In order to protect valuable corporate assets and demonstrate due diligence, security assessments and validation of controls are required on a regular basis. To meet regulatory compliance requirements, these tasks are generally scheduled in advance and involve the repeated use of the same person or group of professional penetration testers. In this established routine lies a potential problem.
Penetration testing is an art that depends on well-trained and highly creative individuals. Their most important task is to replicate the attack strategies that adversarial groups would launch against corporate assets, whether physical infrastructure or intellectual property. Threat actors use widely differing attack plans, with an even more diverse range of tools, making it impossible to develop a “one size fits all” defense plan.
One threat actor might emphasize attacks on web portals, while another might lean towards social engineering; each is creative and different in design and strategy.
This brings me to my primary point. It is highly unlikely that a single person or group can know everything about security and infrastructure. Therefore, corporations should consider rotating through a set of known, trusted professionals, whether from within the same organization or sourced from different groups. This allows a more diverse approach to testing and assessing the security controls of the corporate infrastructure. Adopting this approach brings more creativity, and the additional experience opens the possibility of stronger, broader security.
Adopting portions of the NIST “Guide to Cyber Threat Information Sharing (Draft)” would allow all groups to effectively and efficiently share notes from previous engagements, which, leveraged properly, would provide a far more secure platform and additional assurance to all parties involved.