Cybersecurity incidents provide responders with valuable cybercrime threat intelligence. Unlike penetration (pen) testers who only do testing, testers with incident response experience are familiar with current attack tactics, and that real-world experience is invaluable.
Traditionally, incident response and penetration testing draw on two different skill sets. Cyber experts typically specialize in either the red team (the role of the attacker) or the blue team (the role of the defender). Purple team members (people who can do both) are rare and very special. Think of it like chess: those who can see both sides of the board can anticipate the next move. They know where their opponent is going and can formulate strategies to mitigate an attack.
Skills gained during incident response
Hands-on knowledge of attack techniques
Exposure to developing and trending attack techniques is one of the most useful assets of incident responders. This information, gathered in real time, is an advantage that pen testers who only study theory don’t have. A responder can learn and mitigate a tactic in a few hours, while other testers must wait for the tactic to be published. Responders understand how cyber criminals think and use this knowledge to anticipate exploits and respond to attacks.
Forensic and malware analysis
Incident responders learn how to identify indicators of compromise (IOCs) and other forensic data. They also gain experience with malware analysis: how the code bypassed defense mechanisms such as antivirus software or email security, and how it tricked the user into clicking on it.
Incident response methodology
The steps needed to return a company to operations after an attack give responders valuable leadership and communication skills. Those steps involve answering questions such as:
- What are the company’s priorities?
- Who are the stakeholders?
- What systems need to be brought online first?
- How will backups be recovered?
By working through these steps, responders learn to communicate with various stakeholders, present executive briefings, think under pressure, make quick decisions, write reports, and work with law enforcement and legal departments.
Theory vs. practice
A good penetration test uses modern tactics, techniques, and procedures (TTPs), because it’s crucial to test what attackers actually do in real life. Working in IR teaches which TTPs are currently in use, and testers can then simulate them in a pen test.
Pen testers should develop a strategy for their test that identifies areas of risk:
- Where is a victim most likely to be targeted?
- How would the attacker get in?
- What is their initial attack vector?
- What exploit will they use?
After enough experience responding to incidents, responders can identify potential weaknesses they have learned about or recall from a previous incident. They can then recommend solutions to prevent attacks they’ve seen before.
Without this dual knowledge, the success of a pen test relies on information sharing between the blue and red teams. New vulnerabilities and TTPs are identified daily, but the information is not usually released to the public promptly.
Benefits of incident response trained pen testers
The most significant advantage of responders working as pen testers is their experience. Not only do they have a greater awareness of techniques, but they’re also more efficient. Due to their background, these testers don’t need to ask as many questions and can quickly acclimate to new environments. Customers can be confident their penetration test will be comprehensive, resulting in a better security posture.
By choosing incident responders who also pen test, you skip the expense of hiring a separate purple team and still get that dual expertise. Even better, the recommendations you receive will be the most up to date, based on recent and relevant attacks.
The point of penetration testing is prevention. Well-executed pen tests can prevent security incidents from arising, reduce risk, and remove vulnerabilities. Using the test results, these testers can also provide insight into potential recovery strategies. This combination of benefits can be a strong return on investment (ROI) for your organization. Annual penetration testing is a solid use of security funds and has the potential to save money over time.
Why you should choose Blue Team Alpha
Our penetration testing team is composed of incident responders, expert-level operators, and former chief information security officers (CISOs) who are certified, educated, and experienced. Our blue team members are actively defending companies and have each handled hundreds of incidents. They are also experienced in offensive engagements.
We use realistic techniques paired with the latest tools to provide testing that is modern and comprehensive. Our detailed reports contain a thorough explanation of the results and include recommendations on how to improve your security. Based on the test results, Blue Team Alpha offers a wide range of services to fill each customer’s gaps. Contact us today to receive a first-class pen test.