Offensive Cybersecurity: Why Penetration Tests Aren’t Enough

15 May 2025

To ensure the security of data and information systems, it is important to make sure that the measures implemented are effective. For this, it is essential to adopt an offensive approach. Beyond penetration testing, it is recommended to put the entire security system to the test by subjecting it to realistic attack simulation exercises.

In recent years, regulations regarding data protection and IT security have been significantly strengthened. They require organizations to take appropriate measures to prevent risks and respond to incidents. This translates into the implementation of clear security policies, raising team awareness, deploying threat detection systems, and establishing procedures to effectively respond to attacks.

Going on the Offensive 

Once cybersecurity measures are in place, it is important to test them. Investing in the protection of your systems is good. Ensuring that the measures taken are effective and that the implemented elements meet the set objectives in case of an attack or incident is better. For this, an offensive security approach must be adopted.

"Every environment has flaws and vulnerabilities. Therefore, it is important to test the security system by conducting tests. In this regard, several approaches can be considered by organizations. These range from standard penetration testing to simulating a real-world attack," explains Thomas Pianezzola, a member of the Cyberforce Offensive Security team.

"The different approaches are complementary and meet specific objectives. The aim is to identify exploitable vulnerabilities in order to correct them."

Not Limited to Penetration Testing 

To test their security systems, market players most often resort to penetration tests on well-defined perimeters.

"It is not uncommon for the regulations they are subject to require them to regularly test defined and restricted perimeters, such as firewalls, VPNs, or other specific elements of the IT system," comments Anthony Maestre, a member of the Cyberforce Offensive Security team.

"This approach primarily aims to meet compliance requirements, for example in the context of an audit. However, because they are generally very targeted, these tests do not allow for verifying the security of an entire environment or the overall effectiveness of the measures implemented. Limiting oneself to these tests can give a false sense of security."

This type of penetration test primarily ensures that configurations comply with the defined policy and that the measures taken meet the expected or required standards. Depending on the defined scope or the expected results, such tests can even prove useless.

Adversary Simulation: Putting the Entire Security System to the Test

Beyond penetration testing, it is equally essential to identify potential vulnerabilities by testing the entire security system.

"For this, we can use an approach called Adversary Simulation," explains Anthony Maestre.

"In this context, an external team like ours is tasked with trying to infiltrate the organization's system, using broader attack vectors similar to those used by real attackers. It is a simulation of a real attack."

The first objective: gaining access from the outside 

In the context of such an exercise (which generally lasts for two weeks), the Cyberforce Offensive Security team at POST looks for directly exploitable vulnerabilities by using techniques employed by attackers. For this, they may conduct phishing campaigns, use social engineering approaches, attempt to reach exposed servers, or, if necessary, try to access physical infrastructures.

"The first objective is to obtain elements such as vulnerabilities, emails, credentials, or passwords that will allow us to infiltrate the company's systems," explains Thomas Pianezzola.

"Once these accesses are obtained, we will seek to persist in the system and then elevate our privileges as much as possible by exploiting existing security flaws."

This offensive approach allows for the identification of vulnerabilities that permit access from the outside and tests the entire internal infrastructure to find points to correct in order to strengthen the organization's overall posture.

What is an Assume Breach?

"Despite our efforts, it is not always possible to infiltrate the client's system from the outside," explains Thomas Pianezzola.

"However, this does not mean that a third party would not succeed. Given enough time and resources, any system can be compromised."

If, after two or three days of attempts, the POST team has not succeeded in accessing the systems, they can propose an alternative to still test the robustness of the company's information system.

"We can then conduct a test using an approach called Assume Breach. In this case, the organization gives us access to its systems via a remote access solution such as Citrix or a VPN, for example, which allows us to simulate a compromise through a successful phishing attack, or deploy a backdoor on an exposed server, thus simulating its compromise," explains Anthony Maestre.

"Our mission is then to try to progress within the system from this access, with the aim of obtaining the highest levels of authorization possible. This objective generally requires going through various stages such as reconnaissance, establishing persistence, or compromising multiple systems through lateral movement attacks. This allows us to verify whether the security measures in place—such as segregation, incident detection and response systems, role and permission configurations, etc.—ensure optimal protection."

Discovering Vulnerabilities to Remedy Them 

Each offensive security exercise results in a documented report, demonstrating how the "attacking" team was able to infiltrate and progress within the system. The objective is to enable the organization to address the identified vulnerabilities.
