Whether this is your first time considering a penetration test or you’re just looking for a refresher on the latest techniques, Open Security has you covered. Today, we want to dive into why we love Assume Breach Penetration Testing and why it’s our go-to method. Let’s break down what Assume Breach testing is, how it compares to traditional methods, and why it’s the best approach for truly understanding your security posture.
What is Assume Breach Penetration Testing?
Before diving into Assume Breach Penetration Testing, it’s important to understand the landscape of security assessments:
- Vulnerability Assessment: This engagement focuses on detecting vulnerabilities using automated tools and techniques. It’s best for regular, periodic risk assessments. Think of it as walking around your house and noting weaknesses like open windows or doors without locks.
- Penetration Test: Here, we ramp up the intensity and exploit identified vulnerabilities to gain access to new information and attack surfaces. It’s like walking through an unlocked door and exploring other rooms, potentially breaking into a weak safe to steal information.
- Red Team: While Penetration Tests and Vulnerability Assessments focus on systems, Red Team exercises test your defensive staff’s response mechanisms. This is typically an unannounced test, so only a few people in your organization know about it beforehand. Imagine testing the security system of your house, noting if there is motion tracking in each room, which windows have alarms, and how fast the response time from the security company is when an alarm is tripped.
Assume Breach Penetration Testing starts at the point of a breach to determine your organization’s risk if a breach occurs. The scenario could be through compromised user credentials, a VPN breach, or even a rogue device with stolen credentials. The goal is to see how well your network is hardened against lateral movement and modern exploitation tactics.
Comparing “Regular” and “Assume Breach” Penetration Tests
For the purposes of this discussion, we’ll focus on Network Penetration Testing:
- Traditional Penetration Test: Here, testers start from the perspective of a rogue device on the network with no credentials. This setup simulates a scenario where an attacker physically plugs into your network. While not bad, it’s fairly unlikely and doesn’t account for more common attack vectors like social engineering. According to the Verizon 2024 Data Breach Investigations Report, 68% of breaches occur from non-malicious human action, such as a social engineering attack compromising a user’s credentials.
- Assume Breach Penetration Test: This test assumes that an attack has already landed on a domain-joined device or uses stolen credentials through a VPN (such as the infamous Colonial Pipeline hack in 2021). This approach is more realistic because the attack surface is significantly larger with credentialed access. It allows us to explore domain misconfigurations, sensitive data on shared drives, coercion attacks, internal web application security, and role-based access controls.
Why Should I Assume I’ll Be Breached?
To understand this, let’s talk about “Defense in Depth”:
- Military Roots: The term “Defense in Depth” comes from the military and base defense. Open Security has deep military roots, and we think Defense in Depth is an excellent way to approach Cybersecurity. The concept is about delaying your opponent with multiple layers of defense. Instead of a single strong line (a boundary network firewall), you create bottlenecks and engage in different methods to slow down the attacker.
- Cybersecurity Application: A strong internet-facing security posture is crucial. According to the Verizon 2024 Data Breach Investigations Report, only 14% of breaches are due to exploitation of vulnerabilities. Eliminating these is important, but what about the other 86%? You need multiple layers of defense to cover all bases.
- Human Element: 68% of breaches involve a non-malicious human element, like social engineering or re-used passwords that were compromised from a different breach. People make mistakes, and no one is immune to a well-crafted social engineering attack. Thus, a multi-layered defense strategy is key:
- First Line of Defense: Use a quality security stack, including email security, endpoint detection and response, and network firewalls. Ideally, the non-malicious humans never even *get* socially engineered. We have opinions on what we think a quality security stack looks like, if you’d like to chat with us about it.
- Second Line of Defense: Train your humans to reduce the success rate of social engineering. Implement effective phishing simulations and ongoing education. There are many ways to poorly implement a phishing simulation program (and we have opinions on this one too), but training your people is the next line of defense. You want your users to be suspicious by nature, reducing the rate at which potential breaches occur. Training people is also a core part of Open Security’s DNA – our CIO, Matthew Toussain, is a long-time SANS Instructor, course author, and developer of the Voltaire training tool. We have exciting developments planned in this space later in 2024 if you want to talk to us about it.
- Third Line of Defense: When bad actors get in, can they move laterally, compromise services, escalate privileges, or exfiltrate data? Assume Breach Penetration Testing answers these questions and informs your additional layers of defense. Want to discuss more with a human?
Why Assume Breach is Open Security’s Favorite Method
At Open Security, we never assume defensive perfection because it’s unrealistic. Starting a Network Penetration Test without access to user credentials overlooks a significant portion of potential breaches. Most attacks will land on an internal system with credentials, and ignoring this leaves your Defense in Depth posture misaligned. We believe in testing for the most likely scenarios to ensure your defenses are truly robust.
Conclusion
Assume Breach Penetration Testing offers a realistic and comprehensive approach to understanding your security posture. By starting with the assumption that a breach has occurred, we can more accurately assess your network’s resilience against real-world threats. At Open Security, we believe this method provides the most value, helping you identify and address vulnerabilities that could otherwise go unnoticed.
Ready to take your security to the next level? Reach out to Open Security to discuss how Assume Breach Penetration Testing can benefit your organization. We’re here to ensure your defenses are as strong as possible, providing you with peace of mind and actionable insights.

JOSHUA CHRISTMAN | OSCP, OSCE | CHIEF OPERATIONS OFFICER
Josh Christman graduated from the Air Force Academy in 2013 with a BS in Computer Engineering and Computer Science with a focus on Cyberwarfare. Following USAFA, he proceeded to get his Master of Science in Computer Engineering from the Air Force Institute of Technology, focusing on Artificial Intelligence and publishing a paper at the 14th International Conference on Machine Learning and Applications. His Air Force career then continued into Offensive Cyber Operations, working for the premier offensive cyber unit in the Air Force. Since transitioning out of the Air Force he has run Red Teams, Application Security Teams, and Vulnerability Management Programs in the fintech industry. He is now responsible for all security engineering efforts at Open Security.