Penetration Testing & Threat Intelligence: Enhancing Cybersecurity | Interview with Sasa Jusic
Dejan Kosutic:Welcome to the Secure and Simple podcast. In this podcast, we demystify cybersecurity governance, compliance with various standards and regulations, and other topics that are of interest for consultants, CISOs and other cybersecurity professionals. Hello, I'm Dejan Kosutic, the CEO at Advisera and the host of the Secure and Simple podcast. Today my guest is Sasa Jusic, and he's a board member of Infigo IS, a company based in Croatia that is focused on organizational and technical security, from planning and building information security management systems and specialized security testing to forensic analysis and response to security incidents. The company is very successful.
Dejan Kosutic:It has offices in four countries and clients on three continents, and actually already around 100 employees, which is a very, very big scale already. And Sasa himself has worked as a penetration tester, security consultant, security architect, and implementer. And he says he's equally passionate about both technical and organizational aspects of information security, because one actually cannot succeed without the other. And by the way, he's also mentioned that there are not many people who have worked on so many different security jobs. Anyway, in today's podcast we'll focus on two topics that are actually very interrelated, and these are penetration testing and cyber threat intelligence.
Dejan Kosutic:And of course these two topics are very, very important for cybersecurity. So, welcome to the show, Sasa.
Sasa Jusic:Hello, Dejan, and thank you for having me. It's a pleasure to be on this call with you.
Dejan Kosutic:Great to have you here. Yeah. So, can you please explain how these two things are related? I mean, penetration testing and threat intelligence?
Sasa Jusic:Well actually, as you mentioned initially, of course, both penetration testing and threat intelligence are quite important activities in any cyber security or information security management system. Penetration testing comes more from the offensive side. So it's the process in which you test the resilience and security of your system. There are different ways. You now have different variations.
Sasa Jusic:Penetration testing matured over the years. So initially it was like a basic penetration testing, I would say, without too much formal structure; it was just trying to hack, trying to identify vulnerabilities. But through the years now we have even more mature concepts around penetration testing, like red teaming, like threat-led penetration testing, which is very closely related to the threat intelligence that you mentioned. So I would say it's a more mature way, a more process-organized way of how you test the resilience of your system. So I would say penetration testing comes on the offensive side, where you try to engage a professional company which can simulate real-life attacks, sophisticated adversaries which can identify the vulnerabilities in your system, but also now with DORA and TLPT not just find vulnerabilities, but also test your defense capabilities, how capable you are to timely detect, prevent, contain such attacks.
Sasa Jusic:So I would say penetration testing comes on this offensive side, which today everybody needs to do, because otherwise you cannot claim or you cannot be sure that your system is resilient. While threat intelligence comes more on the, I would say, defensive side. So today of course none of the companies can afford to be blind, so you need to have detection capabilities. Many companies go for EDR systems, SIEMs, security operation centers to monitor the environment, what is happening inside. So they monitor alerts, different security events, in order to timely detect potential anomalies and attacks.
Sasa Jusic:And threat intel monitors more the outside of your organization. It helps you to identify threats not at the moment they are happening inside your environment, but maybe at the moment they start the planning phase, or somebody else is planning some kind of malicious activity on your network. So it's around your defensive system, where you try to see what is happening outside of your organization, who is planning the attacks, what is happening regarding your domain names, regarding your identities, regarding your brand. Is somebody trying to abuse that to plan certain malicious activities?
Sasa Jusic:So I would say they fit together, one with another. It's always good to have a combination of both, with pen testing being more on the offensive side and threat intel being more on the defensive side. And maybe, since you mentioned it initially as well, and we discussed DORA when preparing, DORA is now, I would say, a perfect example where the connection between red teaming and pen testing and threat intelligence is really made real. So DORA with TLPT basically requires companies to perform threat-led penetration tests, which means not just testing your systems in any way which is suitable for the red teamers. It's actually a test which should combine the knowledge and intelligence gathered through the threat intel process, and this information should be prepared and investigated by one team and then delivered to the other team, which then performs a sophisticated simulation based on these TTPs and the intelligence gathered, to get the maximum value for the company.
Sasa Jusic:So it's a perfect example how defense and offense can work together to bring the maximum possible value.
Dejan Kosutic:So basically, in effect, the threat intelligence informs the penetration testing on what to focus on and what to test most thoroughly, right?
Sasa Jusic:And what is important, what we have realized when you see the latest data breaches, and if we consider all this geopolitical situation, then companies and regulators became aware that basically it's not just about testing the system in any way. It's important to understand who are the adversaries which share a motivation to attack your systems. It's important to understand which techniques they use to attack your systems. Like, it's not any tool which you can download from the internet, but let's investigate who are the threat actors which attack our geographical region. Croatia has its position in the economy and politics.
Sasa Jusic:So, it's important to understand who are the threats, so you can simulate similar attacks to those ones which you can expect. And that's the value of threat intel.
Dejan Kosutic:Okay, when speaking about DORA, DORA mentions this, let's say, wider framework of digital operational resilience testing, and how is this wider framework actually different from threat-led penetration testing?
Sasa Jusic:DORA, what I like a lot about DORA, although at the beginning when DORA was published I said, come on, why do financial institutions need another regulation? I mean, they're so over-regulated already, and I had this impression, why does the EU want so much of this compliance pressure on their organizations? But when you read it more carefully, then you realize that DORA has one, I would say not a significant change, but the approach which they took is the term resilience. So the whole of DORA, when I talk to our customers, they try to fix specific domains of DORA: risk management, third parties, incident handling. I say, whatever you do around DORA, have in mind that the word resilience is behind it.
Sasa Jusic:So DORA says that it's not just a matter of testing your systems against cyber attacks, it's any failure, any anomaly in your ICT. It can be a technical failure, it can be inadequate planning of capacities, it can be a single point of failure in terms of technical capabilities and the technical landscape. So DORA connected the world of IT operations, I would say, which have their own risks. The systems can fail because of different reasons. One is IT problems, one is security problems, and DORA bundled this in one concept.
Sasa Jusic:And regarding threat intelligence, DORA does not mention that much threat intelligence itself. It focuses more on concepts which you need to fulfill. The only way, the only part where they specifically mention threat intelligence is part of resilience testing and this is where threat led penetration testing comes, which requires you actually to use threat intelligence as a planning stage, specifically for the reason to really test your resilience against sophisticated, carefully planned, highly motivated cyber attack, if I understood the question.
Dejan Kosutic:Okay. And when we speak about penetration testing, what types of testing are normally performed? And are any of these, let's say, types of testing actually mandatory according to DORA or some other regulations?
Sasa Jusic:As I mentioned initially, pen testing through the years developed a lot. I remember Infigo started doing pen tests twenty years ago, and we celebrated our twentieth anniversary, and the first projects in Infigo, most of them were actually pen testing. And at that time there was not much structure. We knew what penetration testing is, we knew you need to identify vulnerabilities, we tried to do the best possible reporting, but it was basically you got the scope of the engagement and you're starting your reconnaissance activities, identification of vulnerabilities. With time it got, I would say, more mature: the way you report, the way you communicate, the methodologies that you use.
Sasa Jusic:So today we have, besides common penetration tests, red teaming, which became very popular. So, the difference between pen test and red teaming. In a pen test you don't try very much to be hidden in the network, you just test. You go for finding the vulnerabilities. And in red teaming you get a very specific target, like a capture-the-flag concept, where you are engaged to reach a specific target, to enter into very specific high-value targets, to maybe exfiltrate some very specific data.
Sasa Jusic:So red teaming is already one, I would say, slightly modified version of a penetration test. There you need to be less noisy, you cannot do whatever you want. You need to carefully plan your activities to avoid detection mechanisms, to avoid EDR systems and things like that. And finally, for example, we have TLPT now with DORA, but you also have lighter versions. You have vulnerability scanning, you have... so I would say the whole concept got more mature with time.
Sasa Jusic:How you score vulnerabilities, how you... But basically the main goal is the same. You try to find as many vulnerabilities as possible, and this is the case where the competence of the company doing it becomes really important.
Dejan Kosutic:Okay. And basically, how to prepare for a successful penetration testing? What are the kind of key ingredients to make it successful?
Sasa Jusic:Yeah, very often companies just think you hire a pen tester, they start, they finish in two days, it's finished, which is not the case unfortunately. So I would say that definitely preparation is quite important. So I would say scoping is the first parameter which must be clear. So you asked previously what kinds of pen test you have. Also, not just in terms of scope but how you do it.
Sasa Jusic:You have the no-previous-knowledge pen test, the so-called black box testing; you have pen testing where you get a certain level of privileges initially and then you try to escalate, that's lateral movement and things like that. But for preparation, I think for scoping you need to carefully understand what is the scope of your test, because companies have a tendency to pick very critical systems, crown jewels, for pen testing. And maybe they're not aware that the hacker can use some supporting, maybe much less valuable component to enter your system. So I think planning of scoping through time is really important. In a certain period of time you want to test all possible entry vectors for your company.
Sasa Jusic:I think that, in terms of engagement, in terms of permission to attack, what is allowed, what is not allowed. Like, I saw cases where pen testers identified some vulnerability and then exfiltrated data from the company, which is not really what the customer maybe expected them to do. So I think it's really important to define the proper scope, to have escalation points if something goes wrong. It has its own risk, especially the more sophisticated tests, red teamings and TLPTs. So I think escalation points, all the formal agreements like permissions, terms and conditions, this is everything which is actually really important if you want to have a successful pen test.
Sasa Jusic:And at the end I would say reporting. Pen testing is not just about hacking and identifying one vulnerability after another. This is the cool part of pen testing. But the real value of pen testing actually lies in the report. And you know, hackers and ethical hackers, how to say, pen testers, usually don't like reporting that much.
Sasa Jusic:They enjoy much more the part where they... I think that the professional companies, decent providers, really pay a lot of attention, should pay a lot of attention, to the reporting phase.
Dejan Kosutic:Yeah. And in the reporting how do you actually translate these findings which are of course technical, into something that the business part of the company can understand?
Sasa Jusic:That's a very good question, because it's not easy. Sometimes you have quite technical findings which are dependent on each other, so it's not easy to explain. And that's why we usually provide two reports for the customers. One is the detailed report, where you explain everything step by step, reproducing the results identified. You explain everything which needs to be done for the vulnerability to be mitigated. But then you have, I would say, a summary, which provides this information in a more summarized way.
Sasa Jusic:So, you know, so that the management can understand. Because at the end, the management is the one holding the budgets. They should understand the real risk. So I saw many times that technical people have problems with how to explain the risk identified during the test in more business terms, to speak the same language. So I think that part of talking to executives is really important, to explain to them what it means in real life.
Sasa Jusic:So I would say that that's really important part. But we try to document both. The technical aspects for technical people because they can learn out of it. Penetration test is a great way to learn how the system should be protected and then for executives more fancy charts which they would understand and to interpret this in more business language.
Dejan Kosutic:And can you give me one example? I mean, how do you normally explain some, let's say, technical, complicated technical thing for a business person to understand?
Sasa Jusic:Yeah, this is something we also needed some years to learn. I think to the management the most important part is to talk about impact, about business impact. For example, what somebody would be interested in: how easy is it to exploit the vulnerability? Can it be done by somebody from the street, or by some very sophisticated, motivated attacker like APT groups or something like that? How efficient are your control mechanisms?
Sasa Jusic:So they want to know, can we block this? Can we detect this? Or something like that. And at the end they need to understand the final impact. I remember in one stage of our pen test development we decided to make videos of exploitation steps for the management to understand how this happens in real life.
Sasa Jusic:Because when you write that you can export your data, it's a completely different story when you show somebody data leaving the company in a real-time video. So these are the examples which you might use to explain, to demonstrate, to visualize, so then it gets better.
Dejan Kosutic:Okay. Makes sense. Yeah, makes sense. And what is really the best way for companies to act upon this kind of report? Right?
Dejan Kosutic:Because reporting is one thing and really changing things is a very different thing. So what do you see as the most important, let's say, way to move this into action?
Sasa Jusic:It's a well-known thing, you know, pen testing without follow-up doesn't make sense. So the most important part is actually to react upon these findings. So prioritization, to understand the risks and to prioritize the actions. And of course we very often offer our customers follow-up testing. It's a process where, after the penetration test is done, we provide advisory services, we help them to remediate findings, and then we usually agree on follow-up testing where we validate what they have done.
Sasa Jusic:And of course this is the responsibility of the client at the end. How prepared they are, how many resources they are planning to invest in order to fix these vulnerabilities is their decision. We saw many companies which opened the penetration testing report six months after they received it, because we know there was a password on it, and then we realized, because they're asking for the password again, how to open the document. Okay, to be honest, that's not that frequent anymore. Really, companies pay attention to this, but I would say it's a lot about management and how they understand the real risks.
Sasa Jusic:So they need to provide resources, they need to provide support for the team. Okay, focus now on this. This is really important for the company. Please resolve this. And then you can track on this and see the progress and how the remediation goes.
Dejan Kosutic:Okay, great. And you mentioned DORA lots of times, but what about ISO 27001? What about NIS 2? So how is penetration testing actually relevant for these two frameworks?
Sasa Jusic:I mean, penetration testing is basically a control which is mentioned in almost every framework. Like ISO mentions security testing, NIS2 mentions security. It's just that there is no cyber security or information security governance without such techniques. So they all mention it. I would say ISO is well known.
Sasa Jusic:You did a lot of ISO compliance projects. You know a lot about ISO, your activities regarding ISO. But in ISO, what they see as a problem, ISO leaves you lots of space with this risk acceptance. So ISO will not be very strict on you if you don't perform something. They give you an option, okay, you didn't test something, so if you accepted the risk it will not be a huge issue regarding that.
Sasa Jusic:So ISO, I would say, has a softer approach to this. They will suggest the control, but you have the possibility to decide what you will test and how. NIS2 and DORA now have a different, how to say, impact on the company. It's laws and regulations, so it's not an option anymore. So both NIS2 and DORA require you to do a penetration test.
Sasa Jusic:They don't force you, I mean they don't force you to always do a penetration test on the full scope. DORA mentions this concept of proportionality, which means you should understand your size, threat landscape, exposure, and you can plan your test activities based on that. So it's not the same if you're a huge bank or a micro company, there are different requirements. So they give you some space to plan and to do it according to your needs. But basically, it's a mandatory or recommended or standard control in any of these frameworks.
Sasa Jusic:NIS2, DORA, ISO, NIST cybersecurity frameworks: pen testing is basically, I would say, not always mandatory, but a really, really important control and recommended to everybody.
Dejan Kosutic:Okay, great. Now, let's switch gears a little bit to threat intelligence. So, what does actually threat intelligence normally involve? What kind of activities, what kind of reports?
Sasa Jusic:Threat intelligence is a little bit, how to say, more intangible in terms of what you're doing, and that's why sometimes it's difficult to explain to the customer the return on investment on such services. But what is threat intel in general? So the idea is, as I mentioned initially in our introduction, with defensive mechanisms companies usually focus on how to defend their environment, how to defend their systems; they implement SIEM solutions, they implement EDR solutions inside the company. So they have full visibility of what is happening inside, if properly implemented. So if everything is fine, they will see alarms, anomalies, any kind of potential.
Sasa Jusic:What they don't see is what is happening about them outside of the company. You know, if somebody brought up a phishing site which plans to mimic their brand, colors and everything to steal credentials. If somebody registered a domain which is very similar to the domain name of the customer and they plan to do some, I don't know, business email compromise, if they plan to do some phishing attacks, frauds, whatever. You don't see, for example, some, I don't know, due to the geopolitical situation, you don't see if some political move or decision in Croatia affected potential threat actors to plan activities against Croatian companies in general. So they may be affected without even being aware of that.
Sasa Jusic:So threat intel should be, I would say, a great add-on to your defensive capabilities, so you can understand better what is happening outside, so you improve your measures inside. And threat intel reporting is, I would say, maybe a little bit easier. You want to provide real findings which must be actionable. Something besides just investigating the dark web, Telegram channels or those kinds of repositories on the internet; threat intel should provide, I mean, as pen testing does as well, actionable steps on what to do to improve your defense capabilities. So this is the basic idea around threat intelligence.
Dejan Kosutic:Okay, you mentioned a couple of tools for, let's say, basically finding vulnerabilities and other things internally, but what about tools for actually finding all these potential threats from the outside? So are there, let's say, normally some tools to actually analyze these situations?
Sasa Jusic:Of course, I mean, cybersecurity at the end is always about some tool at the end. I mean, doing things manually doesn't make sense, I would say, in today's world of huge amounts of data and events happening on a daily basis. So you have lots of tools. I would say there is always overlap between which tool covers what kind of information. So I discussed internally with our team how you find the best, because every source of data costs certain resources, either money or people to go through these resources.
Sasa Jusic:We need to find the right balance of the sources which are relevant for you. So this is why some of the most popular, not to mention the names now, but the most popular platforms which you can purchase today, they offer support for different languages, for dark web crawling, for different Telegram channels, for different, I don't know, data available on the internet, which they can gather into one centralized platform, and you can use them for the purposes that you need. What is the challenge here? I always say, sometimes less is more. You get a huge amount of data from all possible sources on the Internet.
Sasa Jusic:Then you have a problem of the resources required to go through all this data, and somebody needs to get something actionable. So I would say that for threat intel teams, it's really one of the challenges to identify the most important data for them, which is relevant for your organization, which is relevant for you, so you can get the real insight. If you have too much, then that might also be a challenge sometimes. But tools are a very important part of threat intel.
Dejan Kosutic:And what is really the best way to interpret all of these results? I mean, do you need, let's say, skilled people to interpret all of these results or what is the best way to approach it?
Sasa Jusic:I mean, some kind of, I would say, concept and thinking around that: tools can provide some capability, but at the end, no matter AI, no matter what, at least for this moment, you need capable experts to do something with this data, especially for threat intel. I learned a lot from our internal people, who are amazing people with experience in this intelligence world. So it's not easy to gather everything and to get real intelligence data. You need to understand the context of the organization. You need to understand.
Sasa Jusic:So I would say behind a successful defense it's always that behind a security tool you have a successful, skillful, experienced professional who can use this data and do something actionable on top of that. It doesn't always need to be some principal or senior. You can leverage and use less experienced people, but there needs to be somebody who can manage this team, who understands exactly the goals, objectives and everything, so that you can actually act upon this data and get the real intelligence, which you can then communicate to all the key stakeholders in the company.
Dejan Kosutic:Okay, and once you interpret these results from threat intelligence, what is really the best way to incorporate these lessons into your cybersecurity governance?
Sasa Jusic:That's a really good question. I mean, they usually say that threat intel can go in different layers or, how to say, like a pyramid from tactical, from strategic to operational threat intelligence. Operational threat intelligence can be very simple: you just embed in your security solution some threat feeds like IOCs, IP addresses, hashes of the processes. So you just, let's say, improve your detections, improve your blocking capabilities by using this operational data, while on the higher levels you need to see what is happening around your organization. What are the events, political events, business events, technological events, which can impact your organization, and then you need to decide how you can improve.
Sasa Jusic:Whether you need to change something in your concepts and strategies of defense, whether you need to make some changes towards your third parties, whether you need to maybe change the concept and architecture of some solutions. So it's on you at the end to understand how to modify your internal capabilities, fine-tune your protections in a way to be more efficient, and to use this. I don't know, if you have some credentials which leaked out, you want to understand how they leaked out, why they leaked out, how they were shared. So it's not just blocking one account and preventing it from being abused; you want to understand what happened around it, so that you prevent the same thing in the future. So it's more, I would say, more complex in terms of really understanding and using this data on how to improve your internal mechanisms.
Dejan Kosutic:If I understood well, then this is not only the job of, let's say, security officers, it's also of course on IT teams, but I don't know purchasing teams, anyone that deals with third parties, maybe even marketing teams, top level management. It seems to me that all of them actually need to be involved once this kind of intelligence comes through.
Sasa Jusic:I mean, as it's usually said, security is the responsibility of everyone, and I think that when only the security officer takes care of security, it is not really the best possible way. You need support from the upper management, but IT definitely, you need to have good collaboration with IT. I once said that what I have noticed is that when you assess companies' maturity and their success, it turns out that for successful companies in terms of cyber, I'm talking now not in terms of business, there could really be a correlation between how good the cooperation between IT and security is and what the final outcome of your maturity and capabilities and everything is. Companies which have better cooperation between IT and security, which don't change people that frequently in these positions, from my perspective they are more efficient. They learn how to do things.
Sasa Jusic:They learn how to speak the same language. So I could find some correlations here. Today you have risk departments. DORA, for example, requires ICT risk managers, so you need to involve that person as well. I mean, it's critical to understand.
Sasa Jusic:So I would say that of course it's always about collaboration. Nobody can fix everything, because security itself cannot fix everything. They can initiate, they can follow up on that, they can suggest, they can also solve some things, but they need a team around them.
Dejan Kosutic:Yep, definitely. And what are some, I would say, main misconceptions or simply wrong thoughts about threat intelligence? You know, some people think that this is only for larger enterprises, but what do you usually see as the main myths about threat intelligence?
Sasa Jusic:First of all, what I see is lots of companies see threat intelligence as sharing IOCs, like, you know, let's jump in and let's connect with some threat feed and that's it. So really, I think it's the maturity of the industry in general. Very few companies understand, because intelligence is coming more from the military side. And people who worked in the military, in secret services, they understand what intelligence is, because every government has it. So it's a really specific topic.
Sasa Jusic:And the other problem, I would say, very few companies see the benefit of threat intel. They cannot see some tangible equipment, they cannot see something tangible, because you will not have every day or every month some great findings which you need to react upon. Because if that were the case, you would be in huge problems. So threat intel is something which you need to do continuously, so that once something happens you can react. So companies are maybe not willing to pay continuously for something where they don't see the real outcome immediately.
Sasa Jusic:And that is something which I see as a big challenge on the investment side, like the CFOs and the people who hold the bag with the money, that it's more and more challenging.
Dejan Kosutic:Okay, but how do they actually present? If you were a security officer, how would you present this kind of potential investment to the CFO or to the board?
Sasa Jusic:That's also a very interesting question for threat intel. Actually, I would say it's very much about, at the end, how much trust the CEO or CFO has in their security experts. If they see with time that they are investing in a good way, that their company is growing, that you can demonstrate your capabilities, maturity levels, then I think it's a lot about this relationship. And people often explain this as insurance. We had cases where we detected data breaches which happened inside a company, they were not even our customers, which were available on the dark web.
Sasa Jusic:The information was going around about how to continue attacks on this company, and then you have to explain to the management, look, this is something like insurance, we need to do it. I mean, if we don't do it, then some risk is remaining, so we will be blind on certain topics, on certain events. So I would say that it's a lot about explaining the risk of it not being implemented. What are the possible outcomes? And I would say long-term trust and relationship with the management.
Sasa Jusic:At the end, the language you need to speak must be business, and they need to trust you from previous projects that you're investing in a reasonable way, not just spending money because it's a trend currently.
Dejan Kosutic:Yep, yep, definitely. Okay, let's speak a little bit about consultants. I mean, consultants that are in this cybersecurity area. So what do you see as the biggest opportunities for, let's say, independent consultants in terms of penetration testing or threat intelligence?
Sasa Jusic:Yeah, usually consultancy was not like that; even in our company it was always separate teams. We had certain collaborations, we collaborate to exchange and to share knowledge, but consultancy services being delivered as part of pen testing were not that common. What I see, for example with DORA, is that it would be more comprehensive and there would be more requirements for consultancy services as well, because if you take the TIBER framework, which is very closely related to DORA, they say that, I don't know, a threat-led penetration test should have a planning stage of around six to eight weeks, maybe even more; it depends which country adopted TIBER, it depends now on the country, on the framework, but there needs to be some time for that. Then you have the threat intelligence phase, which also lasts from six to ten weeks depending on the adoption of TIBER. Then you have the pen test, for example, for twelve weeks, something like that.
Sasa Jusic:So at the end this lasts for six to eight months maybe. It depends on how you agreed with the regulator. And this test needs to be managed. It's not just that you start the test and you finish. So it needs to have a planning stage, scoping, evaluation of documents, communication to the proper teams.
Sasa Jusic:Things like confidentiality agreements need to be taken care of. I see here maybe a role where consultants might help to provide a formal framework around the test itself.
Dejan Kosutic:Yeah. Because, I mean, especially DORA, it's quite a complex framework with all this digital operational resilience testing and different types of testing, and, as you were saying, with all of these phases. And so this is a growing market, and I can see that some consultants will certainly see there are good markets for them as well.
Sasa Jusic:I know, I mean, from my perspective, cyber is now at the peak of its, how to say, intensity, like NIS2, DORA, the geopolitical situation, the number of threats and incidents around. We see it in the company; I remember when we started, very few companies had security projects. Today demand is huge. The number of companies is really growing basically on a monthly basis. So I think there's a huge space for consultancy.
Sasa Jusic:You can easily, I mean easily, it's not easily, but you can purchase technology if you have budgets. But people who will make this work in a structured way, with processes around roles and responsibilities, who does what, training of people. And now many industries have joined these two which never had much focus on security. So I would say there is really lots of space for decent and smart consulting. This is a golden era, I would say; we are at the peak of this direction.
Dejan Kosutic:Absolutely. And what would you recommend to consultants if they want to work with companies that provide penetration testing services? How should these consultants actually approach these kinds of companies, and what would be the best model to work together?
Sasa Jusic:It needs to be some kind of win-win combination. I think that, as I said, as penetration tests grow in maturity and expectations, and all this formal framework around penetration testing, consultants can provide formal guidance and policies around that: trying to manage the whole process of the penetration test, helping customers to manage the remediation phase of the pen test, to follow up on the findings, to communicate, to be, I would say, a middleman between IT security and the management, maybe to explain and to follow up and to ensure that the company at the end fixes everything that was identified. So I see consultancy here as a potential space. And how to approach? I would say it's a matter of whether you have a win-win business option. Purely technical companies which don't have this formal background or consultancy background would definitely benefit from such cooperation, but at the end it's always a matter of whether you have a customer which is willing to pay for that.
Sasa Jusic:So it needs to be discussed between companies whether there is some potential which would bring benefits for both sides. That's the only way the business can succeed.
Dejan Kosutic:Great. So let's wrap up the discussion today and what would be your, let's say, key recommendations to security officers that need to perform penetration or, let's say, use penetration testing and do CTI, so threat intelligence. So what would be your top recommendations to such security officers?
Sasa Jusic:Usually I say to almost all of our customers: whatever you do, don't just make it a formal activity or checkbox exercise. Try really to get the maximum out of this activity, because if you plan a budget, if you've got some budget, try to get the maximum out of it. Sometimes it's not easy, sometimes you cannot get the full support from everybody, but really try to find a decent partner which can help you to do this properly. Don't just buy the cheapest and fastest way with some automagical AI solution which will do everything for you. Try to have experts who can guide you, lead you from the beginning to the end, maybe even from both a consultancy point of view and a technical point of view, so that you get the real outcome of the test, and please follow up on your results.
Sasa Jusic:It sounds amazingly simple and straightforward, but I know how the world works. You finish one project, then the other one comes, and you get the checkbox on the pen test, and then who knows when there will be time for remediation. So I would say, in terms of pen testing, definitely, and maybe don't just jump to the most sophisticated tests immediately if you've never done any security exercise. We sometimes get questions from companies which never did even a vulnerability scan, and they want to do red teaming. It doesn't make sense.
Sasa Jusic:We will gain access to the company in maybe two days. We will identify one path which you can use to enter the company, but there are maybe dozens of such paths and entry points. So do the basic hygiene first, do some basic patch management, security hardening, basic vulnerability scanning, and then go for the more sophisticated tests. In terms of threat intel, I would say it's also part of maturity. Try maybe first with building basic defensive capabilities like EDR systems; have visibility of what is happening inside your organization first.
Sasa Jusic:Without that, threat intel, I would say, makes sense, but maybe it's not the right moment for that. So build first internally your capabilities to see what is happening inside your organization, to react upon alarms, to have playbooks, to have partners which can support your activities, and then on top of that go with threat intelligence as a cherry on top, which will give you visibility also from outside of the network, so you can have the whole picture and build the full defensive system in the company. And, as I always say, use your budgets wisely. Budget is never infinite, so don't just buy because it's trendy, don't just buy because your friend bought it as well in the other company. Still try to do a risk assessment, although we sometimes, and very often, underestimate the risk assessment.
Sasa Jusic:It's usually a formal exercise with some colors and everything, but really try to understand what are the risks and try to fix them with the budgets that you have available.
Dejan Kosutic:Great, thank you for this insight, Sasa. I really learned a lot today.
Sasa Jusic:Thank you, Dejan. It was a pleasure to talk to you.
Dejan Kosutic:Thanks again, Sasa. And thanks everyone for listening or watching this podcast, and see you again in two weeks' time in our next episode of the Secure and Simple podcast.
Sasa Jusic:Thank you and have a nice day.
Dejan Kosutic:Thanks for making it this far in today's episode of the Secure and Simple podcast. Here's some useful info for consultants and other professionals who do cybersecurity governance and compliance for a living. On the Advisera website, you can check out various tools that can help your business. For example, Conformio software enables you to streamline and scale ISO 27001 implementation and maintenance for your clients.
Dejan Kosutic:White label documentation toolkits for NIS2, DORA, ISO 27001 and other ISO standards enable you to create all the required documents for your clients. Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks enable you to show your expertise to potential clients. And a learning management system called Company Training Academy, with numerous videos for NIS2, DORA, ISO 27001 and other frameworks, enables you to organize training and awareness programs for your clients' workforce. Check out the links in the description below for more information. If you like this podcast, please give it a thumbs up; it helps us with better ranking, and I would also appreciate it if you share it with your colleagues.
Dejan Kosutic:That's it for today, stay safe!
