When grappling with today’s daunting cybersecurity threats, there’s checking the boxes, and there’s blasting right through the boxes to an effective solution.
Regulatory requirements and client demands have forced companies across industries to make cybersecurity a board-level concern. But given last year’s staggering cybercrime losses — the FBI’s 2022 Internet Crime Report pegged them at more than $10.2 billion, up from $6.9 billion in 2021 and $4.2 billion in 2020 — companies going on the offensive against the threat are seeking help from skilled hackers.
“It’s coming out of the shadows of technical IT areas,” JT Gaietto, chief security officer for Digital Silence, said on a recent PlexTrac webinar. “There’s much more interest in getting a comprehensive look at what the threat profile looks like and getting value out of an end-testing engagement.”
More tailored and realistic tests
What’s key, Gaietto said, is that companies understand what they’re getting in a cybersecurity test. A true penetration test does much more than scan for vulnerabilities: human testers attempt to exploit any discovered vulnerabilities to show what a real threat actor could accomplish.
But clients increasingly want even more: interactive, tailored, realistic tests of whether their controls and systems offer the expected protections. In response, Digital Silence has begun offering what it calls heliotropic testing, which costs about 20 percent more than a typical engagement.
“So it’s not a massive cost increase, but the amount of value that comes along with an engagement like this is massive,” Gaietto said.
The results can be true difference makers, even by simply helping companies make the most of their existing resources.
Digital Silence recently worked with a client to assess roughly 4 million lines of code written in the late 1990s, said Victor Teissler, Digital Silence’s penetration practice lead. Although the code was riddled with vulnerabilities, many of the standard tools used to assess the massive, complex application came up empty.
Digital Silence testers tried various methods, learning extensively about the application in the process. Through their testing, they realized that the company had some relatively expensive static analyzers — which are supposed to analyze source code for security vulnerabilities — that were providing no value. Digital Silence got those working correctly. Examination of the application from different perspectives also identified vulnerable programming patterns, and Digital Silence offered recommendations about removing the most vulnerabilities with the fewest code changes.
“This garnered interest from the higher levels at the company and started a discussion about the secure software life cycles,” Teissler said.
The conversation that evolved extended from high-level to low-level considerations, putting Digital Silence in a position to bolster the company’s internal efforts.
“Leadership of that organization started saying, ‘Wait a minute, not only did we have this point-in-time test, but we’re getting a lot more value from this collaboration,’” Gaietto said. “It really did accelerate their program overall.”
Starting from the bottom up
Not every company is ready for a comprehensive pen test. If its cybersecurity has been rudimentary, it may need to start with the basics and slowly advance. For example, security patches — basically, updates to fix vulnerabilities — have been a topic since the mid-1990s, but they remain important, Gaietto said.
“The organizations that aren’t doing anything at all are the most at risk,” he said.
But as companies’ cybersecurity measures mature, they can’t rest on their laurels. Threat actors have extensive resources and sometimes large teams, and automated cybersecurity solutions have limits.
“When those tools are deployed to the best of their ability, they do a great job,” Gaietto said. “I’m not trying to be derogatory. But threat actors are still winning.”
Another client approached Digital Silence after making big network changes and heavy investments in monitoring, Teissler said.
For the first third of the engagement, Digital Silence tried to penetrate the client’s systems as quietly as possible, logging all of its actions. Eventually, the client discovered the testers, but it took four or five days. The exercise allowed the client to fine-tune its systems against the stealthy techniques associated with modern criminals, Teissler said.
Articulating the issues
But sometimes, the final hurdle is communication.
Cybersecurity testing doesn’t produce results without actionable reports that make sense to the layperson. Digital Silence emphasizes clear communication; it now uses PlexTrac’s solutions to make that reporting process more efficient, cutting the time it takes by about 50 percent. In a world suddenly overwhelmed by cybersecurity needs, that time savings is significant.
“You could be a great hacker or investigator, but if you can’t document it — if you can’t articulate the issue and deliver it to the customer — it doesn’t mean anything,” Gaietto said. “That is a huge piece of what we do on a daily basis for everybody.”