Effective Penetration Testing: Aligning with Threat Intelligence to Raise Cyber Resilience

Author: Paul Pols, Lead Ransomware Resilience at Secura/Bureau Veritas

Modern Penetration Testing Challenges

A penetration test is only as effective as its ability to accurately emulate the complex and evolving cyber threats targeting organizations. Traditionally, penetration testing often remains narrowly focused on systems that organizations identify as the most valuable: their “crown jewels”. This limited focus may not fully align with the tactics and techniques of actual threat actors, who frequently exploit vulnerabilities in supporting systems to navigate through an IT infrastructure.

Modern cyberattacks often start with seemingly minor breaches that can significantly escalate. For instance, attackers could compromise an employee’s or supplier’s endpoint device or steal credentials for external interfaces. They could use these initial footholds to further penetrate the network through tactics such as privilege escalation and lateral movement. This enables them to access the crown jewels directly, with administrative privileges acquired elsewhere. Moreover, threat actors may target other systems within the organization that, while not considered “crown jewels”, are nonetheless crucial to the organization's operations.

This discrepancy underscores the need for a shift in how penetration tests are scoped and conducted, ensuring they cover broader and more realistic threat scenarios based on the latest threat intelligence about the tactics of relevant threat actors.

The Crucial Role of Threat Modeling

Threat modeling is a structured process that identifies potential threats within an organization's network, to understand the infrastructure from an attacker’s perspective and to develop robust defenses. Here’s a streamlined overview of the process:

1. Continuous Threat Intelligence Analysis: It is important to continuously monitor and analyze threat actors and their tactics, techniques, and procedures (TTPs). This intelligence helps identify which threats are the most relevant to specific organizations, typically influenced by the sectors in which they operate. We use this approach to tailor our threat models to better reflect the unique risks and challenges faced by each organization.
2. Threat Modeling on Infastructure and Assets: Understanding the infrastructure and identifying critical assets that attract potential attackers help pinpoint relevant threats and likely attack paths. This analysis is crucial for mapping out where an organization is most susceptible to attacks based on the operational context and relevant TTPs. We typically perform this step through a threat modeling workshop with key stakeholders. The end result of threat modeling can often be a strategic roadmap or detailed penetration testing calendar, aligning future security testing with identified threats.
3. Validation and Risk Assessment Through Penetration Testing: By simulating real-world attacks through penetration testing, we validate and complement identified threats and assess their potential impact and likelihood to determine their risk. This step is integral for prioritizing which threats need immediate attention and determining the effectiveness of current defenses. The results of penetration testing can guide strategies for risk mitigation, ensuring that security efforts are concentrated where they are most needed.

Frameworks such as STRIDE, the Unified Kill Chain, and MITRE ATT&CK™ provide structured methodologies for identifying and simulating the tactics an attacker might employ. Applying these frameworks ensures comprehensive assessments beyond obvious vulnerabilities, covering all aspects of organizational security.

This article was originally published in our Cyber Vision Series on LinkedIn about the changing nature of cybersecurity, and the future of cyber resilience.