Let me be frank. Developing and maintaining a cybersecurity strategy is not easy, but it’s totally attainable.

One of the biggest issues I’m seeing with MSP stack offerings right now is making sure configurations are set and working properly. Even after following detailed instructions from vendors, a tool often responds to an attack very differently from what you expect.

Penetration testing helps MSPs evaluate and discover these issues before they become any bigger. It can also validate and communicate the effectiveness of the measures and solutions you’ve put in place to address past vulnerabilities.

I know there has been a lot of chatter about what is and what isn’t a pen test in recent weeks. As a recap of our approach, here is what we define the Galactic Pen Test to be:

A simulated attack—first and foremost, a penetration test needs to simulate how a hacker would get into a network. Hackers typically (1) identify vulnerabilities and then (2) exploit those vulnerabilities. The Galactic Pen Test identifies and exploits vulnerabilities hackers are actively exploiting in the wild. This gives your MSP more effective talking points when discussing security risks than simply listing out vulnerabilities that might not really have any impact.

A defined scope—as you work with your client or prospect to test their system, you are defining what you are looking for and helping your client articulate what they are concerned about. During your 20-Minute phone call, you are homing in on the scope of the pen test. You will be asking them questions and getting their buy-in to evaluate their M365 platform, their browser data and key individuals’ machines to identify how much risk they hold in the event of a ransomware attack or data breach.

Consists of 5 stages—the Galactic Pen Test follows 5 stages, similar to a typical pen test methodology:

Scope of work—the goals and scope of work are defined prior to initiating the project. For example, if you are seeing how your cyber stack responds to our simulated attack, the scope of the work is a cyber stack evaluation. If testing a client or prospect environment, you are probably getting your client to see what data is impacted when someone clicks a link. Whether you are testing M365, firewall response or remote work infrastructure, you are defining the scope and goal of the pen test before running any tools.

Approval to pen test—like any pen test, Galactic requires authorization by the client prior to running any analyses. Running pen testing tools on a client or prospect WITHOUT getting their approval is dangerous and can expose your own organization to liability if the client or prospect responds poorly to your findings. It is much better to establish a pen test analysis based on trust. We recommend signing an NDA with your client and defining the scope of work prior to any pen testing.

Automated vulnerability analysis—like most pen tests, Galactic Pen Test first identifies vulnerabilities present in the environment. It enumerates the network and gathers whatever information it can find—including any unapplied patches or other vulnerabilities and the security tools in place—and uses that to decide how to proceed. Vulnerability analyses cover both external and internal vulnerabilities.

Exploitation—when a vulnerability is found, the implications of that vulnerability are assessed. Galactic Pen Test uses information on recent and historical attacks in the wild to decide what to exploit and how. Vulnerabilities on a system that have previously been exploited—either by our pen testing team or in the wild—are the ones we focus on in the report of results.

Analysis and reporting—Galactic Pen Test ranks specific vulnerabilities by criticality. We also identify the implication of a specific exploitable vulnerability on the network and provide stories of why an exploit is problematic. The serious issues on the network are the vulnerabilities that were successfully exploited. The most serious are those that would impact your client’s ability to keep working after the exploit. The summary report clearly communicates WHY action needs to be taken, and the detailed report provides supporting evidence as to the extent of the problem.

Now, after your penetration test and presentation are done, what are your next steps?

Get them to consider the pen test results—when you read out the results with your client or prospect, get them to make decisions based on the results and recommendations in the report. Remember, your report is third-party generated. You can lean on this to persuade them to take action and wrap their heads around the importance of acting now.

Remediate any findings—if you are working with a client, you can always evaluate their network before presenting to them to double-check that your t’s are crossed. Whatever you do, make sure that you are presenting a plan to remediate any findings from the report. Simply pointing out problems—whether you’re with a client or prospect—will NOT fly. Get them to think about which systems would be impacted if a specific issue were exploited, and how that would affect their continuity.

Repeat the pen test process—cybersecurity is CONSTANTLY changing. You can easily communicate this to your clients. Would they want an ongoing analysis to help them understand their risks? This is something you can certainly add to your offering list. Get them on board with seeing and communicating their cyber risk. Make them aware of current issues and how their network might be impacted in light of recent events.

Pen testing is NOT a static, one-and-done exercise. Even if they were safe at one point, that doesn’t mean they always will be. If you are able to get them on board with looking under the hood periodically—we recommend quarterly—you will help them see progress in their cyber program and get them willing to do more as more issues pop up. Getting them involved as part of the conversation will go much farther than simply presenting them a list of issues or problems.

Want to see how a pen test might go? Consider helping us protect a Million People by getting a free cyber stack evaluation.