Penetration Testing – Use Caution When Selecting a Provider

Author: Jennifer Walker

Created: Thursday, August 8, 2019 - 16:31

Categories: Cybersecurity, General Security and Resilience, Security Preparedness

While penetration tests (pentests) are a valuable tool in the cyber-quiver for finding network vulnerabilities before the bad guys do, a lack of standards contributes to questionable practices that expose sensitive client data in publicly available repositories. In a recent report published by cybersecurity firm Cylance, the BlackBerry Cylance Threat Intelligence Team expresses concern that some penetration testers (pentesters) have adopted tactics, techniques, and procedures (TTPs) used by real advanced persistent threat (APT) actors, thus blurring the line between nefarious activity and legitimate pentest engagements and exposing sensitive client data. Further confounding the issue is the use of open source and off-the-shelf tools, such as Mimikatz, Metasploit, PowerShell, and PsExec, by both pentest practitioners and threat actors. The report, Thin Red Line – Penetration Testing Practices, also points out that some standards exist but lack consistency, resulting in the absence of defined best practices and of any formal standards or ethics framework. Until such standards are developed and universally accepted, members are encouraged to use the research to ask questions of prospective pentest providers about their practices and their safeguarding and handling of client data (and to provide this report as food for thought to your favorite pentester). Download the report at Cylance
