Aaron Shilts

Aaron is a proven cyber security leader focused on creating strong teams that deliver an exceptional client experience. In his 20+ years of industry leadership, Aaron has a track record of building innovative and high-performing organizations. Before NetSPI, Aaron was EVP of Worldwide Services at Optiv where he led one of the industry’s largest mergers. He is also co-founder of “Change Starts With Me,” a Minneapolis non-profit, and advises several global firms. Aaron earned his B.S. from St. Cloud State University and proudly served in the Army National Guard.
More by Aaron Shilts
On June 29, 2021, NetSPI President and CEO Aaron Shilts was featured in an article from Minne Inno and Minneapolis/St. Paul Business Journal:

Ransomware attacks have recently made headlines as everything from meat suppliers to schools and hospitals are falling prey to the unforgiving data breaches.

Minneapolis-based NetSPI, a network security firm, is now offering a ransomware attack simulation service to help companies protect themselves.

The service works by emulating real-world ransomware attacks to find and fix vulnerabilities in a company's cybersecurity defenses.

"The DNA and the way we deliver our work lends itself well to helping companies with ransomware," said NetSPI CEO Aaron Shilts. "… We act as a ransomware attacker, using the same attacks, same tools and show them where their weakness would be."

Shilts said the simulation not only illuminates where a breach can be made, but how the company's systems responded to the attack.

"That's a big part of it. If you can detect something soon, you can usually protect it before they take out the entire network," he said. "If you don't have the detection capabilities, it will spread very quickly."

With tens of millions of dollars funneling towards the attackers, many of whom are backed by foreign governments, it seems like a daunting task to stay on pace with the attackers.

However, out of NetSPI's 225 employees, 150 of them are cyber security experts who research and familiarize themselves with the latest attack patterns.

Shilts said the team is incredibly sharp and "lives and breathes" cybersecurity.

As far as who would benefit the most from the company's service, Shilts said any operating business is a target to the attacks.

NetSPI's work gravitates more towards heavily regulated financial services that store personally identifiable data. But less regulated industries such as K-12, state and local government are high targets because they're easier to pick off.

To learn more, read the full article here: https://www.bizjournals.com/twincities/inno/stories/news/2021/06/29/netspi-ransom-ware-attack-simulation.html

Post: Minne Inno & MSP Business Journal: NetSPI adds ransomware attack simulation to its penetration testing portfolio (published 2021-06-29, https://www.netspi.com/?p=25805)

On May 17, 2021, NetSPI President and CEO Aaron Shilts was featured in a Forbes article.

So it is perhaps not a coincidence that, just five days after the Colonial attack, KKR led a $90 million growth investment in a cybersecurity company called NetSPI. “The reality is that cyber security attacks today are inevitable and put organizations at grave risk,” the company’s CEO, Aaron Shilts, said in a statement. “At NetSPI, we strive to stay one step ahead of hackers, breaches and bad actors.”

In the years to come, NetSPI will have plenty of changes to prove its worth—and hopefully help prevent other instances of infrastructure-crippling bitcoin blackmail.

Now, onto the rest of the things you need to know from the past week in private equity, M&A and beyond…

Read the full article here: https://www.forbes.com/sites/kevindowd/2021/05/17/how-private-equity-factors-in-to-the-colonial-pipeline-hack/?sh=2725b64f5262

Post: Forbes: How Private Equity Factors In To The Colonial Pipeline Hack (published 2021-05-17, https://www.netspi.com/?p=25421)

On May 13, 2021, NetSPI President and CEO Aaron Shilts was featured in the Minneapolis/St. Paul Business Journal.

Cybersecurity company NetSPI has raised $90 million in growth funding, it announced Wednesday.

The round was led by New York City-based investment firm KKR. Cybersecurity-focused venture capital firm Ten Eleven Ventures also participated.

Read the full article here: https://www.bizjournals.com/twincities/news/2021/05/13/netspi-raises-90-million-cbersecurity.html

Post: Minneapolis/St. Paul Business Journal: Cybersecurity company NetSPI raises $90 million from KKR, Ten Eleven (published 2021-05-13, https://www.netspi.com/?p=25364)

On May 12, 2021, NetSPI President and CEO Aaron Shilts was featured in the Star Tribune.

NetSPI, which works with companies to thwart cyberattacks, has raised $90 million in minority investments from KKR and Ten Eleven Ventures.

The new infusion of capital will help the 225-employee software firm develop and improve products, add clients and hire more people, NetSPI CEO Aaron Shilts said in an interview Wednesday.

Read the full article here: https://www.startribune.com/netspi-a-minneapolis-cyber-security-firm-raises-90-million-new-investors/600056465/

Post: Star Tribune: NetSPI, a Minneapolis cyber security firm, raises $90 million from new investors (published 2021-05-12, https://www.netspi.com/?p=25356)

On February 14, 2021, NetSPI President and CEO Aaron Shilts was featured in the Star Tribune.
Many cybersecurity firms hit the brakes quickly and laid off workers when the pandemic hit last year, throwing the country into recession. Their revenue was disrupted as corporate and government customers put off spending decisions and adjusted to new ways of work, with most employees logged in from home. But the work-from-home model just as quickly presented them new opportunities, and many were staffing up by summer to stay ahead of demand.

"Our business ended up growing and we did great," said CEO Aaron Shilts of Minneapolis-based NetSPI. "Some of our smaller customers slowed. But our Fortune 1000 [clients] never stopped growing.

"In some ways it accelerated our business," he added. "We used to have to wait a month for a sales meeting. Now everybody can jump on a telemeeting. I do worry about long-term effects on collaboration. Humans need to work together to maximize the results."

NetSPI, an enterprise-security tester and system-vulnerability manager, said it grew sales 35% for a fourth year in a row and is approaching revenue of $50 million. It employs more than 200 workers around the country and expects to add up to 50 more this year. The firm works with large banks and several units of the Department of Defense.

Like its clients, NetSPI had to adjust to remote work.

"Internally, we try to over-communicate and stay in touch," Shilts said. "People do lose energy when they're just on Zoom. Most would like to be in the office some. But they mostly got the job done from home. I think the future is probably more flexibility."

Read the full article here: https://m.startribune.com/growth-accelerates-for-twin-cities-cybersecurity-businesses/600023160/
Post: Star Tribune: Growth accelerates for Twin Cities cybersecurity businesses (published 2021-02-14, https://www.netspi.com/?p=21315)

On January 5, 2021, NetSPI President and COO Aaron Shilts was featured on the podcast One Take CEO Interviews with Dale Kurschner.

Cybersecurity business leader Aaron Shilts discusses how he is leading his employees through the stresses and changes brought on by Covid-19, organic growth and a recent acquisition. He also shares three things your business should do if it hasn’t already done so to avoid a devastating cyberattack.

Shilts is president and COO of Minneapolis-based NetSPI, the industry leader in enterprise security testing and vulnerability management. NetSPI works with eight of the top 10 U.S. banks, three of the world’s five largest health care companies and the largest cloud providers. In December, it acquired Utah-based Silent Break Security to create a complete package for offensive cyber security and attack surface management.

Other points covered in this One Take CEO Interview include:
  • How Covid-19 affected NetSPI's workforce
  • Nothing connected to the Internet is safe, so what can you do?
  • How much cyber security can affect mergers and acquisitions
  • What he anticipates his greatest challenge will be in 2021
  • The upsides of working through a pandemic
Listen or watch the full interview on Spotify or YouTube - or visit the MN Perspectives website.

Post: One Take CEO Interviews: How NetSPI is Growing Despite Covid-19, PLUS 3 Things to Do Now to Protect Your Data (published 2021-01-05, https://www.netspi.com/?p=20805)

As we write this post, you’ve likely heard about the FireEye and U.S. government agency breaches that occurred over the past week. We know now the breaches have been linked back to a supply chain attack on the SolarWinds Orion Platform, a software platform that manages IT operations and products for over 300,000 organizations, including over 425 of the Fortune 500, all ten of the top U.S. telecommunications companies, all five branches of the U.S. Military, all five of the top U.S. accounting firms, and many, many more.

While FireEye, the U.S. Treasury, and National Telecommunications and Information Administration (NTIA) were the first to report a security breach, the breadth of SolarWinds’ customer base is an indicator that the breaches are seemingly the tip of the iceberg.

For the sake of information sharing, here is an overview of the attacks, immediate steps you can take to identify whether you have fallen victim, and tips for protecting your organization as communicated by FireEye, SolarWinds, and NetSPI. For the full technical deep-dive, we highly recommend the FireEye blog post.

Overview: SolarWinds Orion Manual Supply Chain Attack

On December 13, SolarWinds issued a security advisory alerting to a manual supply chain attack on its Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020.

FireEye discovered the attack and suggests it is a state-sponsored global intrusion campaign by a group named UNC2452 - though many industry experts are attributing the attack to APT29, a group of hackers associated with the Russian Foreign Intelligence Service.

  • Attack Origin: UNC2452 gained access to victims via trojan-based updates to SolarWinds’ Orion IT monitoring and management software, distributing malware called SUNBURST. Multiple trojanized updates were digitally signed and subsequently deployed via this URL: hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574 /SolarWinds-Core-v2019.4.5220-Hotfix5.msp. The downloaded file is a standard Windows Installer Patch file, which includes the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component.
  • How It Works: The digitally signed SolarWinds.Orion.Core.BusinessLayer.dll file is a component of the Orion Improvement Program (OIP) software framework that contains a backdoor that communicates with third party servers via the HTTP protocol. The malicious DLL gets loaded into the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe executables and can run dormant for up to two weeks before beaconing to a subdomain of avsvmcloud[.]com. To avoid possible detection, the C2 traffic between the beaconing server and the victim is made to resemble legitimate SolarWinds communications. This includes HTTP GET, HEAD, POST and PUT requests with JSON payloads in their bodies. The HTTP responses from the C2 server communicating with the victim contain XML data that resembles .NET assembly data used for normal SolarWinds operations. Within the XML, however, is obfuscated command information that is deobfuscated and then executed by the SolarWinds process on the victim’s system.
  • Impact/Result: Following the initial compromise and deployment of SUNBURST, a variety of more capable payloads can be deployed to facilitate lateral movement and data theft. Common payloads include TEARDROP and Cobalt Strike BEACON, both of which can be loaded into memory to improve stealth of operations.
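The beaconing described in the "How It Works" bullet gives defenders one concrete hunting signal: DNS queries for subdomains of avsvmcloud[.]com. The Python below is an added example (not code from the original post, FireEye or SolarWinds) that runs that check over a constructed resolver log. The log format and the subdomain labels are assumptions made up for the example; matching is done on label boundaries, so a look-alike name that merely contains the string is not flagged.

```python
import re
from typing import List, Tuple

# Beacon destination named in the post (written there defanged as avsvmcloud[.]com).
BEACON_PARENT_DOMAIN = "avsvmcloud.com"

# Constructed sample resolver log: "<timestamp> <client-ip> <query-name> <qtype>".
# The format and every line are made up for this example; the subdomain labels are
# placeholders, not observed indicators.
SAMPLE_DNS_LOG = """\
2020-12-14T09:12:01Z 10.20.30.40 www.solarwinds.com A
2020-12-14T09:12:05Z 10.20.30.41 placeholderlabel01.avsvmcloud.com A
2020-12-14T09:13:10Z 10.20.30.42 updates.example.test A
2020-12-14T09:14:22Z 10.20.30.40 avsvmcloud.com.lookalike.example A
2020-12-14T09:15:00Z 10.20.30.43 Placeholderlabel02.AVSVMCLOUD.COM. A
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalize_qname(qname: str) -> str:
    """Lower-case and strip the trailing root dot so suffix checks are reliable."""
    return qname.lower().rstrip(".")


def is_beacon_domain(qname: str) -> bool:
    """True if qname is avsvmcloud.com itself or any subdomain of it.

    The check is on a label boundary ("." + parent), so names that only contain
    the string somewhere else (e.g. avsvmcloud.com.lookalike.example) do not match.
    """
    name = normalize_qname(qname)
    return name == BEACON_PARENT_DOMAIN or name.endswith("." + BEACON_PARENT_DOMAIN)


def find_beacon_queries(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, normalized qname) for every query to the beacon domain."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crashing the hunt
        ts, client, qname, _qtype = m.groups()
        if is_beacon_domain(qname):
            hits.append((ts, client, normalize_qname(qname)))
    return hits


if __name__ == "__main__":
    for ts, client, qname in find_beacon_queries(SAMPLE_DNS_LOG):
        print(f"{ts} {client} queried {qname}: triage this host per the guidance above")
```

Each flagged client is a host to check for the Orion agent and for the steps below; the post notes the beacon can stay dormant for up to two weeks, so an absence of hits in a short log window is not evidence of a clean environment.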

Known breaches include:

FireEye: On December 8, FireEye communicated a state-sponsored security breach through which the attackers accessed FireEye’s Red Team assessment tools used to test customers’ security. Following the breach, the company made its list of countermeasures public. FireEye has now confirmed that this attack was a result of the SolarWinds Orion supply chain attack.

U.S. Treasury and the National Telecommunications and Information Administration (NTIA): On December 13, Reuters reported that Russian-associated hackers broke into the U.S. Treasury and Commerce department’s Microsoft 365 software and have been monitoring internal email traffic. Following a National Security Council meeting at the White House over the weekend, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive for all federal agencies to power down SolarWinds Orion.

Organizations are frantically working to figure out if they have been a victim of the attack and how to protect themselves. Here are the immediate steps to take, according to SolarWinds, FireEye, and NetSPI’s team of offensive security experts:

  1. First, determine if SolarWinds Orion is deployed within your environment. If unsure, NetSPI recommends performing a network scan to identify the Orion agent. For example, this can be performed with Nmap by running: nmap --open -sT -p 17778,17790 x.x.x.x/xx, where x.x.x.x is the network address and xx is the subnet mask. If the Orion agent is found, follow SolarWinds’ recommendations.
  2. SolarWinds recommends customers upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible. It also asks customers with any of the products listed on the security advisory for Orion Platform v2019.4 HF 5 to update to 2019.4 HF 6. Additional suggestions can be found in the security advisory. While upgrading Orion will prevent future backdoored deployments from occurring, it will not remediate the potentially infected deployments that have already taken place via the Orion Platform.
  3. Additionally, FireEye provides a list of recommendations including its signatures to detect this threat actor and supply chain attack. Specific details on the YARA, Snort, and ClamAV signatures can be found on FireEye’s public GitHub page.
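Step one's Nmap command produces a host list that still has to be read and handed to whoever applies the SolarWinds recommendations. As an added example (not from the original post or from NetSPI), the Python below parses Nmap's grepable (-oG) output for hosts with 17778 or 17790 open. The sample output is constructed, and the addresses and host name are placeholders.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Ports the post's command probes for the Orion agent: nmap --open -sT -p 17778,17790 x.x.x.x/xx
ORION_PORTS = {17778, 17790}

# Constructed sample of Nmap grepable output (-oG). Addresses, the host name and the
# port states are made up for this example; fields in -oG are tab-separated.
SAMPLE_NMAP_GREPABLE = """\
# Nmap scan initiated as: nmap -sT -p 17778,17790 -oG - 10.0.0.0/28
Host: 10.0.0.5 (orion01.corp.example)\tPorts: 17778/open/tcp//unknown///, 17790/open/tcp//unknown///
Host: 10.0.0.9 ()\tPorts: 17778/open/tcp//unknown///
Host: 10.0.0.12 ()\tPorts: 17778/closed/tcp//unknown///, 17790/filtered/tcp//unknown///
Host: 10.0.0.14 ()\tStatus: Up
# Nmap done
"""

HOST_RE = re.compile(r"Host:\s+(\S+)\s+\(([^)]*)\)")
PORTS_RE = re.compile(r"Ports:\s+([^\t]+)")


def _parse_port_entries(ports_field: str) -> Iterator[Tuple[int, str]]:
    """Yield (port, state) from a -oG Ports field.

    Each entry looks like 'port/state/protocol/owner/service/rpc info/version/'.
    """
    for entry in ports_field.split(","):
        parts = entry.strip().split("/")
        if len(parts) >= 2 and parts[0].isdigit():
            yield int(parts[0]), parts[1]


def find_orion_hosts(grepable_output: str) -> List[Dict[str, object]]:
    """Return hosts with at least one Orion agent port open, in scan order."""
    results: List[Dict[str, object]] = []
    for line in grepable_output.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and anything else
        host = HOST_RE.match(line)
        ports = PORTS_RE.search(line)
        if not host or not ports:
            continue  # e.g. a host line that only carries 'Status: Up'
        ip, hostname = host.group(1), host.group(2)
        open_ports = sorted(
            port for port, state in _parse_port_entries(ports.group(1))
            if state == "open" and port in ORION_PORTS
        )
        if open_ports:
            results.append({"ip": ip, "hostname": hostname, "open_ports": open_ports})
    return results


if __name__ == "__main__":
    for h in find_orion_hosts(SAMPLE_NMAP_GREPABLE):
        label = h["hostname"] or "(no reverse DNS)"
        print(f"{h['ip']} {label}: Orion ports open {h['open_ports']}; follow SolarWinds' recommendations")
```

Feed real output with `nmap -sT -p 17778,17790 -oG - x.x.x.x/xx` piped into this parser; hosts it lists are the candidates for the upgrade in step two and the signature checks in step three.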

Get in Touch: To connect with NetSPI for support with testing efforts related to the SolarWinds Orion attack, email info@NetSPI.com.

Post: FireEye, SolarWinds, U.S. Treasury: What’s Happening in the Cyber Security World Right Now? (published 2020-12-15, https://www.netspi.com/?p=20716)

You have leadership buy-in to invest in a proactive cybersecurity program to better protect your organization from security breaches that could put your organization at grave risk. And you’ve committed to building an ongoing and continuous vulnerability management program to guard against the potential threats to your assets. Now what?

Putting a successful vulnerability management program in place needs careful consideration up-front to ensure your organization is set up for success to remediate vulnerabilities for each application and system you have. For a quick overview of the process, our Best Practices for Your Vulnerability Management Program tip sheet can be used as a guide. The following checklist breaks the best practices process down and provides you with a planning roadmap to getting the most value out of a penetration testing and vulnerability management program.

Penetration Testing Program Plan of Attack

Columns in the original table: Deliverable | Elements of Success | Requirements

Step One: The Plan

Develop a plan that puts structure and strength around cybersecurity to include continuous vulnerability testing and patching, incident response plans, and training and security awareness programs. The ultimate goal? Decrease time to remediation and to close security gaps in your network.

Clearly define the scope, objectives, identification of testing, and the order in which they are to be performed.

Build a vulnerability management team. This could include both in-house talent as well as industry analysts or consultants. When choosing a pentesting service provider, ask about the credentials of their pentesting team, beyond technical competencies. For example, will your team be made up of a dedicated work group or an outsourced group who haven’t previously worked together? Team structure has implications for streamlined communications and for knowing who is inside your network.

Augment with careful preliminary risk planning with contingency plans should any services be unintentionally disrupted.

Types of penetration testing:

□  Develop a high-level vulnerability management plan – be sure to include non-negotiables such as scalability and continuous testing

□  Present your case to business leadership; gain agreement on budget

□  Refine plan and define ownership and scope of your program to include personnel and their roles and responsibilities

□  Develop policies, standards, and procedures

□  Determine merchandising strategy – to bring visibility to the program’s successes

Step Two: Scanning and Assessment

Layer in automated scanning functions that deliver results that can be easily sorted and acted upon with human capital to find and fix vulnerabilities.

Create an enumeration (a list and count) of suspected vulnerabilities, built from multiple automated tools used over time rather than from a single tool.

Build in further analysis of suspected vulnerabilities using specialized tools and manual techniques as required.

□  Identify all assets you want to scan

□  Define vulnerability landscape:

  • Common vulnerabilities and exposures (CVEs)
  • Common configuration and enumeration (CCEs)
  • Architecture
  • Design

□  Define actionable reporting structure of vulnerabilities

□  Deploy automated vulnerability scanning, use authenticated mode to scan high-value resources

□  Prioritize pentesting cadence, beginning with an external network penetration test followed by internal network testing

□  Commence manual pentesting

Step Three: Preparing for Risk-Based Remediation

Develop a risk-based remediation plan commensurate with your program’s maturity level and appetite for business risk.

Employ a comprehensive verification of high-risk vulnerabilities including but not limited to safe exploitation of these vulnerabilities using both automated and manual processes, including the injection of malicious code when called for.

□  Rank vulnerabilities through an established remediation timeline. For example:

  • Critical = 7 days
  • High = 2 weeks
  • Medium = 1 month
  • Low = Patch driven updates

□  Assign application and system remediation owner

□  Build in business leadership approvals for long lead remediations

Step Four: Ongoing Reporting and Improvement

Automate your vulnerability management program as much as possible: spreadsheets, emails, and document sharing portals are insufficient for most organizations, large ones in particular. Automation enables 24/7 pentest report visibility with business leadership and continuous improvement.

Find a penetration testing reporting platform that is engaging and customizable to showcase what is most important to your business, one that can track and compare data over time.

Learn about the NetSPI Resolve™ platform.

□  Build a reporting framework – for the pentesting team and for business leadership

□  Identify continual improvement opportunities

□  Use comparison data to showcase progress over time and highlight successes
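As an added worked example (not part of the original checklist), the following Python script turns the severity-to-deadline table above into an overdue report per remediation owner and a scan-over-scan comparison. The finding key (asset plus scanner plugin id), the four-level severity scale, the 30-day reading of “1 month”, and the sample findings are all assumptions constructed for the example.

```python
"""Added example, not part of the original checklist: SLA tracking and
scan-over-scan comparison for vulnerability findings.

Assumptions (not from the original text): a finding is keyed by
(asset, scanner plugin id); severities are the checklist's four levels;
"1 month" is read as 30 calendar days; deadlines count from the date the
finding was first seen. All sample data below is constructed.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Remediation timeline from the checklist; None means "regular patch cycle".
SLA_DAYS: Dict[str, Optional[int]] = {
    "critical": 7, "high": 14, "medium": 30, "low": None,
}

Key = Tuple[str, str]  # (asset, plugin id)


@dataclass(frozen=True)
class Finding:
    asset: str
    plugin_id: str     # scanner plugin id or CVE id (assumed key)
    severity: str
    first_seen: date
    owner: str         # remediation owner assigned per the checklist

    @property
    def key(self) -> Key:
        return (self.asset, self.plugin_id)


def due_date(f: Finding) -> Optional[date]:
    """Deadline for a finding, or None when it rides the patch cycle."""
    days = SLA_DAYS[f.severity.lower()]
    return None if days is None else f.first_seen + timedelta(days=days)


def carry_forward(previous: List[Finding], current: List[Finding]) -> List[Finding]:
    """Keep the original first_seen for findings that persist across scans,
    so that rescanning does not reset the SLA clock."""
    prev = {f.key: f for f in previous}
    merged = []
    for f in current:
        old = prev.get(f.key)
        if old is not None and old.first_seen < f.first_seen:
            f = replace(f, first_seen=old.first_seen)
        merged.append(f)
    return merged


def overdue(findings: List[Finding], today: date) -> List[Tuple[Finding, int]]:
    """(finding, days late) pairs for findings past their deadline, latest first."""
    late = []
    for f in findings:
        d = due_date(f)
        if d is not None and today > d:
            late.append((f, (today - d).days))
    return sorted(late, key=lambda pair: (-pair[1], pair[0].asset))


def per_owner_summary(findings: List[Finding], today: date) -> Dict[str, Dict[str, int]]:
    """Open and overdue counts per remediation owner: the actionable view
    that leadership approvals and follow-ups are driven from."""
    late_keys = {f.key for f, _ in overdue(findings, today)}
    summary: Dict[str, Dict[str, int]] = {}
    for f in findings:
        row = summary.setdefault(f.owner, {"open": 0, "overdue": 0})
        row["open"] += 1
        if f.key in late_keys:
            row["overdue"] += 1
    return summary


def diff_scans(previous: List[Finding], current: List[Finding]) -> Dict[str, List[Key]]:
    """New, fixed and persisting findings between two scans: the comparison
    data used to show progress over time."""
    prev = {f.key for f in previous}
    curr = {f.key for f in current}
    return {
        "new": sorted(curr - prev),
        "fixed": sorted(prev - curr),
        "persisting": sorted(prev & curr),
    }


# Constructed sample data: a scan on 1 March and a rescan on 20 March.
SCAN_MAR_01 = [
    Finding("web-01", "PLUGIN-1001", "critical", date(2020, 3, 1), "infra-team"),
    Finding("web-01", "PLUGIN-1002", "medium", date(2020, 3, 1), "infra-team"),
    Finding("app-02", "PLUGIN-2001", "high", date(2020, 3, 1), "app-team"),
]
SCAN_MAR_20 = [
    Finding("web-01", "PLUGIN-1001", "critical", date(2020, 3, 20), "infra-team"),
    Finding("app-02", "PLUGIN-2002", "low", date(2020, 3, 20), "app-team"),
]
TODAY = date(2020, 3, 20)

if __name__ == "__main__":
    merged = carry_forward(SCAN_MAR_01, SCAN_MAR_20)
    for f, days in overdue(merged, TODAY):
        print(f"OVERDUE {days:>3}d  {f.severity:<8} {f.asset} {f.plugin_id} owner={f.owner}")
    print("per owner:", per_owner_summary(merged, TODAY))
    print("trend:", diff_scans(SCAN_MAR_01, SCAN_MAR_20))
```

The carry_forward step is the detail most often missed: a rescan reports a persisting finding again with the scan's own date, and if first_seen is taken from the latest scan, the SLA clock silently resets on every scan and nothing ever shows as overdue.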

All organizations should aspire to have the people, processes, and tools necessary to run an ongoing vulnerability management program. Without them, poor tool selections, testing mistakes, and misread vulnerability scanner and pentest results often create a false sense of security and leave the enterprise exposed. Building out a vulnerability management plan along the lines above can dramatically improve the security of your enterprise and keeps you moving toward the ultimate goal: shorter time to remediation and closed security gaps across your network.

[End of post: Checklist: Getting the Most Value Out of Penetration Testing and Vulnerability Management (last modified 2021-04-14)]

[Next post, published 2020-09-08]

The term ‘red teaming’ is said to be overused in the cyber security industry, which is why the concept is often misunderstood and unclear. But for the right cyber security pro, red teaming can be an exciting profession. Red teaming assessments are objective-based assessments of an organization’s security posture. Assessors may use any technique they deem appropriate to determine whether the objectives, defined up front, can be accomplished. Typically, a red team’s goal is to gain unauthorized access to an organization’s environment while avoiding detection, then maintain that access for a pre-determined period to test an incident response team’s ability to identify and respond to threats.

Red teaming is not a job for the faint of heart as it involves travel and many hours, even days, of thinking strategically and reacting quickly to the situation at hand. Nevertheless, it’s a critical component of every vulnerability testing strategy and can help organizations accurately assess threats to IT assets, benchmark current security capabilities, justify security investments, sharpen the skills of the team and improve detective controls. Given the importance of red teaming engagements, the industry should also understand the people behind the engagements and how they operate in order to get the most value out of the engagement. I talked with NetSPI Managing Director Nabil Hannan for an inside look at red teaming culture.

Aaron Shilts (AS): Who is drawn to red teaming work?

Nabil Hannan (NH): Although having solid technical skills to be able to circumvent security controls in the software, network or infrastructure may be an important skill to have, ultimately, the personalities who are most attracted to this type of work, and end up being most successful at red teaming engagements, are people who are clever and can think outside the box. Having the ability to think quickly on one’s feet and solve problems on the fly are important attributes for people who perform these assessments.

AS: Penetration tests and red teaming assignments can cause stress and anxiety. How does this affect professionals?

NH: Although red teaming engagements can be stressful, typically the personalities who do these engagements enjoy, and even thrive on, doing this type of work, and – from my experience – rarely consider this as true “stress.” Red teaming engagements really allow assessors to go above and beyond and truly think outside the box on how to circumvent security controls in creative ways to successfully complete objectives. These creative methods can range from being able to create phishing emails (that generate excitement and make victims fall for the attack and click/respond to the phishing attack) all the way to physical security attacks where you can use condensed air cans or even something as simple as a balloon to trigger motion sensors and get access to parts of a building which require special access or clearance.

AS: What kind of tools do red teams have at their disposal?

NH: Red Teaming assessments can leverage any existing information they have at their disposal regarding vulnerabilities and weaknesses in the systems and environments they are trying to compromise. This may include penetration testing reports, automated scan reports (e.g. static application security testing (SAST), dynamic analysis security testing (DAST), interactive application security testing (IAST), network scanning), video surveillance feeds, user guides, documentation around access controls, and more. There are also many tools and gadgets that can be purchased for fairly low cost to do reconnaissance and exploits with things like WiFi antennas with extended range, RFID sniffers, and USB mice with flash storage inside them.

AS: How can leaders help balance the demands of the job while creating a sense of camaraderie among their teams?

NH: Most red teaming engagements are performed in teams of two or more. It’s important for the team to work cohesively together and help complement each other’s strengths. Building a team with a good mix of both technical and non-technical skills is important for success. Successful leaders will assign specific roles for each team member focused on harnessing their strengths, and also ensure that the team works together to brainstorm and create plans and strategies on how to accomplish specific objectives outlined in the engagement.

AS: What background or qualifications are beneficial for a red team professional?

NH: Professionals with military and law enforcement backgrounds are a valuable addition to a team because they can help navigate the legal and physical security aspects of an engagement. And it’s critical to have professionals on the team who have the resources and technical expertise to be able to identify and exploit vulnerabilities in software systems to find ways to circumvent security controls and accomplish the objectives of the engagement.

AS: Is there risk for red teams to get in trouble with the law while participating in an engagement?

NH: There have been some incidents, but they are very rare. Typically, during Red Teaming assessments, the assessors are provided with a “get out of jail free” letter that they are required to carry throughout the engagement. These letters have details provided regarding the engagement, who the sponsor is, and contact information of the client to call and confirm the rules of engagement and scope of the assessment by law enforcement. The cyber security community typically isn’t worried about their assessors getting arrested and facing criminal charges, because they were performing the work on behalf of an organization, and they have contractual language that protects them.

Red teaming professionals certainly have their work cut out for them, as cyber security adversaries continue to evolve and find new ways to access sensitive systems and data. Let this article be a reminder to thank red team assessors next time you see them – and talk with them about how IT and security leaders can better enable them to work collaboratively, use all available resources, and use their creative, yet technical, minds to help organizations assess security threats and ultimately improve their security posture.

[End of post: Q&A with Nabil Hannan: An Inside Look at Red Teaming Culture (last modified 2021-04-14)]

[Next post, published 2020-08-18]

No industry is safe from a cyberattack and last year’s long list of breach victims is testament to that. Within the first six months of 2019, 3,800 breaches were reported, exposing 4.1 billion records. The impact of a breach continues to grow, and the wide-ranging threat landscape continues to shift – thus, our network security testing strategies should evolve in tandem.

Penetration testing has been around for decades and has remained at the foundation of vulnerability testing and management programs. But as the modern enterprise continues to evolve, and attack surfaces become much more complex, pentesting has remained relatively unchanged. Following a pentest, security and IT teams are typically left with an immense amount of vulnerability data that ends up in PDFs with limited context, making it challenging to process and collaborate with development teams for vulnerability remediation. In addition, many organizations struggle with the breadth of their security testing coverage and lack the time or financial resources to adequately pentest all of the applications and systems in their environment – and they can’t remediate all the vulnerabilities from each test. According to Gartner, once a company discloses a vulnerability and releases a patch, it takes 15 days before an exploit appears in the wild.

To ensure critical assets are secure and their entire attack surface has some level of pentesting coverage, today’s modern enterprise requires a more continuous and comprehensive penetration testing process.

Enter Penetration Testing as a Service, or PTaaS: a hybrid approach to security testing that combines manual and automated ethical hacking attempts with 24/7 scanning, consultation and streamlined communication and reporting delivered through a single platform. By delivering pentesting “as a service,” organizations receive a broader, more thorough vulnerability audit year-round instead of relying on point-in-time pentests, which are typically executed just once a year.

Point-in-Time Pentesting Versus PTaaS

While an important starting point, point-in-time penetration testing has its limitations. Once a test has been completed, how can one be sure that no new vulnerabilities arise during the remaining 364 days of the year? To better understand the impact of PTaaS, here are four core differences between point-in-time penetration testing and PTaaS. PTaaS gives organizations:

  1. Visibility and control. Through PTaaS, organizations are put in control of the pentest. Security teams gain the ability to request and scope new engagements, see the progress and status of all open engagements, easily parse the vulnerability trends, and work to understand and verify the effectiveness of remediations, all within a single online platform.
  2. Paths to quicker remediation. The penetration testing reports, often static PDFs, created after a standard pentest leave much to be desired when it comes to vulnerability remediation. On average, it takes 67 days to remediate critical vulnerabilities. PTaaS platforms allow findings to be actionable as they can be sorted, searched, filtered, and audited. As the vulnerability or exploit evolves over time, the data related to it will be updated, not remain unchanged in a document. Additionally, PTaaS provides development teams with the most up-to-date and relevant information for remediation, with assistance and consultation from the team of pentesters who found the vulnerability.
  3. More security testing possibilities. Due to both the cost savings of automation and the efficiency provided for remediating vulnerabilities, companies are able to do more with their budgets and internal resources. The faster vulnerabilities are found and remediated, the quicker the company can move on to protect itself from the next vulnerability.
  4. Prioritized, actionable results. PTaaS platforms, like NetSPI’s Resolve, will aggregate and correlate the findings, eliminating manual administrative tasks while providing a result set that drives the right set of actions in an efficient manner for all organizations. According to Gartner, one of the most common ways to fail at vulnerability management is by sending a report with thousands of vulnerabilities for the operations team to fix. Successful vulnerability management programs leverage advanced prioritization techniques and automated workflow tools to streamline the handover to the team responsible for remediation.

What’s fueling the desire for an “as a Service” model for penetration testing?

Businesses, no matter the industry, are constantly changing and are on the lookout for technology that can scale with them. Because of the constant flux that businesses remain in today, whether from engaging in a merger or acquisition or integrating a new software program, there is a desire to uncover the most efficient way to maintain an always-on vulnerability testing strategy, while also ensuring capacity to remediate. PTaaS is scalable, so that organizations of all sizes and maturity can use it to maintain a small part of their security testing program – or the entire program.

Further, heavily regulated industries – such as financial services, healthcare, and government – benefit greatly from an “as a Service” model, given the level of sensitive data stored and pressures of maintaining compliance. With PTaaS, organizations can consume their data, on-demand, in many formats for their various regulatory bodies and gain the visibility to know what is happening in their security testing program, and what actions need to be taken.

PTaaS is the new standard for vulnerability testing and remediation as security teams recognize that annual testing does not enable a proactive security strategy. Pentesting engagements are no longer a once-a-year tool for compliance and have evolved into a critical part of day-to-day security efforts.

[End of post: Four Ways Pentesting is Shifting to an “Always On” Approach (last modified 2021-04-14)]

[Next post, published 2020-07-28]

Let’s face it. The chefs in our lives were right when preaching the “clean as you go” philosophy while cooking. Keeping counters and utensils washed and put back in place helps thwart the influx of bacteria and spread of cross contamination that could make us sick. Shouldn’t that same philosophy apply to cyber security, too? Foregoing a “clean as you go” program and conducting a penetration test just once each year may check a compliance box, but ultimately prove to be unsuccessful when it comes to protecting your network and assets from the potential “bacteria” that can enter at any time.

Systems and applications in any organization become alarmingly vulnerable if monitored under a one-and-done scenario. An ongoing and continuous vulnerability management program or penetration testing program is an important guard against the potential threat to your technology assets that hackers pose nearly every second of the day. In fact, a University of Maryland study says that hackers attack every 39 seconds (on average 2,244 times a day). Think of how vulnerable your technology assets are in this environment if only penetration tested once a year.

As an aid to help put structure around a continuous penetration testing program, here are four core considerations that should be a key part of an always-on security program.

1. Prevent Breaches with an ‘Always On’ Testing Mentality

There’s no doubt about it: attack surfaces grow and evolve around the clock. With network configurations, new tools and applications, and third-party integrations coming online constantly, an atmosphere is created that opens the possibility of unidentified security gaps. This white paper points to the fact that cyber-attacks can affect your business and are almost as prevalent as natural disasters and extreme weather events. And we know from our own NetSPI research that nearly 70 percent of CISO security leaders are concerned about network vulnerabilities after implementing new security tools.

And those CISOs’ concerns are valid: take the recent announcement from the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). CISA published security advice for organizations that may have rushed out Office 365 deployments to support remote working during the coronavirus pandemic. A ZDNet article says that CISA warns it continues to see organizations that have failed to implement security best practices for their Office 365 implementation. CISA is concerned that hurried deployments may have led to important security configuration oversights that could be exploited by attackers. With continuous penetration testing in place, security leaders can identify high risk vulnerabilities in real-time and close those security gaps faster.

2. Automation Is a Tool; Human Logic Is Critical

Good pentesters use automated scanning tools (ideally from several different vendors) and run frequent vulnerability discovery and assessment scans as part of the overall pentesting process. Vulnerability scanning is generally considered a supplement to manual, deep-dive pentests conducted by an ethical hacker. Manual pentesting uses the findings from automated vulnerability and risk assessment scanners to pick critical targets for experienced human pentesters to 1) confirm as true positives rather than chase false positives, and then 2) consider exploiting as incremental steps toward gaining privileged access somewhere important on the network.

Purely automated tools and highly automated testing activities cannot adequately test the business logic baked into an application. While some tools claim to perform complete testing, no automated technology solution on the market today can perform true business logic testing. The process requires the human element that goes well beyond the capabilities of even the most sophisticated automated tools.

3. Penetration Testing Reports Don’t Have to Be Mundane

We can all agree that there isn’t much enjoyment in reading pages and pages of pentesting data presented in static Excel or PDF documents. Now picture the paperwork for a once-a-year penetration testing report. Gulp! Much as many of us consume the daily news headlines, CISOs should view the daily “headlines” of their vulnerability management program through live pentest report results.

Under this scenario, less time is spent analyzing penetration testing report data, opening valuable time to give to the important work of remediation. Insist on the following pentest report deliverables in your penetration testing program:

  1. Actionable, consumable discovery results, with the data collected from multiple open source and proprietary tools automatically correlated and normalized.
  2. High quality documentation and reports related to all work delivered, including step-by-step screen-capture details and tester commentary for every successful manual attack.

4. Stay Ahead of the Attacks Through Remediation

To stay ahead of attacks that arrive every 39 seconds, it’s important to enable fast and continuous remediation to keep threat actors at bay. This goes hand in hand with testing, analyzing, and reporting: if you’re not continuously testing for vulnerabilities, it’s highly probable that issues remain unresolved. Layer these remediation best practices into your pentesting program:

  1. Industry-standard and expert-specific mitigation recommendations for all identified vulnerabilities.
  2. Traceability and archiving of all of the work done to make each subsequent round of testing for your organization more efficient and effective.

Factoring these considerations—always on testing, manual testing, real-time reporting, and remediation—into the planning and design of penetration testing programs will significantly minimize the risk of damage or disruption that could occur in an organization, and dramatically boost the security of your cyber assets.

[End of post: Four Must-Have Elements of an Always-On Cyber Security Program (last modified 2021-04-14)]

[Next post, published 2020-06-09]

Proactive or preventative cyber security testing continues to be an afterthought in today’s conversations around breach preparedness. In this Forbes article, for example, the author suggests establishing an incident response plan, defining recovery objectives and more, all of which are necessary – but there’s no mention of investing in enterprise security testing tools and penetration testing services that boost your cyber security posture in the first place.

Sure, it can be difficult to make a business case for the C-suite to invest in an intangible that doesn’t directly result in new revenue streams. Historically, though, breaches cost companies millions and sometimes billions of dollars, proving that a ‘dollars and sense’ case can be made for preventative cyber security testing.

Even when a case is made to the board and funding is available, enterprise security teams struggle to be proactive because they are constantly reacting to the threats already looming in their network, lack adequate staffing, and the pace of vulnerabilities continues to outpace the business. So, how can the C-suite and security teams come together to prioritize the urgency of implementing a proactive cyber security testing program? How can we communicate that the upfront planning and set up is a proactive investment that will help eliminate the financial and time strain of a purely reactive cyber security program?

The reality is that cyber security breaches today are inevitable and put organizations at grave risk. To help your security team make the case for prevention-based security investments, such as penetration testing and adversarial simulation, here are three recommendations that will get the attention of C-suite executives and help your security team remain proactive:

Translate the Impact of a Breach into Dollars and Sense that the C-Suite Understands

In today’s digital world, data is more valuable than ever and more vulnerable. So, how can you best communicate this heightened value of data security and risk to your leadership team? By speaking a language they understand. First, shift your mindset from talking about “cyber security and compliance” to “customer safety and quality services;” these terms will resonate better with the C-suite.

Next, be prepared to talk financial risk. Annually, IBM and Ponemon Institute release the Cost of a Data Breach Report, which includes a calculator based on industry and cost factors – such as board-level involvement, compliance failures, and insurance – to determine the potential financial impact of a breach. Use this resource to calculate your own organization’s estimated cost of a data breach.

A simple calculation case study: In the United States, if an attacker compromises just 5,000 records, it could cost your organization over $1 million (based on the average cost of $242 per lost record). This case demonstrates the cost of a smaller-scale breach – in fact, the average size of a data breach in the United States in 2019 was 25,575 records, resulting in an average cost of $8.2 million per breach. Compare that to the average cost of a vulnerability management or penetration testing program, and your case to the executive team is pretty simple. Notably, loss of customer trust and loss of business are the largest of the major cost categories, according to the report. The study finds that breaches caused a customer turnover of 3.9 percent – and heaps of reputational damage.

Lastly, use examples in your respective industry as proof points. For example, if you’re in the financial services industry, reference other breaches in the sector and their associated cost. It’s important to clearly communicate the reality of what happens when your organization is breached to get the C-suite on board for more cyber security spend. Sharing concerning results of reactive cyber security strategies helps executives see the benefit of investing in proactive security measures to prevent a breach from happening in the first place.

Help Leaders Understand Cyber Security Testing’s Role in a Crisis Preparedness Plan

A data breach is a common crisis scenario for which every business should plan. It should be discussed in tandem with other risk scenarios like natural disasters, product recalls, employee misconduct, and conflict with interest groups, to name a few. As with any disaster preparedness program, documentation and reporting are critical. Specifically, documentation of your vulnerability testing results and remediation efforts should be viewed as a tool to inform leaders about the organization’s exposure to risk, as well as its ability to prevent breach attempts from being successful. Cyber security weaknesses to look for from an organizational standpoint include lack of continuous vulnerability testing and patching, untested incident response plans, and limited training and security awareness programs. These three key areas can turn into the “Achilles heel” of any organization’s security posture if not addressed and implemented properly.

Position Your Pentest Team as an Extension of Your Own Security/IT Team

According to a survey we conducted earlier this year, over 80 percent of security leaders say lack of resources keeps them up at night. And for some time now, the cyber security industry has suffered a skills shortage. While companies are eager to hire cyber security experts to address the ever-evolving threat landscape and avoid the high costs of a breach, there aren’t enough people who can fill these roles. According to the latest data from non-profit (ISC)², the shortage of skilled security professionals in the U.S. is nearly 500,000.

Hiring outside cyber security resources is one solution to this demand conundrum. Time is invaluable, so if you propose to hire new vendors, it’s important from the start to position the white hat testers to your executives as an extension of your own team. It is the responsibility of both corporate security practitioners and vendors to find ways to work collaboratively as one team.

Pentesting is a great example of the importance of collaboration in cyber security. Traditionally, pentesters complete their engagement, hand off a PDF and send the internal team off to remediate. With the emergence of Penetration Testing as a Service (PTaaS), pentesters not only perform an engagement, they also conduct more deep-dive manual tests, continuously scan for vulnerabilities to deliver ongoing pentest reports in an interactive digital platform that separates critical vulnerabilities from false positives (a time-consuming activity for your in-house team) and serve as remediation consultants for your organization. Make it clear to your C-suite that vendor relationships are changing and cyber security testing vendors can serve as a solution for current cyber security skills gaps within the business.

When the C-suite and IT and security departments are disconnected on priorities, the risk of a data breach increases. Learn to speak the language of your executive leaders and communicate the true value of proactive security measures. Effective communication around the potential financial impact of a breach, where vulnerability testing fits in a crisis preparedness plan, and ways to solve cyber security talent shortages, can result in additional budget for proactive cyber security testing and other security initiatives.

[End of post: Making the Case for Investing in Proactive Cyber Security Testing (last modified 2021-04-14)]

[Next post, published 2020-05-14]

On May 13, 2020, NetSPI President and COO Aaron Shilts was featured in Dark Reading.

Aaron Shilts, president and chief operating officer at security testing firm NetSPI, says faster software development life cycles and inefficiencies in manual deep-dive penetration testing programs are driving interest in PTaaS.

Organizations are overloaded with traditional pen-test PDF deliverables, many of which can contain a mountain of findings, he says. This has made it difficult for organizations to prioritize, correlate, and drive remediation activities.

"PTaaS is essentially an enriched delivery model, making it easier for customers to consume testing services, from initial scoping to reporting," he says. "It ultimately helps to accelerate the remediation process."

Read the full article here.

[End of post: Dark Reading: Organizations Conduct App Penetration Tests More Frequently – and Broadly (last modified 2021-04-14)]

[Next post, published 2020-03-09]

On Mar. 9, 2020, NetSPI President and COO Aaron Shilts was featured in Banking Dive.

The next level of self-hack is conducted at a more enterprise level, called red team testing. There are a few variations of the approach. In one, red-team testers adopt the tactics of a specific, known threat actor and try to achieve a specific objective against a chosen target. Red teaming is typically done by banks that are at a higher level of security maturity overall, said Wong.

The value of penetration testing over simply using scanning software is that you’re adding humans to the mix, said Aaron Shilts, president and COO of vulnerability assessment firm NetSPI. "If we were bad guys, you know, what would we use to get in?" Shilts told ABA. "How could we get in? What do their defenses really look like? With limited information, it’s kind of a good way to simulate how accessible the crown jewels are from the outside."

Read the full article here.

[End of post: Banking Dive: Banks engage in self-hacks to keep defenses sharp (last modified 2021-04-14)]

[Next post, published 2020-03-04]

We just returned from RSA Conference, and like every year, it did not disappoint in meeting its charter: “to be a driving force behind the world’s cybersecurity agenda… the place that provides a forum for innovation and partnership… as cybersecurity has become more relevant across all aspects of our daily lives.”

While there was much talk about automation, artificial intelligence and, of course, technology, Rohit Ghai, president of RSA, emphasized in his keynote address a point that we, at NetSPI, support day in and day out — the critical importance of people in the complicated and ever-evolving world of vulnerability management.

From the stage, Ghai asked the audience whether humans in cybersecurity will still matter once technology advances. He argued that, yes, the human element will always matter, and that what differentiates humans from machines is our ability to tell a story. “We, as cybersecurity professionals, need to change the story of cybersecurity and turn the narrative toward 'cyber-resilience,'” Ghai said. Bob Keaveney, managing editor of BizTech, concurs. He wrote, “Human activity will continue to be the indispensable difference between successful and foiled hacks.”

Considering the importance of the human touch in cybersecurity, we observed these three prevalent themes during RSA:

Takeaway 1: CISO Leadership Must Be in the Boardroom

We are confident that no organization wants to impede its infosec programs, yet as we pointed out in this blog post, many problems can be traced back to miscommunication and misunderstanding of a technical topic by people who do not have technical expertise. As such, planning for communication and collaboration in the early stages of building out your infosec program is critical — starting in the boardroom.

As the individual most responsible for establishing and maintaining the enterprise vision, strategy, and program that ensure information assets and technologies are adequately protected, the Chief Information Security Officer (CISO) serves as the bridge between the highly technical language inherent in infosec, vulnerability, and data security management programs and the other C-suite executives and board members, who are more financially, operationally or innovation focused.

Speaking of the human touch in cybersecurity, read this short case study about how Equifax faces a new day in cybersecurity by emphasizing cultural change as a solution.

Takeaway 2: Intelligence Sharing and Cyber Defense Go Hand in Hand

Infosec experts are creative thinkers. They are constantly coming up with new ways to “break things” in a dogged determination to stay ahead of the vulnerabilities their company may face from hackers and manage the remediation of potential (or actual) breaches.

At NetSPI, this new thinking manifests in our commitment to developing open-source tools that strengthen the infosec community. We publish our open source projects and write a blog specific to best practices and information sharing.

Fortunately, we aren’t alone in our belief in the importance of supporting the entire infosec community. In fact, BankInfoSecurity named threat intelligence and sharing a top theme of the show. Further, when analyzing the abstracts from would-be speakers at RSA, event organizers noted a shift in emphasis. "We saw an increase in submissions that documented the inherent weaknesses and challenges of machines, with some deeply technical and wonderfully detailed submissions digging into the specifics and providing guidance and best practice considerations," said Britta Glade, the RSA Conference's director of content and curation.

Takeaway 3: Automation as a Tool, Not the Be All and End All

Automation has a clear role in helping organizations with pentesting for enterprise security management. In fact, as this BizTech article states, closing the cybersecurity skills gap is a perennial problem that automation may help solve. Our concern? Automation alone only exacerbates the plethora of information that CISOs are inundated with daily without, as RSA noted, “the human element – the experts who can turn those stacks of static reports into real-time accessible reporting as vulnerabilities are found.”

And we aren’t alone in this thinking. In its RSA coverage, CRN.com associate editor Michael Novinson advocates for a more pragmatic approach to handling risk than traditional vulnerability management, one that would place both automation and remediation front and center. Unisys CTO Vishal Gupta concurs: “Being presented with a list of hundreds of thousands of problems doesn’t do a CISO much good given the amount of digital assets and software in an organization. Continuously telling businesses what’s wrong is more of a risk identification strategy than a risk mitigation strategy and doesn’t provide them with any better handle on the problem.”

Organizations with a mature security program understand that moving from a point-in-time vulnerability management program to a continuous model delivers results around the clock, enabling infosec professionals to manage vulnerabilities more easily and efficiently. In fact, the concept of continuous monitoring should be baked into the development process from the start. In its RSA coverage, TechBeacon notes that in the DevSecOps model, infrastructure as code allows continuous code and security scanning to cover infrastructure configurations as well, which keeps the security team from blocking development with time-consuming tests.

In an interview with NCC Group’s Research Director Clint Gibler, TechBeacon writes that infrastructure as code is essential. “For developers, a key advance is the increasing use of infrastructure as code and continuous deployment. When networking and server configuration are part of the application configuration, the settings can be checked for weaknesses in the same way as other application components,” said Gibler. "You can run security checks on your infrastructure code before it is even deployed. And it makes it easy to avoid any drift over time, and get back to a pristine state.”

Continuous Pentesting Coupled with “the Human Element”

In the spirit of these three RSA takeaways, NetSPI introduced its new Penetration Testing as a Service (PTaaS) offering, powered by the Resolve platform, at the conference. PTaaS puts our customers in control of their pentests and their data, enabling them to simplify the scoping of new engagements, view their testing results in real time, and orchestrate quicker remediation, with the added ability to perform always-on continuous testing. We believe the key to its success is the integration of our team of expert pentesters, who perform deep-dive manual testing enhanced by automation to uncover an organization’s vulnerabilities. While automation creates efficiencies, the human touch is also necessary to identify the high and critical severity threats that can only be discovered by manual testing.

Want to read more about the future of cybersecurity? Read RSA’s 2020 trend report here.

Post title: RSA 2020: Three Takeaways from the Halls of the Moscone Center

ABA Banking Journal: Go Hack Yourself
Published March 2, 2020

On Mar. 2, 2020, NetSPI President and COO Aaron Shilts was featured in ABA Banking Journal.

Aaron Shilts, president and COO of NetSPI, a vulnerability assessment firm based in Minneapolis that works with large financial firms, says the value of penetration testing over scanning software is “that you’re adding humans to the mix.” “With red teaming you act as an outside adversary.” In designing a test for a client, Shilts asks some basic questions. “If we were bad guys, you know, what would we use to get in?” he asks. “How could we get in? What do their defenses really look like? With limited information, it’s kind of a good way to simulate how accessible the crown jewels are from the outside.” Red team projects with NetSPI typically would last about a month, Shilts says.

Read the full article here.

Post published June 29, 2021:

On June 29, 2021, NetSPI President and CEO Aaron Shilts was featured in an article from Minne Inno and Minneapolis/St. Paul Business Journal:


Ransomware attacks have recently made headlines as everything from meat suppliers to schools and hospitals are falling prey to the unforgiving data breaches.

Minneapolis-based NetSPI, a network security firm, is now offering a ransomware attack simulation service to help companies protect themselves.

The service works by emulating real-world ransomware attacks to find and fix vulnerabilities in a company's cybersecurity defenses.

"The DNA and the way we deliver our work lends itself well to helping companies with ransomware," said NetSPI CEO Aaron Shilts. "… We act as a ransomware attacker, using the same attacks, same tools and show them where their weakness would be."

Shilts said the simulation not only illuminates where a breach can be made, but also how the company's systems responded to the attack.

"That's a big part of it. If you can detect something soon, you can usually protect it before they take out the entire network," he said. "If you don't have the detection capabilities, it will spread very quickly."

With tens of millions of dollars funneling towards the attackers, many of whom are backed by foreign governments, it seems like a daunting task to stay on pace with the attackers.

However, out of NetSPI's 225 employees, 150 of them are cyber security experts that research and familiarize themselves with the latest attack patterns.

Shilts said the team is incredibly sharp and "lives and breathes" cybersecurity.

As far as who would benefit the most from the company's service, Shilts said any operating business is a target to the attacks. 

NetSPI's work gravitates more towards heavily regulated financial services firms that store personally identifiable data. But less regulated sectors such as K-12 schools and state and local government are high-value targets because they're easier to pick off.


To learn more, read the full article here: https://www.bizjournals.com/twincities/inno/stories/news/2021/06/29/netspi-ransom-ware-attack-simulation.html

Post title: Minne Inno & MSP Business Journal: NetSPI adds ransomware attack simulation to its penetration testing portfolio