
JUNE 2016

The Journey from Discovery to Remediation


According to the National Institute of Standards and Technology (NIST SP 800-115), “Penetration testing is security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network.” Penetration testing, or pen testing, can be performed by internal security personnel, third-party pen testers, or a combination of the two. However, traditional penetration testing engagements are limited in both time and scope, and the quality of the result varies with the skills and experience of the testers available.

With its emphasis on mimicking real-world attacks, the NIST definition calls on penetration testing vendors to adopt an adversarial mindset. To beat a hacker, you have to think like a hacker, so adversarial penetration testing is crucial to discovering the critical vulnerabilities a malicious hacker would seek to exploit. But gaining access to qualified, scalable pen testing teams capable of truly emulating the adversary is a serious problem while the information security field struggles with a well-documented talent shortage.

With adversaries evolving rapidly and attack techniques growing in complexity, the only way to make sure the latest attacker tradecraft is used in penetration testing is to build a platform in which real-world ethical hackers drive these new penetration testing models. To go further, these models need to move beyond pure vulnerability discovery to mitigation and remediation. Companies and vendors alike are realizing that discovery is meaningless unless exploitable vulnerabilities can be mitigated and then remediated. The longer that process takes, the more likely the organization loses the invisible race against the true adversaries, a loss with potentially catastrophic effects.

Discovery

There is often debate about whether automated vulnerability scanning or human-driven penetration testing is the best way to discover vulnerabilities in an organization. Machines lack the creativity and critical thinking of humans, while humans lack the raw speed of machines, and a hybrid approach that brings the best of both together is key to solving this problem.

Automated scanning technologies can't incorporate business logic; they take linear testing paths through an environment and feed back dense vulnerability reports with large volumes of background noise and little or no prioritization or business-risk context. Relying solely on automated scanners to uncover newly published vulnerabilities doesn't solve the problem either, since scanners can only test for the signatures and vulnerability classes they already know. Even with the latest signatures loaded, a scanner can only flag known potential vulnerabilities; it cannot tell you whether they are actually exploitable.

[Figure: Perceived Security vs. Discovery]


[Callout: 96% signal-to-noise ratio]

The Synack Advantage

Synack continuously protects your most valuable IT assets by pairing the human ingenuity of the world's best ethical hackers with the scalability of an automated vulnerability intelligence platform. To do so, Synack uses a private, highly curated community of security researchers, the Synack Red Team (SRT), all of whom have been vetted for both skill and trust. Acceptance into the SRT is highly selective (under 10% of applicants are accepted), as Synack admits only the most qualified and ethical security professionals. In short, Synack connects enterprises with a private crowd of the most sought-after, skilled and trusted ethical hackers in the world to provide continuous testing coverage that integrates with your development processes.

All SRT activity, from reconnaissance through exploitation, is monitored and logged through Synack's patented full-capture gateway platform, LaunchPoint. LaunchPoint adds layers of transparency and trust that allow enterprises to take advantage of bounty-driven application testing even for their most sensitive internal environments and production applications.

Before a vulnerability is shown to a customer, the Synack Mission Ops team has already confirmed it as a valid issue through a rigorous review process that includes reproducing the vulnerability and cross-checking it against the engagement scope and already-known vulnerabilities to eliminate duplicate reports. This lets Synack deliver a 95% signal-to-noise ratio to customers: when you hear from Synack, it matters.

An adversarial approach that pairs the world's best hacking talent with technology should form the underpinnings of your penetration testing program. By continuously monitoring applications and infrastructure for vulnerabilities and confirming exploitability before a report reaches your desk, this approach helps security operations teams stay ahead while minimizing risk to the organization.

Other characteristics of this new adversarial penetration testing model should include:

A. The latest tools, tactics and procedures that real-world malicious adversaries are using, so that you can detect the latest vulnerabilities and prevent them from being exploited.

B. Continuous penetration testing of critical applications, integrated with your continuous deployment strategy. Attacks don't follow a 9-to-5 schedule for a few weeks at a time; real-world adversaries are relentless and constantly adapt with new attack techniques. For that reason, traditional point-in-time penetration tests always leave a window of exposure during which new vulnerabilities can be exploited. Moreover, with frequent software updates and wider use of agile methodologies, the attack surface keeps changing, and the next generation of penetration testing solutions needs to integrate with those processes.

C. Prioritization of exploitable vulnerabilities is no longer optional; it is non-negotiable. With security operations teams often fighting multiple fires, resources are scarce and their time is valuable (and costly). Long lists of scanner results can be full of false positives and vulnerabilities with low exploitability. To scale, security teams need a better way to separate the wheat from the chaff. The reality is that there is never enough time or staff to fix every vulnerability, so the focus must be on surfacing exploitable vulnerabilities with meaningful business impact.

[Figure: Full packet capture with LaunchPoint; Vetted & Qualified Red Team]


Mitigation

Mitigation is a step that is often overlooked when choosing a penetration testing vendor. The reality of the vulnerability management lifecycle is that developing, testing and deploying a patch for a newly found vulnerability can take anywhere from a few days to months. In the meantime the vulnerability, and the risk of its exploitation, remains. During this period, security teams should identify and implement mitigations that prevent adversaries from exploiting the vulnerability. These countermeasures range from Web Application Firewall (WAF) rules to deliberately reducing the functionality of an application. A WAF rule that can be deployed immediately lets the security team minimize disruption to the normal development cycle: the fix can be planned in a rational manner, avoiding the dreaded hot-fix scramble. Mitigation can therefore be a crucial step in maintaining business continuity and productivity. A mitigation is only as good as its coverage of the vector's variants (alternative encodings, other parameters or endpoints that reach the same flaw), which is why it has to be tested against the exploit rather than simply deployed. Security teams must also be armed with proper measurements and vulnerability intelligence to assess the situation when deciding between patching a system and making more significant changes to the overall architecture. A clear understanding of adversarial tradecraft, together with the ability to extract exploitation intelligence from captured web traffic, is of paramount importance when designing these countermeasures.
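As an added illustration of the WAF-rule mitigation described above (this is example code written for this page, not Synack's code and not any WAF vendor's rule language), the Python below scopes a virtual patch to the one endpoint and parameter named in a hypothetical path-traversal report, and contrasts a naive rule that matches the raw query string with one that canonicalises the parameter value first. The endpoint `/download`, the `file` parameter and the sample requests are all constructed for the example.

```python
"""Virtual patch for a reported path-traversal vector (added example; not
Synack's code and not any real WAF's rule language).

A request is modelled as a dict with the request path and the raw query
string. The rule is scoped to the single endpoint and parameter named in a
hypothetical vulnerability report so that unrelated traffic is untouched.
"""
import re
from urllib.parse import parse_qs, unquote

# Scope taken from the hypothetical report: the only place the vector works.
VULN_PATH = "/download"
VULN_PARAM = "file"

# '..' as a whole path segment: leading, or bounded by '/' (backslashes are
# folded to '/' during canonicalisation).
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def naive_rule(request: dict) -> bool:
    """First attempt: block when the raw query contains a literal '../'.
    Percent-encoding the slash ('..%2F') bypasses it outright."""
    return request["path"] == VULN_PATH and "../" in request["query"]


def canonicalise(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded so a hostile
    value cannot make us loop), fold backslashes to slashes, lower-case."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/").lower()


def hardened_rule(request: dict) -> dict:
    """Second attempt: decide on the canonical form of the vulnerable
    parameter and return a record that explains the decision, which is the
    evidence an analyst wants when reviewing blocked traffic."""
    if request["path"] != VULN_PATH:
        return {"blocked": False, "reason": "out of scope"}
    params = parse_qs(request["query"], keep_blank_values=True)
    for raw in params.get(VULN_PARAM, []):     # parse_qs decodes one layer
        canonical = canonicalise(raw)
        if TRAVERSAL.search(canonical):
            return {"blocked": True, "reason": "traversal in " + VULN_PARAM,
                    "raw": raw, "canonical": canonical}
    return {"blocked": False, "reason": "clean"}


# Constructed sample traffic: the reported PoC, two evasions, benign use and
# an out-of-scope request that must not be touched.
SAMPLE_REQUESTS = {
    "poc":       {"path": "/download", "query": "file=../../etc/passwd"},
    "encoded":   {"path": "/download", "query": "file=..%2F..%2Fetc%2Fpasswd"},
    "double":    {"path": "/download", "query": "file=..%252F..%252Fetc%252Fpasswd"},
    "benign":    {"path": "/download", "query": "file=report.pdf"},
    "unrelated": {"path": "/search",   "query": "q=../../etc/passwd"},
}


def compare_rules(requests: dict = SAMPLE_REQUESTS) -> dict:
    """Run both rules over the sample traffic; returns name -> (naive, hardened)."""
    return {name: (naive_rule(req), hardened_rule(req)["blocked"])
            for name, req in requests.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in compare_rules().items():
        print(f"{name:10s} naive={'block' if naive else 'allow':5s} "
              f"hardened={'block' if hardened else 'allow'}")
```

Two design points carry over to real WAF rules: scope the rule to the vulnerable endpoint and parameter so the mitigation does not become a self-inflicted outage, and match on a canonical form (bounded decoding, separator folding) rather than on the bytes the proof-of-concept happened to use, since the first bypass an attacker tries is a different encoding of the same payload.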

The Synack Advantage

Synack has seen that in 19% of cases, an organization's initial mitigation effort failed to stop the exploit. The Synack Mission Ops team assists enterprise security teams with conceptualizing, constructing and verifying appropriate countermeasures, allowing customers to focus their internal effort on what matters most to the enterprise, vulnerability remediation and risk reduction, rather than on spending countless hours theorizing fixes that may or may not work.

Some patches take longer to implement than others. Rather than leaving yourself unprotected while waiting for a critical patch, in many cases Synack can create plug-and-play WAF rules that help you identify and prevent further exploitation of the vulnerability. These WAF rules are fully tested by Synack in advance, so you can be assured that they work as intended.

[Figure: Before Mitigation vs. After Mitigation. Caption: Plug-and-play, fully tested WAF rules in instances where they help]


Remediation

Faced with relentless threats across growing attack surfaces, enterprises must adapt by establishing responsive and effective processes for patching vulnerabilities as part of their vulnerability management lifecycle. However, the job doesn't end with applying a patch. Security organizations need assurance that the patch actually fixes the vulnerability. Without an independent patch verification process, confidence in a patch's effectiveness can be false. Worse, a poorly implemented patch may introduce new vulnerabilities with potentially catastrophic business impact.

Development organizations often perform code reviews while fixing vulnerabilities, and security teams may verify patches independently of the development team to add another perspective. Once the patch is reviewed, the fix is considered complete. Internal reviews are essential, but security teams often lack sufficient visibility into how the patch was implemented. More importantly, they do not have full visibility into the tactics, techniques and procedures (TTPs) of the adversaries who are dedicated to discovering and exploiting vulnerabilities, including the one presumed to be fixed. A review that only confirms the originally reported request now fails is not enough; the verifier should also try the variants of the vector an attacker would reach for next, such as alternative encodings, other parameters that carry the same input, and other endpoints that share the flawed code.

The Synack Advantage

The Synack Mission Ops team acts as an extension of your internal security team. Once Mission Ops has verified that a vulnerability is exploitable, it draws on its understanding of your applications and infrastructure and in many cases can recommend a fix, with accompanying remediation guidance, for the vulnerability. Once that fix has moved through your vulnerability management process and a patch exists, Synack gives customers a way to confirm the patch's efficacy through Synack's patch verification process.

Patch verification creates a tried-and-tested find-to-fix model for the enterprise that can be managed and tracked in the Synack portal. It gives customers the ability to request an independent review of a vulnerability patch to ensure that the attack vector described in the vulnerability report has been closed. All patch verifications are performed by Synack Red Team (SRT) members working in conjunction with the Synack Mission Ops team.
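To make the verification step concrete, here is an added example (written for this page; it is not Synack's patch verification process or code) of what an independent check of a fix can look like when the report gives a path-traversal vector against a hypothetical download endpoint. Three versions of the handler are constructed for the example: the vulnerable original, an ineffective patch that strips `../` once, and a proper fix that normalises before checking. `verify_patch` replays the reported vector, two variants an attacker would try next, and a benign request to catch regressions. The base directory `/var/www/files` and all file names are invented, and path resolution is done on strings only, so nothing on disk is read.

```python
"""Replaying a reported attack vector against a fix (added example; not
Synack's patch verification code). Everything here is a string-only
simulation of a download endpoint that maps a user-supplied name onto a
fixed document root; no files are read.
"""
import posixpath

BASE = "/var/www/files"   # hypothetical document root


def _escaped(resolved: str) -> bool:
    """True when a normalised path lies outside BASE."""
    return not (resolved == BASE or resolved.startswith(BASE + "/"))


def serve_before(name: str):
    """Vulnerable original: prefix-checks the path *before* normalising it,
    so '/var/www/files/../../etc/passwd' passes the check."""
    path = BASE + "/" + name
    return posixpath.normpath(path) if path.startswith(BASE) else None


def serve_bad_patch(name: str):
    """Ineffective patch: strips '../' once. '....//' loses its inner '../'
    and collapses to '../', so the traversal survives."""
    cleaned = name.replace("../", "")
    path = BASE + "/" + cleaned
    return posixpath.normpath(path) if path.startswith(BASE) else None


def serve_good_patch(name: str):
    """Effective patch: normalise first, then require the result to stay
    under BASE. An absolute name resets join() and is rejected too."""
    resolved = posixpath.normpath(posixpath.join(BASE, name))
    return None if _escaped(resolved) else resolved


def variants(vector: str):
    """The reported vector plus the variants a verifier should replay: a
    strip-once evasion and a deeper traversal. Extend as the report warrants."""
    return [
        vector,
        vector.replace("../", "....//"),
        "../" * 6 + vector.replace("../", ""),
    ]


def verify_patch(handler, vector: str, benign: str = "report.pdf") -> dict:
    """Independent check of a fix: does the reported vector still escape, do
    its variants, and does a normal request still work?"""
    bypasses = []
    for candidate in variants(vector):
        resolved = handler(candidate)
        if resolved is not None and _escaped(resolved):
            bypasses.append(candidate)
    regression = handler(benign) != posixpath.join(BASE, benign)
    return {
        "closed": vector not in bypasses,          # the report's exact vector
        "bypasses": bypasses,                       # anything that still escapes
        "regression": regression,                   # benign use broken?
        "verified": not bypasses and not regression,
    }


if __name__ == "__main__":
    for label, handler in [("before", serve_before),
                           ("bad patch", serve_bad_patch),
                           ("good patch", serve_good_patch)]:
        print(label, verify_patch(handler, "../../etc/passwd"))
```

Run against the three handlers, the original reports the vector open, the strip-once patch reports the exact reported vector closed but a variant still escaping (the "false sense of confidence" the text warns about, which a replay of only the original request would have missed), and the normalising fix reports no bypasses and no regression. The same structure applies to any vector: replay what was reported, replay what the adversary would try next, and confirm legitimate use still works.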

[Figure: Before Remediation vs. After Remediation. Caption: Hacker-powered patch verification]


About Synack

Synack is pioneering a trusted, hacker-powered approach to protecting an organization's digital surface, arming security teams with hundreds of the world's best hackers who want to be your allies, not your adversaries. Our private crowd of skilled and trusted hackers provides proactive application and penetration testing from a truly adversarial perspective, detecting and reporting vulnerabilities in clients' web and mobile applications, host infrastructure and connected IoT devices that often remain undetected by traditional security solutions.

The Synack Crowd Security Intelligence Solution

To beat a hacker, you have to think like a hacker, and to protect an enterprise against constant, complex threats, you have to bring hundreds of the world's best ethical hackers into rapid action. Synack's Crowd Security Intelligence™ platform does just that. The Synack solution combines the human ingenuity of the Synack Red Team (SRT) with the scalability of Hydra, an advanced vulnerability intelligence platform, to continuously discover exploitable vulnerabilities across web applications, mobile applications and host infrastructure. Synack takes an adversarial approach to exploitation intelligence, showing the enterprise where its most business-critical vulnerabilities are and how adversaries can exploit them.

The Synack solution lets the enterprise start an engagement quickly with more time on target, and presents a controlled, continuous adversarial view of the organization's application and infrastructure security. Acting as a closely integrated extension of internal security teams, the Hydra-enabled SRT provides comprehensive testing coverage across large, complex enterprise assets. The Synack solution delivers exploitation intelligence that allows customers to reduce their window of exposure and strengthen their security posture.

SRT + Hydra Technology: The SRT, supported by Hydra, continuously discovers vulnerabilities with high efficacy. Once vulnerabilities are patched, the SRT even helps verify the fix.

LaunchPoint™: All SRT testing activity is routed through our secure gateway technology, providing our clients with full transparency and control.

Mission Ops: Synack Mission Ops expertly manages, triages and prioritizes ALL vulnerabilities submitted by the SRT, helping customers focus their internal efforts on remediation.

Synack, Inc.

855.796.2251 | www.synack.com | [email protected]

© 2016 Synack, Inc. All rights reserved. Synack is a registered trademark of Synack, Inc.

[Diagram labels: Synack Red Team; Hydra Technology; LaunchPoint™; Client Assets; Mission Ops; Web Management Platform; Report (10/10 CVSS); Patch Verification; YOU]