6 arguments for pen testing, red teaming and proactive defense
By Jorg von der Heydt
Many cybersecurity experts have recognized that a purely reactive approach to IT security is no longer enough. They go on the offensive: penetration tests, red teaming and proactive threat hunting complement the classic defensive strategy by identifying vulnerabilities and possible entry points at an early stage, and by tracking global, regional and industry-specific attacker activity. Both offense and defense have their place in a comprehensive approach to cyber resilience. Such an approach offers advantages, but also creates obligations.
Traditionally, large organizations have relied primarily on defensive cybersecurity strategies, for several reasons. First, defense reduces risk most directly, by lowering the likelihood of successful cyberattacks and minimizing potential damage to data and systems. Second, general and industry-specific legal regulations often require a greater focus on defensive measures to protect sensitive information, so that beyond data protection no resources remain for offensive work. Third, for many decision-makers, protecting the company's good reputation is a priority. Cyberattacks can undermine trust in the company through data disclosure, so defending against possible attacks takes precedence. In this respect, defense alone already consumes a large share of the available resources.
Anyone who only chases after attackers will be too late
However, constantly changing cyber risks and competent attackers make it necessary to go beyond a purely defensive cybersecurity strategy. In particular, attackers are increasingly using evasive and adaptive techniques to bypass traditional defenses. For example, after gaining a foothold on an endpoint, they often disguise their lateral movement as legitimate traffic or "normal" user behavior.
Offensive concepts can improve an organization's ability to detect, respond to, and effectively defend against cyber threats. However, offensive strategies must be planned carefully, with the legal and ethical consequences taken into account. Offensive measures must also be consistent with the company's overall security goals.
A contemporary cybersecurity strategy uses various tactics to detect or combat cyber threats:
– Penetration testing: controlled tests with defined objectives to find vulnerabilities;
– Red teaming: comprehensive attack simulations to check overall security;
– Proactive threat hunting: searching for signs of malicious activity in specific regions or industries, or against specific targets (applications, systems);
– Active defense: proactive measures to disrupt attackers (e.g. honeypots);
– Cyber deception: generating false information to mislead attackers;
– Offensive countermeasures: actions taken to counter attackers;
– Vulnerability analysis: finding unknown security gaps in applications;
– Digital forensics: collecting evidence related to cyber incidents;
– Cyber deterrence: deterring attackers by demonstrating a powerful response.
An offensive cybersecurity strategy offers six benefits:
1. Reducing the attack surface and identifying risks earlier and better: penetration tests, red teaming and proactive threat hunting, together with continuous active testing and questioning of one's own IT security, help to identify weak points and vulnerabilities that attackers could exploit.
2. Improved defense posture: an offensive approach also improves the ability to respond to incidents by optimizing emergency response plans and processes, and it enables cost savings (e.g. for IR teams and disaster recovery plans, including their regular testing).
3. Greater empathy: understanding how attackers think helps cybersecurity teams anticipate attacks and their next steps, identify risks more accurately, use effective deception tactics, develop targeted countermeasures, and support behavioral analysis.
4. Information sharing: sharing information about the identified risks also helps. Such information increases risk awareness, enables more effective training and facilitates analysis. In addition, security experts can attribute cyber incidents more accurately.
5. Increased compliance: an offensive cybersecurity strategy helps the company comply with regulations. It also provides further evidence of proactive security measures, data security and due diligence, and thus of the company's commitment to meeting requirements such as ISO 27001, SOC 2 Type 2, GDPR, PCI-DSS or HIPAA.
6. Securing business relationships: in addition, business customers, potential buyers and investors also require such protection.
Staying on the right side of the law
Anyone who simulates attacks can quickly become a criminal themselves or harm others. These ethical concerns should be a consideration for any red teaming or penetration testing service. Interested companies must select reputable providers and have the test scope expressly approved, taking data protection laws into account and minimizing any unavoidable negative consequences. Transparency and clear reporting are essential. Proof of appropriate certifications must be required from the testers to ensure their integrity. Training employees is also a central and essential component, as is cross-departmental cooperation in resolving the vulnerabilities found after the test. Accountability and open communication with stakeholders complete the ethical framework, ensuring that testing is conducted responsibly and within legal boundaries.
https://netzpalaver.de/2023/11/23/6-argumente-fuer-pen-testing-red-teaming-und-eine-proaktive-abwehr/