Let’s start with the bad news: You’ve had a security incident, and it’s impacted your organization. There certainly can’t be good news, can there? Not so fast. There’s a silver lining here: While security incidents and data breaches are never desired and can have severe consequences, they’re also opportunities to build on the lessons learned and correct deficiencies. Two ways of doing this are by implementing security regression testing and deception technology.
What Is Security Regression Testing?
Security regression testing is essentially re-validating that something has been remediated and indeed remains remediated. Basic examples include verifying that a patch or secure configuration on a system is still in place. While this may seem counterintuitive, it is actually fairly easy for configuration drift to occur and for systems to return to previously vulnerable states. For example, perhaps a malicious actor took advantage of publicly exposed data storage or utilized default credentials. Organizations can create and automate the use of regression tests to verify that these circumstances do not occur again by using information gained during the incident and resolution.
Organizations have increasingly been making use of security regression testing to mitigate these concerns. One popular example is the use of Nuclei, which allows sending requests to targets across an environment using templates that you create. Given it is an open-source software (OSS) tool, Nuclei also boasts a robust portfolio of community-curated templates that organizations can take and start with.
There’s nothing worse than going through the laborious process of incident response and resolution, only to make yourself vulnerable again to the same or similar attacks by failing to ensure your remediation activities stick (and aren’t reverting to the known vulnerable states that led to the compromise to begin with). Organizations also have an opportunity to contribute to the broader community by sharing the security regression testing and/or templates they create. This empowers others to build on and customize them for their own needs.
Another area of security that is growing in popularity is deception technology. This is an area of incident response that utilizes decoy assets to entice malicious actors into interacting with them, which then provides security teams data that can be used to detect and defend against threats. It often includes the use of things such as honeypots, honey users, and honey credentials, all aimed at enticing malicious interaction. Deception integration can also address a variety of threats such as credential theft, lateral movement, and accessing sensitive data.
This gets really interesting when organizations pair deception technology with lessons learned from analysis of the techniques, tactics, and procedures (TTP) implemented in recent security incidents. Armed with this information, security teams can specifically design these deception tools and implementations to align with those TTPs. This makes the deception techniques they use align with known malicious activity in their environment, which helps identify further activities by the same or similar malicious actors.
By combining both security regression testing and deception technology, organizations can verify the circumstances and configurations that caused the incident to begin with, as well as identify any further ongoing malicious activity using behaviors observed earlier in the incident response process. In the vein of collaboration, which we will touch on deeper in other articles on this topic, the organization can also share this information with other organizations directly or through outlets such as Information Sharing and Analysis Centers (ISACs).
Want more cybersecurity insights? Subscribe to the Cybersecurity as a Business Enabler channel: