Is traditional penetration testing still fit for purpose?

Author: Ben Stickland, Hive Member at CovertSwarm

Traditional penetration testing, traditionally relied upon and used to identify vulnerabilities by simulating cyberattacks, is losing relevance in today’s cybersecurity landscape.

Businesses are beginning to constantly update their systems and expand into the cloud. In fact, 67% of businesses in the UK and 62% in the US reported an increase in their attack surfaces over the past two years, meaning risks are changing far more dramatically and quickly than they ever have before.

The point-in-time nature of penetration testing means that vulnerabilities identified in a report may no longer exist or may have been superseded by new threats by the time it is delivered, shifting the focus away from developing threats that could be an immediate issue. Businesses need to start adopting ongoing monitoring methods designed to address modern cyber threats if they are not already.

The state of penetration testing today

According to the UK Government’s latest Cyber Security Breaches Survey, out of the 51% of businesses conducting cybersecurity security activity in the last 12 months, 33% of these businesses used specific tools designed for security monitoring, while just 11% conducted penetration testing. During this time, 50% of all businesses experienced some form of cyber attack or breach, up from 32% of businesses in the 12 months previous – an alarming increase.

In the US, penetration testing continues to be a more widely adopted security measure, with 75% of businesses incorporating it into their cybersecurity practices. Despite this, in 2023 nearly 70% of organizations in the United States reported being hit by a ransomware attack, a figure that has continued to rise.

With attacks becoming more common and attack methods changing so dramatically with the expansion of attack surfaces, businesses need to be prepared, aware, and well-equipped to handle emerging threats.

Limitations of penetration testing

Penetration testing is no longer fit for purpose at the scale in which threats are emerging today and can be out of date mere hours after it has been completed.

Traditional penetration testing offers a snapshot of an organization’s security stance at a specific point in time, a method unable to keep up with vulnerabilities that emerge beyond the point at which the test is carried out, leading to issues remaining unaddressed.

It simply cannot keep pace with the expanding attack surface businesses are now experiencing. Modern digital infrastructures, characterized by cloud adoption, mergers, and regional expansions, create a complex and ever-changing environment that traditional tests are unable to adequately cover.

Once a year or even semi-annual penetration tests fail to provide a comprehensive view of an organization’s security status, which may leave businesses vulnerable to attacks that exploit weaknesses that were not at all known or presented during the last test.

Furthermore, the scope of traditional pen-tests is often limited by time and resource constraints, meaning that only a subset of an organization’s assets can be thoroughly tested. This leaves potential blind spots in the security posture, as critical vulnerabilities may exist outside of the defined scope of periodic testing.

The cost of relying on outdated practices

Cyber insurance providers are beginning to recognize that annual penetration tests are proving insufficient for assessing risk. Businesses solely investing in traditional penetration testing are not proactively addressing and remediating issues, and cyber insurance providers are more commonly flagging these businesses as high-risk, inflating the cost of premiums.

Insurers are now offering additional cybersecurity services to their clients. This proactive approach helps businesses strengthen their defenses while also providing insurers with more accurate risk assessments.

Cyber insurance rates rose by 28% in the last quarter of 2022 and another 11% in the first quarter of 2023. Rates have since slowed down and stabilized, but prices are still increasing. This shift further highlights the growing need for more adaptive and modern security measures.

Constant attack surface monitoring is the future

Constant attack surface monitoring (ASM) provides continuous visibility required to adapt to these rapid changes and prevent security gaps that can emerge between scheduled tests.

One of the main advantages of constant ASM is its ability to provide real-time data, allowing organizations to prioritize their responses to the most critical threats.

Unlike penetration testing, continuous ASM optimizes resources by focusing on the areas most likely to be targeted. This is particularly important as organizations face an expanding attack surface while their cybersecurity teams cannot scale at the same pace. By identifying and addressing the most significant risks in real time, businesses can better allocate their resources and stay ahead of potential attackers.

ASM tools detect leaked credentials, vulnerabilities or misconfigurations before they are exploited, allowing organizations to not only reduce their risk of data theft but also to lower the chances of having to pay for high insurance premiums, as they can show providers that they can proactively address and remediate issues, and so are a low-risk to insurers.

With the attack surfaces changing so often today, constant attack surface monitoring is becoming vital for maintaining brand loyalty and trust. Vulnerabilities are often exaggerated in the media, leading to unnecessary panic and eroding brand trust, even if the actual risk has been mitigated. As cyber threats grow in scale, immediate detection and response will become crucial to preventing reputational damage. Constant attack surface monitoring allows organizations to quickly address and clarify their security posture, preventing the spread of misinformation and protecting consumer confidence before the narrative spirals out of control and perceptions alter.

How ASMs can protect businesses

ASM continuously scans an organization’s entire digital infrastructure, identifying vulnerabilities across the attack surface. It also prioritizes and analyzes vulnerabilities depending on their potential impact to the business, enabling organizations to detect vulnerabilities in real-time and focus remediation tactics on the most critical threats first, optimizing resource allocation.

The methodology of ASM aligns closely with the core functions outlined in the NIST Cybersecurity Framework, which is widely recognized as a set of cybersecurity best practices. Adhering to these practices supports businesses in regulatory compliance and positions them to adapt more easily to future regulations.

ASM providers will prioritise applications with a history of significant vulnerabilities, such as SSL VPNs. This targeted focus allows for more comprehensive protection against known high-risk areas, which may not be as thoroughly addressed in traditional penetration testing approaches.

The future of penetration testing

Penetration testing has always been a cornerstone of cybersecurity, but its traditional model is increasingly outpaced by the rapid evolution of digital threats and expanding attack surfaces.

With cyber-attacks increasing by 18% in the last year and attack surfaces increasing, the once-a-year or even semi-annual penetration tests are falling short.

The shift towards continuous attack surface monitoring will eventually replace traditional penetration testing methods, offering real-time visibility and adaptive responses, crucial for an evolving and growing digital world.