I wanted to explain some of the challenges with penetration testing in this article, but first, you must know a little bit about my background. I’m an ex-Royal Navy Communications Technician – my old branch is now labeled as Cryptologic Technician (in my day we couldn’t even say the name “cryptographic” – still a CT nonetheless). I left as a Chief Petty Officer CT analyst over 20 years ago. I didn’t realize it back then, but what I learned would set me up to really understand how to think logically and critically. It may sound silly, but it really is a skillset. So, regardless of the wonders of AI – critical and creative thinking is still going to be important in life.
We had some very smart women in my CT qualifying class, and one girl changed my way of thinking and learning for life. We had to learn long lists, sometimes very long lists. She taught me word association and other remembering and learning techniques to memorize lists. I was never taught how to learn – so that moment changed a lot of my thinking. At that time in my life, I was told repetition was the only way to learn. Spoiler alert – it’s not. We really should teach people how to learn not just what to learn.
Enter the world of penetration testing, where not so much long lists but logical and often out-of-the-box thinking is required. If you like puzzles, you will enjoy penetration testing. Pentesting is mimicking bad actors’ cyber-attacks on companies’ IT infrastructure and people. It often involves various stages like recon, enumeration, exploitation, and post-exploitation.
Later, I was told there are two types of Penetration Testers similar to two types of gamers. There are the ones that rush through the games to get to the end and the ones that collect all the tokens and points along the way. A good Penetration tester has to be both.
So now we get to the first problem. A pentester often has a specific DNA. Rarely do they operate in very large teams – way too expensive and not always better – so the tactics, techniques, tools, and procedures they habitually use are their fingerprint, their unique DNA. Whether rushing to get to the end or collecting everything along the way, the tester will have a unique fingerprint. I mean, pentesters rarely have time to keep doing courses or learning the next new shiny tool that comes along (often attending conferences, reading blogs, etc. to find that out and keep current), so a tester tends to keep to what they know best.
So, problem one – the results of the test will be dependent upon the DNA of the tester. You hope the tester uses specific methodologies etc. But is it the case that more testers will equal more DNA? Not always. There is, however, a growing trend of crowdsourcing testing. When setting up RedSpy365 I knew that it had to be a combination of multiple testers’ DNA.
It is why I’m building the marketplace for RedSpy365 (and why we added the Tool Access Portals – TAPs – for RedSpy365). The idea of the marketplace and TAPs is to collect the DNA of hundreds if not thousands of testers. Think of it as flipping crowdsourcing on its head – instead of asking a thousand testers to attack one IP, we ask those same thousand testers to tell us how, via our orchestrator (which extracts the DNA in a format RedSpy365 can use), they would attack the IP. In effect, this adds to the DNA of RedSpy365. There may be some duplicates – but the content creator can see the duplication and perhaps alter the technique.
Also think of the TAP and Marketplace as the “App Store” for RedSpy365.
So that solves problem one. Via the RedSpy365 ecosystem, we can now be an army of testers. The marketplace/TAPs have other unique aspects as well; for example, they have their own cryptocurrency, a crypto fabric, and can package up the DNA collected via the orchestrator in an NFT. We won’t delve too deep into all of that, but it’s exciting and enables content created by content creators to stay inside the ecosystem, and it rewards those same content creators for their work. We will explain more in a later article at some point.
The other problem was time. We solved this early on in RedSpy365 by moving penetration testing from the traditional photograph to the movie. By continuously testing and highlighting the deltas (i.e. the differences, perhaps a new port, service, risky IP, FQDN etc.) we are able to move from a photograph to a movie. Also, in doing this we can hand the mundane tasks off to automation, freeing the tester to be creative – and if that creativity is captured via the orchestrator in RedSpy365 it can be replicated and shared with all clients – again, another force multiplier.
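To make the “photograph to movie” idea concrete, here is an added example (my own illustration, not RedSpy365 code) of the delta step: two consecutive attack-surface snapshots are parsed and only what changed between them is reported, which is the signal a tester or client wants to see each cycle rather than the whole inventory again. The CSV-style snapshot layout, the `Exposure` record, the function names and the sample hosts (TEST-NET-3 addresses and example.net names) are all assumptions constructed for this example.

```python
"""Delta detection between successive attack-surface snapshots (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True, order=True)
class Exposure:
    host: str      # IP address or FQDN as the scan reported it
    port: int
    proto: str     # "tcp" or "udp"
    service: str   # service fingerprint string from the scanner


def parse_snapshot(text: str) -> dict:
    """Parse 'host,port,proto,service' lines into a dict keyed by (host, port, proto).

    The CSV-style layout is an assumption for this example; a real pipeline
    would read whatever the scanner emits (Nmap XML, JSON, ...).
    """
    inventory = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, port, proto, service = (f.strip() for f in line.split(",", 3))
        exp = Exposure(host, int(port), proto, service)
        inventory[(exp.host, exp.port, exp.proto)] = exp
    return inventory


def diff_snapshots(previous: dict, current: dict):
    """Compute the deltas between two snapshots.

    Returns (new, gone, changed, new_hosts, gone_hosts):
      new       - exposures present now but not last time (new port/service/host)
      gone      - exposures that disappeared (closed port, decommissioned host)
      changed   - same host/port/proto but a different service fingerprint
      new_hosts / gone_hosts - IPs or FQDNs that appeared or vanished entirely
    """
    prev_keys, cur_keys = set(previous), set(current)
    new = sorted(current[k] for k in cur_keys - prev_keys)
    gone = sorted(previous[k] for k in prev_keys - cur_keys)
    changed = sorted(
        (previous[k], current[k])
        for k in prev_keys & cur_keys
        if previous[k].service != current[k].service
    )
    prev_hosts = {k[0] for k in prev_keys}
    cur_hosts = {k[0] for k in cur_keys}
    return new, gone, changed, cur_hosts - prev_hosts, prev_hosts - cur_hosts


def hours_since(observed_iso: str, now_iso: str) -> float:
    """Age of a delta in hours: the longer a new exposure sits unreviewed,
    the less the finding is worth and the longer an attacker has had it."""
    observed = datetime.fromisoformat(observed_iso).astimezone(timezone.utc)
    now = datetime.fromisoformat(now_iso).astimezone(timezone.utc)
    return (now - observed).total_seconds() / 3600.0


def render_report(previous: dict, current: dict) -> list:
    """Human-readable delta lines: only what changed, never the full inventory."""
    new, gone, changed, new_hosts, gone_hosts = diff_snapshots(previous, current)
    lines = [f"NEW HOST   {h}" for h in sorted(new_hosts)]
    lines += [f"GONE HOST  {h}" for h in sorted(gone_hosts)]
    lines += [f"NEW        {e.host}:{e.port}/{e.proto} {e.service}" for e in new]
    lines += [f"GONE       {e.host}:{e.port}/{e.proto} {e.service}" for e in gone]
    lines += [f"CHANGED    {o.host}:{o.port}/{o.proto} {o.service!r} -> {c.service!r}"
              for o, c in changed]
    return lines


# Constructed sample snapshots (documentation address range and example.net names).
PREVIOUS_SNAPSHOT = """
# constructed snapshot, taken 2024-05-01T00:00:00+00:00
203.0.113.10,21,tcp,ftp
203.0.113.10,22,tcp,ssh
203.0.113.10,443,tcp,https
www.example.net,443,tcp,https
"""

CURRENT_SNAPSHOT = """
# constructed snapshot, taken 2024-05-02T00:00:00+00:00
203.0.113.10,22,tcp,ssh
203.0.113.10,443,tcp,https
203.0.113.10,8080,tcp,http-proxy
www.example.net,443,tcp,https nginx/1.18
dev.example.net,3389,tcp,ms-wbt-server
"""

if __name__ == "__main__":
    prev = parse_snapshot(PREVIOUS_SNAPSHOT)
    cur = parse_snapshot(CURRENT_SNAPSHOT)
    for line in render_report(prev, cur):
        print(line)
    print("oldest unreviewed delta age (h):",
          hours_since("2024-05-01T00:00:00+00:00", "2024-05-02T06:00:00+00:00"))
```

Running it lists one new host, two new exposures (the proxy on 8080 and RDP on the dev host), the FTP service that went away, and the changed fingerprint on the web front end; everything unchanged is suppressed. Keying on (host, port, proto) rather than on the whole record is what lets a service change show up as “changed” instead of as one removal plus one addition.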
The move to continuous removes the time barrier. To me, and why it’s important to know a little bit about my background, the value of intelligence diminishes over time. We need to note a new risk, test its impact, and identify remediation and detection as soon as it is discovered. The more time ticks by the less valuable that information becomes and the more likely that some bad actor can take advantage of it. The value lies in getting the information to the right people as soon as possible so that the decisions being made are made with the most accurate data available. It’s why a move to continuous penetration testing makes sense.
For Penetration Testing as a Service (PTaaS) to be effective and therefore valuable, it must deliver a constant stream of new content in a timely fashion. That content must be packaged in a way that is both formatted and secured, so that the new content can be ingested and used immediately.
Again, think of the ecosystem of the iPhone and App Store, except with its own crypto fabric. It’s what we are striving for in RedSpy365. In another article, I will delve into how we ingest institutional knowledge into RedSpy365 so context can be applied to testing. Offensive Security will change, as does everything, and hopefully you can come along on that journey with us. I think most people are excited by the end results, but often it’s the journey and what we learn along the way that is just as important.