
Compromise Assessments vs. Penetration Testing: Which Is Best for My Organization?

By Inno Eroraha, Founder & Chief Strategist, NetSecurity Corporation

In this document, I want to share some thoughts on whether organizations should conduct penetration testing, compromise assessment, or both.

Penetration Testing
Penetration testing is typically conducted by organizations to gauge the vulnerability of the target business against adversarial threats, often from nation-states, competitors, insider threats, and lone-wolf cyber criminal operators. Another impetus for organizations to conduct penetration testing exercises is to satisfy regulatory requirements, or perhaps the organization simply wants to “check-the-box” as part of annual requirements or external/third-party due diligence. This exercise is often performed during a defined window to provide the cyber risk “snapshot” of the target infrastructure at a point in time.

The scope of penetration testing often includes physical penetration, social engineering, wireless assessment, operations technology (OT) and Internet-of-Things (IoT) testing, web/mobile applications, and network testing. While most penetration engagements seek to exploit vulnerabilities, another common use case for pen testing is to determine the incident response (IR) capabilities of the target entity – i.e., the extent to which the IR or security operations center (SOC) capabilities can detect and report adversarial threats simulated as part of the testing.

After defined rules of engagement (ROE) have been signed and the testing conducted, detailed documentation (such as Executive Summary and Technical Report) is produced for respective audiences. These reports detail key vulnerabilities or risk areas and recommendations for mitigating or reducing the risk to the organization.

In my experience, some of our clients opt to perform “remediation testing,” in which a validation test is conducted weeks after the report is delivered and the target organization’s engineers have had the opportunity to mitigate the risks identified during the initial testing. Often, the residual risk is minimal, which demonstrates the organization’s proactiveness in risk remediation. A majority of other organizations do not bother with re-testing, leaving risk mitigation up to the engineers to “do the right thing.” In other words, the organization assumes that the risk has been addressed, until the following year when the same vulnerabilities are uncovered. So while some target companies (or agencies) perform their due diligence, learn from the results of penetration testing, and mitigate the vulnerabilities discovered, others just are not as proactive. This raises the question: Why even bother with penetration testing when vulnerabilities will not be fixed as soon as possible?

Results of Penetration Testing
The outcome of penetration testing is binary: either assets of the enterprise were compromised or the network withstood the attempt. A well-implemented threat protection platform such as NetSecurity’s ThreatResponder Platform makes the compromise of endpoints impossible, or at least gives a successful adversary a run for their money, for example when they rely on malware-less or fileless techniques or on lateral movement. Even if the target enterprise is not compromised during the penetration testing engagement, that does not mean there is no adversary on the wire or that a nation-state adversary is not “living off the land.” Many of these adversaries' tactics, techniques and procedures (TTPs) are catalogued in the MITRE ATT&CK framework.

You may be wondering how penetration testing can be leveraged to identify and kick out the adversary. Penetration testing typically would not uncover the fact that an attacker has been dwelling on your network for several months. Put simply, penetration testing is not typically designed to identify and evict the adversary.

Compromise Assessment
Unlike penetration testing, compromise assessments are often executed against a target organization to determine whether the enterprise has been compromised by nation-state threat actors or insider operators, either through malicious software, data exfiltration, unauthorized access, or other security breaches or exploitation. Compromise assessment is often done by having a complete inventory of all the organization’s assets, including devices, systems, and services, regardless of their locations – cloud, remote, or on-premises environments. Compromise assessment involves accounting for the inventory, collecting audit logs and trails centrally over a period of time, and leveraging automation and (internal and external) threat intelligence to enrich the data. Compromise assessment also involves leveraging endpoint threat detection, prevention, response, and hunting platforms like NetSecurity’s ThreatResponder to sweep the enterprise for threat operations. Network-level devices may help to collect traffic and data that may be analyzed to detect network-level threats, anomalies, and outliers. Leveraging automation and threat hunting techniques may reveal a potential breach. Below are some examples of threat hunting scenarios that may be executed based on the environment in question:

• “Show all connections to {RU,CN,FR} that occurred between 2:04 AM and 5:07 AM that did not leverage a browser or signed executable and that resulted in the transmission of > 2MB of data”
• “Show all systems that received successful inbound RDP or VPN connection from foreign IP addresses during non-business hours and the amount of data transferred each day”
• “Show all users who uploaded > 2GB of data through {web post, webmail, email, printing, USB, network shares} over the past week”
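To show what the first and third hunts above look like once the enriched data is in hand, here is an added example (not code from the post or from ThreatResponder) that runs both queries over a handful of constructed flow records. The record fields, the browser list, and the use of GeoIP country codes and code-signature status as enrichment are assumptions about what the central log pipeline provides.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass
class Flow:
    """One enriched outbound connection (fields are assumed, not ThreatResponder's schema)."""
    host: str
    user: str
    process: str        # image name of the process that opened the connection
    signed: bool        # True if the executable carries a valid code signature
    dst_country: str    # from GeoIP enrichment of the destination address
    started: datetime   # local time the connection was established
    bytes_out: int      # bytes sent from the endpoint over this connection

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
WATCH_COUNTRIES = {"RU", "CN", "FR"}
WINDOW_START, WINDOW_END = time(2, 4), time(5, 7)
MIN_BYTES = 2 * 1024 * 1024                 # ">2MB" in the first hunt

def suspicious_offhours_egress(flows):
    """First hunt: connections to watch-listed countries between 02:04 and 05:07
    that came neither from a browser nor from a signed binary and sent >2 MB."""
    hits = []
    for f in flows:
        if f.dst_country not in WATCH_COUNTRIES:
            continue
        if not (WINDOW_START <= f.started.time() <= WINDOW_END):
            continue
        if f.process.lower() in BROWSERS or f.signed:
            continue                        # benign-looking origin, skip
        if f.bytes_out <= MIN_BYTES:
            continue                        # too small to be an exfil candidate
        hits.append(f)
    return hits

def heavy_uploaders(flows, threshold=2 * 1024 ** 3):
    """Third hunt, simplified: total bytes sent per user over the sample window
    (each Flow stands in for one upload channel record) above 2 GB."""
    totals = {}
    for f in flows:
        totals[f.user] = totals.get(f.user, 0) + f.bytes_out
    return {u: b for u, b in totals.items() if b > threshold}

# Constructed sample: one signed/browser flow each, one unsigned in-window flow,
# one unsigned daytime bulk transfer, and one small in-window flow.
SAMPLE = [
    Flow("ws-101", "alice", "chrome.exe", True, "RU", datetime(2024, 5, 3, 3, 10), 5_000_000),
    Flow("ws-102", "bob", "svchost.exe", True, "CN", datetime(2024, 5, 3, 2, 30), 10_000_000),
    Flow("ws-103", "carol", "update.exe", False, "FR", datetime(2024, 5, 3, 4, 45), 3_000_000),
    Flow("ws-103", "carol", "update.exe", False, "FR", datetime(2024, 5, 3, 14, 45), 3_000_000_000),
    Flow("ws-104", "dave", "tool.exe", False, "RU", datetime(2024, 5, 3, 3, 0), 100_000),
]
```

Run against `SAMPLE`, only carol's 04:45 unsigned `update.exe` connection matches the first hunt, and carol is the only user whose combined transfers exceed 2 GB.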

The Outcome of Compromise Assessment
The goal of a compromise assessment is to identify malicious activities (network connections, rogue processes, or data movement) that may not have been flagged by existing security and network technologies. A compromise assessment report should list the suspicious connections and data exfiltration, state whether there is an adversary and its probable dwell time, and lay out strategies to evict the adversaries. Reports should provide actionable threat activities, including user context, processes, network connections, data transfers, and timelines.

Penetration Test or Compromise Assessment
So which one of the two activities—penetration testing or compromise assessment—should your organization perform? My suggestion is to always do both. Whether or not your organization requires that penetration testing be conducted annually, I would suggest conducting a compromise assessment at least once annually as well in a staggered format – for example, conducting pen testing in March and then compromise assessment in September. Of course, to have a mature security program, executing these activities should complement other proactive security processes – viable security policies, procedures, and processes that help mature your organization’s security program. The best of all worlds is to deploy an endpoint threat detection and response (EDR) platform, such as ThreatResponder, with capabilities for data loss prevention (DLP) and user behavior analytics (UBA).



Disclaimer

The page's content shall be deemed as proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that the contents of this page are copyrighted by NETSECURITY CORPORATION. Any violation/misuse/unauthorized use of this content "as is" or "modified" shall be considered illegal subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).  

About Inno Eroraha
Dulles, Virginia
Inno Eroraha is the Founder & Chief Strategist of NetSecurity Corporation, a cybersecurity products and services company based in Dulles, VA. NetSecurity is the developer of ThreatResponder Platform.