Why Attack Surface Discovery and Penetration Testing Need to Be Combined

BreachLock Attack Surface Discovery Blog Series (1 of 6)

Guest Author: Edward Amoroso
Chief Executive Officer, TAG Infosphere
Research Professor, NYU

The modern enterprise security team has many different tools at their disposal, and this can be both a blessing and a curse. Certainly, it is helpful for teams to have many different technology-based options for reducing risk, especially for complex targets such as the attack surface. But when multiple tools are used, perhaps poorly integrated and with minimal coordination, the resulting deployment can include gaps and seams in coverage.

For this reason, we believe that it is helpful for practitioners and vendors to move toward a more integrated approach to two essential defensive methods in use across many different types of organizations. Specifically, we propose that attack surface discovery and penetration testing be combined more commonly into a unified cyber defensive approach, with the goal of minimizing any vulnerabilities that might slip through these two methods.

Current Attack Surface Discovery

Most security teams have already moved their prior references to corporate perimeters to the more accurate designation of attack surface as a description of how they might draw the line between enterprise assets and external actors. Zero trust has emerged as an effective design paradigm that supports how external actors, both trusted and untrusted, are allowed (or disallowed) access to assets accessible across the attack surface.

Discovering an attack surface is easier said than done. Our observation is that defensive controls, while excellent at collecting data to perform analysis and then drive mitigation, are generally weak at discovering the specifics of an attack surface. Scanning, for example, is notoriously prone to missing large swaths of an attack surface that might be less well known, unmanaged, or even undocumented.

Current Penetration Testing

We believe the solution to this discovery gap involves adopting a more offensive approach to cybersecurity, in general, and attack surface management, in particular. One of the most powerful means for implementing offensive methods including both brute force and heuristic attack surface discovery, involves the familiar technique known as penetration testing or alternatively ethical hacking.

Despite the prevalence of manual penetration testing in most environments, emphasis on offensive cybersecurity remains less than optimal. When analyzing the return in investment from defensive versus offensive investments, the TAG team routinely observes that offensive security produces superior results. Automated penetration tests not only pinpoint the existence of subtle vulnerabilities but also proactively closes found entry points in an attack surface.

Combining the Approaches

CISOs are thus advised to explore the integration of their existing defensive controls with advanced penetration testing. This is important because penetration testing has always been one of the most effective means for driving an offensive approach to cyber risk management. In our estimation, combination of offensive and defensive controls might be one of the most effective strategies for closing the gap in current cyber threat management.

We expect that this integrated approach should not only be viewed as a best practice, but that will soon become a more mandatory requirement in the context of important frameworks. The compliance process for public companies to protect investors, for example, can and should include greater focus on whether than company is suitably using offensive testing to identify weaknesses in the attack surface.

How BreachLock Supports a Combined Approach

The commercial BreachLock platform focuses specifically on continuous attack surface discovery and advanced penetration testing. The platform uses collected data to help in-house penetration testing experts make well-informed decisions around vulnerability identification, prioritization, and mitigation. The result is an excellent means for integrating offensive and defensive controls into a more unified defense.

This is good news because buyers of the BreachLock platform should not have to introduce major initiatives to drive integration of offensive and defensive controls. Such integration is native to the continuous, automated platform and should help with both threat reduction and security compliance. We strongly recommend that security teams seriously consider increasing or accelerating such focus.

About BreachLock

BreachLock is a global leader in Continuous Attack Surface Discovery and Penetration Testing. Continuously discover, prioritize, and mitigate exposures with evidence-backed Attack Surface Management, Penetration Testing, and Red Teaming.

Elevate your defense strategy with an attacker’s view that goes beyond common vulnerabilities and exposures. Each risk we uncover is backed by validated evidence. We test your entire attack surface and help you mitigate your next cyber breach before it occurs.

Know your risk. Contact BreachLock today!

About TAG

TAG is a trusted next generation research and advisory company that utilizes an AI-powered SaaS platform to deliver on-demand insights, guidance, and recommendations to enterprise teams, government agencies, and commercial vendors in cybersecurity, artificial intelligence, and climate science/sustainability.