for good reason. The technology creates a comprehensive view of a company’s external assets by mapping the internet-facing attack surface to provide better insight into changes and where to focus the attention of security teams. Gartner wrote a report that explains EASM in-depth, including why asset discovery is the tip of the EASM iceberg, and how EASM support Continuous Threat Exposure Management.¹ 

What is External Attack Surface Management? 

External Attack Surface Management provides an outside-in view across a company’s attack surface to reveal assets and potential exposures. Focusing on external attack surfaces brings the greatest security value to organizations because of the sprawling growth of external attack surfaces. In fact, 67% of organizations have seen their attack surfaces expand in the last two years.² 

EASM is useful in identifying unknown assets and providing information about the organization’s systems, cloud services and applications that are available and visible in the public domain and therefore could be exploited by an adversary. 

According to Gartner, “Common EASM capabilities include:  

• Performing external asset discovery of a variety of environments (on-premises and cloud).  
• Continuously discovering public-facing assets as soon as they surface on the internet and attribute those assets to the organization (commonly using proprietary algorithms) for a real-time inventory of assets. Examples of public-facing assets are IP, domains, certificates and services.  
• Evaluating if the assets discovered are risky and/or behaving anomalously to prioritize mitigation/remediation actions.” 

Beyond Asset Discovery: How External Attack Surface Management Prioritizes Vulnerability Remediation 

Given the inevitable sprawl of attack surfaces, many companies are embracing External Attack Surface Management solutions to discover their full scope of assets and prioritize critical remediations. 

Asset discovery is an important capability to have, and one that’s helping to drive the adoption of external attack surface management. That said, asset discovery is only one aspect of effective EASM.  

Why Asset iscovery Isn’t Enough 

While asset discovery is an important and complex step, by itself, it’s not a comprehensive measure to advance security posture. 

According to the Gartner report: 

“In order to be more actionable, EASM needs to support data integration and deduplication of findings across systems, automation of assigning the asset/issues to the owner of the remediation process and tighter integration with third party systems. These include ticketing systems, security information and event management (SIEM), security orchestration, automation and response (SOAR), configuration management database (CMDB), and vulnerability assessment tools. Some EASM provides remediation steps and guidance on prioritized issues, a dashboard to track the remediation progress, or the creation of playbooks.” 

For attack surface management to effectively improve an organization’s offensive security program, it must incorporate vulnerability prioritization and remediation tracking as well, such as with NetSPI ASM. 

See what NetSPI ASM can do for your security by watching an on-demand demo of NetSPI’s solution.

Using an EASM Platform for Prioritized Vulnerability Remediation 

Taking a penetration testing engagement from start to finish requires many phases, including steps for remediation. Tests often result in a lengthy list of vulnerabilities that are ranked by severity. At NetSPI, our differentiator is the people behind our platform. Our human team of proactive security agents has deep cross-domain experience with manual analysis of vulnerability findings to validate their potential risk to a business. This context limits false positives, reducing noise and helping security teams respond more effectively. 

Automation is a vital capability, both for asset discovery and vulnerability remediation. But when human-driven noise reduction is involved, it creates the strongest attack surface possible. 

The Role of EASM in Continuous Threat Exposure Management (CTEM)

Gartner states:  

“CTEM is defined as a set of processes and capabilities that allows enterprises to continually and consistently evaluate the accessibility, exposure and exploitability of an enterprise’s digital and physical assets. It is composed of phases — scoping, discovery, prioritization, validation and mobilization — and underpinned by a set of technologies and capabilities, of which EASM is one. CTEM is different from risk-based vulnerability management (RBVM) in that the latter is an evolution of traditional vulnerability management, while CTEM is the wider process around operating and governing overall exposure. It includes solving the identified vulnerabilities as well as optimizing processes in the future so that the vulnerabilities do not resurface. 

EASM is foundational to CTEM for two reasons. First, it provides continuous and improved visibility into assets that organizations have less control over, such as SaaS applications and data held by supply chain partners and suppliers. Second, it assesses and prioritizes resources in mitigating/remediating issues that attackers are most likely to exploit and therefore benefits organizations during the first three phases of CTEM: scoping, discovery and prioritization.”

According to Gartner, there are 5 Phases of Continuous Threat Exposure Management: 

1. Scoping 
2. Discovery 
3. Prioritization 
4. Validation 
5. Mobilization 

External Attack Surface Management Supports Scoping, Discovery, and Prioritization 

External Attack Surface Management assists in the first three phases of CTEM: scoping, discovery, and prioritization by supporting businesses through the inventory of known digital assets, continuous discovery of unknown assets, and human intelligence to prioritize severe exposures for timely remediation.  

Let’s look deeper at the first three phases in CTEM: 

• Scoping: Identifies known and unknown exposures by mapping an organization’s attack surface. 
• Discovery: Uncovers misconfigurations or vulnerabilities within the attack surface. 
• Prioritization: Evaluates the likelihood of an exposure being exploited. NetSPI ASM combines technology innovation with human ingenuity to verify alerts and add the necessary context to prioritize remediation efforts. 

In some cases, such as with NetSPI, proactive security companies take this a step further by also performing penetration testing on the identified vulnerabilities to validate they are vulnerable and to prove exploitation.

How External Asset Surface Management Relates to Penetration Testing 

The Gartner report explains: 

“EASM can complement penetration testing during the information gathering phase about the target (finding exploitable points of entry). The convergence between penetration testing and EASM will become more prominent as automated penetration testing solutions continue to emerge. 

Most penetration testing performed today is human-driven, outsourced and conducted annually (making it a point-in-time view), which is why the automated penetration testing market has emerged. Although automated penetration testing is an emerging market on its own, some vendors have already added EASM and vice versa. This is because vendors that started in the automated penetration testing market were initially only doing automated network penetration testing and not external testing. Technologies such as EASM, DRPS, BAS and automated penetration testing can collectively provide organizations with a realistic view of the full attack surface within their environment. This lets organizations test what they can or cannot prevent and detect, as well as determine how they would respond in the event of an attack. Therefore, the convergence of these technologies can better support organizations in their CTEM program.”

Manage Your Growing Attack Surface with NetSPI ASM 

NetSPI is recognized as a Sample Vendor in the Security Testing category offering EASM. We believe NetSPI Attack Surface Management solution combines cutting-edge technology with extensive proactive security expertise to provide the richest insight into the attack surface. Our team and tools empower security staff to protect an ever-expanding number of assets and address vulnerabilities with prioritized remediation actions. By making the external attack surface as difficult to penetrate as possible, companies prevent more attacks before they even start, further improving the effectiveness of security teams. 

Ready to bring proactive insights to your attack surface? Learn more about advancing your security program by talking with our team.

Gartner Objectivity Disclaimer

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

The post NetSPI’s View on the 2023 Gartner® Competitive Landscape: External Attack Surface Management Report  appeared first on NetSPI.