
The Need for Continuous Security Testing

Combatting commercialized adversaries

Threat actor groups are becoming more organized, running their operations much like a typical cybersecurity company, only without the good intent. In response to this evolution, the cybersecurity industry is embracing models of continuous offensive security testing. But philosophy and reality are two different things.

This episode of PlexTrac Friends Friday brings together two long-time proponents of continuous pentesting — Dan DeCloss and Dahvid Schloss — to discuss practical ways to implement a continuous testing strategy regardless of your organization’s size and budget. 

Known as an emulated crime boss of a gang of emulated criminals, Dahvid Schloss is an experienced cybersecurity leader with over 13 years of cyber attack and defense experience in both the military and private sectors. Currently, he is the Hive Red Team Leader, North America at CovertSwarm.

Dahvid and Dan’s conversation on PlexTrac Friends Friday was voted the most popular episode of 2024. Watch the full episode or read on for the highlights.

The industry’s embrace of continuous pentesting

Dan and Dahvid kicked off their conversation by sharing their views on the state of the industry regarding continuous security testing. Dahvid said, “I think we definitely are seeing a shift in the industry as we’ve gotten a little bit more mature over the post-COVID age. I think if you asked me in 2018, what’s the potential of getting people to do more continuous testing? It would have been very hard to convince anybody to do so. But we’re starting to see a shift of the guard, right? We’re getting new executives, younger executives, people who understand technology to a much deeper extent.”

Dan said, “I agree and I think that the barrier to entry to be able to do some form of continuous testing has lowered. The bar has been lowered substantially, and it’s more cost-effective. You may not have a full team of red teamers at your disposal, but the bar is lower to at least have some form of a continuous paradigm.”

The commercialization of criminal organizations 

Dan noted that the need to adopt a paradigm of continuous testing is critical now more than ever due to the increasing sophistication of threat actors. “The threat groups and the threat actors are continuing to advance as well as almost commercialize.”

Dahvid said, “I think the best example of that is if you go back and look at Conti. They split and just released all the data. They released all their internal documents. And if you read the documents, it’s fascinating because they operated exactly how you would expect a consulting firm to operate, right? Just with no morals.

“They had an HR team that did recruiting. They had payroll. They had your equivalency of a CFO, CTO. They’re so well organized, right? And you start to recognize that Conti is not the only group that’s doing this. We have a trillion-dollar industry on the cybercrime side, and the reason why we call it an industry is because they operate just like it.” 

Dan agreed, “They are going to continue to be persistent. If we know anything, it’s that that’s the right name for those kinds of groups. They definitely are advanced, right? They have talent, and they’re going to continue to be persistent. So how do we counter that on the defensive side? I’m always a big fan of the saying, ‘One of your best defenses is a good offense.’ So being able to be proactive is key.”

The barrier of entry to continuous pentesting

Being proactive in a continuous paradigm is essential in the current environment; however, maturing a security program to this level is also difficult and expensive. Dahvid addressed the challenge: “So for these small companies, how do you get the ability to do continuous pentesting without spending your entire operating budget for the year? That’s where we get some of these newer tools — the automation systems like Pentera or Horizon 3. That’s a good way to enter depending on your size. 

“So the hardest part is just finding those services and products that can help you do that in a cost-effective manner. The only other way of doing that is hiring your own individuals and building a team that way, which I have seen a pretty big push to start doing.” 

Dan added, “I also think some kind of hybrid model with a partner is a good option. You may have a bigger consulting firm or just an MSSP that can do some of that continuous testing, but maybe not as an every day, every week kind of thing. And then you augment that or supplement that with an internal program. This is much like what we’ve seen in some of our partners and customers — supplementing through the vuln management team.”

Commitment and communication as key to continuous pentesting

In addition to finding the right combination of tools and partners, organizations must commit to the process and clearly communicate the results of continuous testing to the rest of the business.

Dan likened a continuous testing mindset to physical health. “First and foremost you have to treat it like, ‘We’re committing to this and we’re going to dedicate the time.’ Because I think it’s so easy to continue to fall into the reactive mode of security operations and management. It’s like staying healthy physically. One of the first things to go when we get really busy and life hits us is working out, right? You stop going to the gym or stop working out, and that’s the wrong mentality. We need to stay on top of testing.” 

Dahvid said, “The other piece I think is really how you communicate it to the organization. Cybersecurity is a team sport regardless of whether we want to include the finance bros and the HRs and everyone else. At the end of the day, it’s a team sport and we need everyone to buy into it.”

Dan agreed, “Being able to effectively communicate the risk that you’re mitigating and the progress that you’re making over time is critical — being able to benchmark where we were and then how we’ve continuously gotten better because we’ve continued to test these things. It flows into a life cycle around remediation, and you actually see your security posture improving.

“I think what’s encouraging is that we’re starting to see everybody come on board with this mentality and this notion, and I think we’re only going to continue to see more and more products and services out in the market and partners like yourselves that can come alongside companies and help get into this in this mode.”

Follow PlexTrac on LinkedIn for more engaging episodes of PlexTrac Friends Friday, featuring leaders across all aspects of the cybersecurity industry.
