Unlock the State of Pentesting 2023! Explore 3,100 pentests with expert insights on vulnerabilities, security challenges, & maximizing pentest value.

Penetration Testing and the Inequality of Time

Attackers have infinitely more time to breach a system than we do to defend it. Learn how to minimize the gap.

I know it’s hard to believe but I was once a technical person. I spent the early part of my career as an offensive security person focused on penetration testing everything from applications, to infrastructure, wireless, and compiled code. I loved the work. I learned a ton and made some of the best friends I could ever ask for. Back when I was a pentester (insert old man jokes here) the bulk of what we did was manual in nature. Occasionally we wrote some perl scripts or shell code to execute repetitive tasks, but penetration was a manual process conducted by highly skilled individuals.

At some point we realized that executing security assessments in a fully manual black box assessment methodology was highly inefficient. One of the ways to fix the problem was to use more and more tools of automation - and we did. But another way to fix it was to solve what I call the “inequality of time” problem.

The Problem: Inequality of Time

The inequality of time problem stems from the fact that there is a mismatch between the time available to an assessment team and the time available to the attackers. When conducting a penetration test or security assessment, companies are always limited on the amount of resources they can throw at the problem. They either have a finite number of people available, time for those people, or money to contract with the right people.

When I was working offensively, the running joke was that our firm could do any project in two weeks with two people for $20,000. The catch was that we would just scope the problem down to a level of assessment that we could achieve in that time-boxed approach. Attackers, on the other hand, have the luxury of infinite time. If they are dedicated and focused, they can take all the time that they need to penetrate your defenses. This inequality of time makes it nearly impossible to keep up with the amount of resources required to win the battle against a dedicated attacker.

Leveling the Playing Field

One of the things that the best security assessment firms do really well is attempt to manage the “inequality of time” by finding ways to make the time disparity closer to equal. It can never be truly equal, and we know that. However, the closer we can get to equal, the better our chances of stopping an attack. The most effective way to close the time gap is to convert from a traditional blind penetration assessment model to a highly informed and programmatic approach.

Part of the time conducting an assessment is simply focused on understanding the lay of the land. Discovery of the attack landscape takes a significant portion of a tester's time. What if we could completely do away with that requirement?

In the past we did this by lifting the curtain and giving the testing team access to everything and anything needed to speed up the process. We would give them full details including architecture diagrams, application code, workload details, process specifics, and even logins to all systems being tested. This did a great job of getting the test team up to speed much faster and able to find a higher percentage of issues at a rapid rate. Assuming we had up-to-date information to provide to them, the offensive team could use those details to get up to speed faster with our infrastructure, thus uncovering more of our outstanding risks.

In addition to a constantly updating view of your cyber assets, it’s also important to understand the relationships that exist between the assets. For example, knowing that you have workloads running specific code, that was committed by a certain person, and the training level of that person goes a long way to tracking down problems and issues within the environment. From an assessment vantage point, knowing the relationships between assets helps the team understand process flows, logical points of attack, as well as determining where trust boundaries exist that may be exploited to maximum efficiency.

Cyber Asset Management and Security Assessment Join Forces

Documentation always seems to come last. I’m rarely in a situation where I am told that everything has been properly documented and is available in a consumable format. That almost never happens. With cyber asset management and governance tooling, the collection, documentation, and tracking of your global infrastructure can be fully automated, making it easier to engage security assessment teams.

Cyber asset management and governance solutions focus on continuous discovery, visibility, and security of the cyber assets that exist in your technology universe. Discovery and collection of pertinent metadata from your systems and tools is exactly what an assessment team needs to approach the problem in the most informed and efficient way possible.

When you augment your assessment processes with in-depth, detailed visibility into the current state of your environment, you get way more out of the testing team. JupiterOne and Cobalt are coming together to help both groups of users increase their ability to get their jobs done on a daily basis.

So that’s my secret to cybersecurity: automate with purpose and context. Close the gap. And stay ahead of the curve. If you're looking for practical steps on how to achieve that, join the upcoming webinar "Pair Cyber Asset Visibility with Pentesting to Fight the Clock Against Hackers" on November 16th.



Back to Blog
About Tyler Shields
Tyler is Chief Marketing Officer at JupiterOne. He's a former Forrester analyst, engineer, product manager, and marketing executive. Prior experience includes starting, leading, and growing companies such as CA Technologies, Sonatype, Signal Sciences, Veracode, Symantec, LURHQ, Secureworks, and @Stake. He is a well known expert in entrepreneurship and innovation in the cyber security market, having spoken at many major industry conferences. His expert commentary has been referenced online and in print by publishers such as Rolling Stone, Bloomberg, Forbes, Reuters, and the LA Times. Additionally, Tyler has contributed to multiple television and radio interviews for both National Public Radio and the BBC. More By Tyler Shields