What is a Threat Intelligence-Led Penetration Test?

No time to read? Listen to this episode here:


Before we jump into the business of the day, here are the cybersecurity news you might've missed this week:


  • The DOJ is getting serious about the ransomware threat. The US Department of Justice is now treating ransomware attacks with the same priority level as terrorism. As a Martha's Vineyard ferry was the latest service hit by an attack, the DOJ released an internal guidance report, outlining the responsibilities of a recently created task force in Washington. The task force will track all US ransomware cases, the threat actors responsible, as well as their tools, tactics, and procedures.

  • White House warns the private sector to take cybersecurity seriously. The White House has tasked enterprises and small businesses alike to take conscious steps to improve cybersecurity. According to an open letter, Deputy Assistant to the President, Anne Neuberger, noted that the private sector has a vital responsibility to protect itself against these very real threats. This is coming in the wake of brutal ransomware attacks that knocked Colonial Pipeline and JBS out of business for days.

  • New discovery reveals Google PPC is now used to deliver Infostealers. In a recent advisory posted by Morphisec, Google's pay per click (PPC) has been discovered to be the origin of malicious packages. These paid ads directed unsuspecting users to download Dropbox, AnyDesk, and Telegram packages disguised as ISO images.


And now to the topic of the day.


What is a Threat Intelligence-Led Penetration Test?


Threat Intelligence-led penetration testing is, essentially, an approach where the testing team is using cyber threat intelligence to emulate the tactics, techniques and procedures (TTPs) of an adversary against mission-critical systems, also known as "Crown Jewels", in real-time.


A number of frameworks for such testing exist, namely UK’s CREST STAR (Simulated Target Attack and Response) or CBEST, TIBER-EU (Threat Intelligence Based Ethical Red teaming) framework, as well as the Hong Kong-based iCast approach.


This is often contrasted with "traditional" penetration testing, where the testers would disregard threat intelligence and would instead perform the testing solely based on an IT security framework, or in some cases their experience and expert judgment.


Why Does This Matter?


Simply put, "traditional" penetration testing may lack real-world context and can be less applicable to combating actual threat actors.


In general, these days there is an interesting duality to proactive cybersecurity of any kind: on one hand, many public and private companies are obligated to perform certain actions (included, but not limited to penetration testing) to fulfill regulatory obligations or business partner requirements, and on the other hand, there is a growing and well-justified concern within the C-suite that a single successful attack can effectively end not only their respective careers but the organization itself.


While an annual penetration test may be enough for a "checkmark" approach, experienced technical execs understand that, ultimately, cybersecurity is a business support and risk mitigation function, and its main purpose is to predict, prevent, and respond to actual cyber attacks. The degree of regulatory compliance or alignment with a certain security framework, such as ISO27001, or COBIT2019, may not necessarily correspond to the organization's readiness to combat real-world cyber threat actors.


The Penetration Testing Process


Despite their differences, both "traditional", and Threat Intelligence-led penetration tests utilize a fairly similar high-level approach and have a number of phases in common.


Phase 1: Planning and Intelligence Collection


As the name implies, this phase is unique to Threat Intelligence-led testing and deals with defining specific targets (such as particular database servers storing sensitive data, mission-critical systems and processes, and more), high-level attack planning, and researching the relevant real-world cyber threat actors.


As many cybercrime groups use particular and sometimes unique tools, tactics, malware, and methods to compromise their targets, this step is crucial in making the test as lifelike as possible.


To prevent any inadvertent damage to systems or business operations, the team would often discuss the Rules of Engagement with the client organization. These Rules specify which methods of testing should be avoided, how far should the testing team go, and what should be done when the compromise of a particular system is established.


Phase 2: Scanning


Based on findings from the previous phase, the tester then scans your infrastructure to reveal any potential weaknesses. Both testers and actual attackers typically use a combination of scanning tools, as well as some manual hands-on work to discover all possible vulnerabilities.


Phase 3: Exploitation


This step involves launching a direct attack on the target system. The testers would typically make good use of backdoors, SQL injection, cross-site scripting, and other methods to exploit the discovered vulnerabilities. If allowed by the Rules of Engagement, social engineering or even a physical entry into the premises would be attempted.


Once "in", the testers will exploit any discovered lapses via overriding privileges, intercepting traffic to targeted servers, exfiltrating data, and more – in a bid to determine the damage they can cause, and in accordance with the expected behavior of a cyber threat actor.


For example, in cases where mission disruption is the goal, the testers would not necessarily aim to exfiltrate any sensitive data - after all, that's not the point. In some cases, however, the installation of ransomware and/or data exfiltration is a realistic aim for both the testers and the financially motivated cybercriminals.


Phase 4: Analysis and Recommendations


This phase is dedicated to collecting and collating the information regarding the discovered vulnerabilities, the steps that the testers took and their respective results, detailed mitigation recommendations for each of the weaknesses, and more. Some organizations - such as Wembley Partners ;) - would also include a complimentary threat intelligence analysis, strategic cyber risk briefing, and the associated recommendations into their findings.


Phase 5: Reporting


This final phase would typically see the testing team and the client organization sit down for a detailed report walkthrough and Q&A session. Ultimately, the goal of any penetration test is to uncover any and all existing ways in which an organization can be successfully attacked by a well-equipped and motivated cybercriminal, as well as making sure that immediate and realistic measures are taken to prevent them from doing so.


Like this content? Subscribe to our newsletter to get weekly cybersecurity insights and top news - straight to your mailbox!

Recent Posts

See All