Security Test Plan: One of several frequently asked questions that, “Will you be able to put together a Security Test Plan?” To point of fact, 59 percent of security specialists keep quoting an “inadequacy of consistent approach to classifying testing (e.g. complete lack of Security Test Plan) to be one of the tops of the scale barriers to evaluating viability of control,” as per a recent survey from the SANS Institute.
Since testing the effectiveness of your controls is imperative to knowing your true security posture and assessing your preparedness for a cyber-attack, we have set out below a few high-level guidelines to help you get started with building your own cybersecurity or security test plan.
Assembling Security Test Plan Step One: Select Your Approach
With so much to test against, it can be overwhelming to know where to start. The important thing is to start somewhere, and then continue with your approach until you’ve covered all your bases. Here are five methodologies to choose from:
Attack Vectors: From pre-exploitation (attack delivery via email, the web or app), to exploitation (system compromise) to post-exploitation (e.g. lateral movement and data exfiltration) – challenging defenses deployed against each vector of the cyber-kill chain ensures you can defend against sophisticated cyber-attacks, such as advanced persistent threats (APTs).
MITRE ATT&CK™ Framework: By methodically challenging your current security controls with over 290 techniques mapped in the enterprise ATT&CK matrix, you can ensure you have covered all the basics.
Threat Types: If your top concern is defending against ransomware, spear-phishing, Trojans, cryptominers or cryptostealers, then challenging your defenses with simulations of these threats can help alleviate your topmost concerns.
Into The Wild: Can your controls detect the very latest threats currently disseminated in the wild? By challenging them with the Indicators of Compromise (IoCs) and techniques of the new strains, you can ascertain your organization’s defensibility. Note that this approach can safely be utilized alongside the others, as it specifically covers the newest strains.
APT Groups: State-sponsored cybercrime groups are known to target specific industries and specific countries. By mimicking the techniques, tactics and procedures (TTPs) distilled from these groups’ attacks, you can start addressing any geopolitical concerns.
Assembling Security Test Plan Step Two: Automate What You Can Repeat
Security risk assessments should not slow you down, but rather enhance what you already do. To avoid incurring extra overhead, consider doing the following:
Assemble Test Templates: Choose what to test in advance and create your own test templates, so you can be methodical about what you test. Gain consistency by challenging controls, tweaking them, and then run the same set of tests again.
Schedule Tests In Advance: Define cyber-attack simulations to run on an hourly, daily or weekly basis.
Automate Reporting: Set technical and executive-level reports to run and be delivered to the appropriate people as soon as an assessment is completed.
Automate Alerting: Get notifications when you’re off your target baseline with regards to your cyber-exposure score.
Integrate Test Results: Incorporate test results and mitigation guidelines into your current workflows via your SIEM and/or SOAR. This way, remediation can be prioritized, IoCs updated and configurations changed – all as part of your everyday activities.
Assembling Security Test Plan Step Three: Measure The Results
Until not long ago, measuring the effectiveness of your cybersecurity was impossible. Today, you can set KPIs and objectively quantify your:
- Overall cyber-exposure, aka risk posture
- Level of risk across vectors
- Vulnerability to specific threat types
- Security performance over time
- Industry-specific benchmark
- Deviation from target baseline
Armed with these metrics, you can start investing your resources where your exposure is higher.
Assembling Security Test Plan Step Four: Choose Your Testing Tool(s)
Tools that simulate threat actor IoCs, techniques and behaviors may be open source or proprietary. When evaluating attack simulation tools, check for the presence of these functions:
Objective Metrics: Does the tool provide metrics on your security posture overall or across vectors? This is imperative for prioritizing remediation efforts and allocating budget where it’s needed most.
Mitigation Guidelines: To help your team close identified gaps, are the appropriate mitigation steps provided?
Automation: Are there wizard-based templates to support prescheduled assessments? Can you set the tool to run assessments at predefined intervals? Does it automate functions such as alerting and reporting?
Ease Of Use: Does the tool require some knowledge in scripting, for example, when testing controls across the kill chain? Or can anyone on the team use it?
Integration And Maintenance: How all those modules are you going to need to run the tool? So when an agent is required, would you need to deploy a single agent or multiple agents to run the multiple different simulations of the attack?