One of the most frequent questions my team and I get asked is: “Can you help us build a test plan?” In fact, 59% of security practitioners cite a “lack of systematic approach to defining testing (e.g., lack of testing plan) as one of the top barriers to assessing control effectiveness,” according to a recent SANS Institute poll.
Since testing the effectiveness of your controls is imperative to knowing your true security posture and assessing your preparedness for a cyber-attack, we have set out below a few high-level guidelines to help you get started with building your own cybersecurity testing plan.
Step One: Select Your Approach
With so much to test against, it can be overwhelming to know where to start. The important thing is to start somewhere, and then continue with your approach until you’ve covered all your bases. Here are five methodologies to choose from:
Attack vectors: From pre-exploitation (attack delivery via email, web or app), to exploitation (system compromise) to post-exploitation (e.g. lateral movement and data exfiltration) – challenging defenses deployed against each vector of the cyber-kill chain ensures you can defend against sophisticated cyber-attacks, such as advanced persistent threats (APTs).
MITRE ATT&CK™ framework: By methodically challenging your current security controls with over 290 techniques mapped to the enterprise ATT&CK matrix, you can ensure you have covered all the basics.
Threat types: If your top concern is defending against ransomware, spear-phishing, Trojans, cryptominers or cryptostealers, then challenging your defenses with simulations of these threats can help alleviate your topmost concerns.
In the wild: Can your controls detect the very latest threats currently disseminated in the wild? By challenging them with the Indicators of Compromise (IoCs) and techniques of the newest strains, you can ascertain your organization’s defensibility. Note that this approach can safely be utilized alongside the others, as it specifically covers the newest strains.
APT groups: State-sponsored cybercrime groups are known to target specific industries and specific countries. By mimicking the techniques, tactics and procedures (TTPs) distilled from these groups’ attacks, you can start addressing any geopolitical concerns.
Step Two: Automate What You Can Repeat
Security risk assessments should not slow you down, but rather enhance what you already do. To avoid incurring extra overhead, consider doing the following:
Build test templates: Choose what to test in advance and create your own test templates, so you can be methodic about what you test. Gain consistency by challenging controls, tweaking them, and then run the same set of tests again.
Schedule tests in advance: Define cyber-attack simulations to run on an hourly, daily or weekly basis.
Automate reporting: Set technical and executive-level reports to run and be delivered to the appropriate people as soon as an assessment is completed.
Automate alerting: Get notifications when you’re off your target baseline with regards to your cyber-exposure score.
Integrate test results: Incorporate test results and mitigation guidelines into your current workflows via your SIEM and/or SOAR. This way, remediation can be prioritized, IoCs updated and configurations changed – all as part of your everyday activities.
Step Three: Measure Results
Until not long ago, measuring the effectiveness of your cybersecurity was impossible. Today, you can set KPIs and objectively quantify your:
- Overall cyber-exposure, aka risk posture
- Level of risk across vectors
- Vulnerability to specific threat types
- Security performance over time
- Industry-specific benchmark
- Deviation from target baseline
Armed with these metrics, you can start investing your resources where your exposure is highest.
Step Four: Choose Your Testing Tool(s)
Tools that simulate threat actor IoCs, techniques and behaviors may be open source or proprietary. When evaluating attack simulation tools, check for the presence of these functions:
Objective metrics: Does the tool provide metrics on your security posture overall or across vectors? This is imperative for prioritizing remediation efforts and allocating budget where it’s needed most.
Mitigation guidelines: To help your team close identified gaps, are the appropriative mitigation steps provided?
Automation: Are there wizard-based templates to support prescheduled assessments? Can you set the tool to run assessments at predefined intervals? Does it automate functions such as alerting and reporting?
Ease of use: Does the tool require some knowledge in scripting, for example, when testing controls across the kill chain? Or can anyone on the team use it?
Integration and maintenance: How many components will you require to run the tool? If it requires an agent, will you need to install a single agent or multiple agents to run the different attack simulations?