Penetration testing—lovingly known as “pen testing” or even ethical hacking—is the practice of proactively pushing the boundaries of your own security protocols to see if you can get past them. It’s a crucial part of a proactive security program, because it helps teams identify their own vulnerabilities and patch them—before they can be targeted by actual bad actors.
In today’s episode, Security Sandbox heads across the globe for a special takeover episode by Relativity's Marcin Święty and Bart Czyż, for a dialed in conversation with offensive cybersecurity and pen tester extraordinaire Julio Cesar Fort, on the intricacies of modern-day penetration testing and how you can elevate the everyday skills of your team to help them excel in offensive cybersecurity techniques.
Listen to the full episode right here on The Relativity Blog, and scroll down for a partial transcript of the conversation.
Marcin Święty: Bart, let's start with cutting to the chase. What is a successful pen test?
Bart Czyż: For me, as a blue teamer, a successful pen test is the one that actually results in improving the security posture of a company. I don't really care about, for example, how far a pen test goes. Are pen testers able to achieve the crown jewels? From my perspective, it's more important to actually make the security posture better as a result of pen test engagement.
Marcin: In our industry, there is a saying that “nothing brings better awareness to our decision-makers than a breach.” Julio, your company, Blaze, is doing offensive security efforts across the globe. Have you seen a successful pen test bring that awareness before a real-time breach? Or do you ever feel that your work might just end up a paper in a drawer?
Julio Cesar Fort: The latter happens more often than not, unfortunately. I think that there are two big drivers when it comes to cybersecurity in an organization; maybe three if you stretch it a bit. The main drive is engineering. That's what you guys are doing at Relativity, with a strong security program, product security team, and so on. A lot of the engineering is driving security and vice versa.
But from a commercial standpoint, a lot of the driver is actually compliance, especially with SOC 2 becoming very ubiquitous across Europe and the States, as well as other regulations like GDPR and so on. They’re pushing organizations to perform cybersecurity assurance services, such as penetration testing. And a lot of it is actually driven by compliance, which can be just a kind of a tick box. They want to check that box and please the auditor, whenever he comes. And they sometimes don't care so much whether the results are good. Sometimes they care about the results because they want to look good in front of a business partner, like, for example, when you have to do third-party security assessments. But unfortunately, I would say that half the time, people just want that paper. They just want that rubber stamp from an auditor and off you go. Obviously this is kind of a bummer in many, many aspects.
But one of the things that I have seen bring a lot of awareness and actually change things was internal audit teams. They usually have the ears of the board, of the C-levels. I have seen serious changes, within a year, when a team like that sees the storytelling of vulnerabilities discovered. A lot of extra budget appeared for the security team, some of the right tooling, some of the right mitigations fell into place.
Marcin: Do you feel a pen tester needs to be good at client-interfacing activities? Is it an important part of the job?
Julio: At the end of the day, this is professional service, just like anything else. This is like accounting or being a lawyer or anything else. It's like consulting. It's true that some guys want to be left alone, doing their thing, and that's fine. But at the end of the day, the people who truly progress in their careers are the ones who are not only technically capable and gifted, but also put in the effort to be good at client interactions. This is actually tough to learn, but I truly believe that, yeah, if you want to properly progress in a career, knowing how to write really well, write good reports, explain things properly, and be client facing is super important.
Marcin: Bart, how do you make sure that you and your team keep up with the evolving threat landscape?
Bart: Pay attention to all the available threat intelligence. See what's used in the world, what the new techniques are, and try to emulate them in your environment. It's an internal red team assessment or internal adversary assessment or so-called adversary evaluation, and it's a great way to not only improve your offensive security skill set, but also one of the best ways to improve your defensive posture. You know exactly what visibility you're going to have whenever a true adversary attacks your organization. An adversary attacking your organization is—it's not a question if it happens, but when it happens. So you have to stay on top of it.