If you are not familiar with NetSPI we should start there. I have to be honest, before I received the email asking if I wanted to meet with them, they were not a company I was familiar with. However, after some research I was certainly intrigued with what I saw. I have written, talked, and even ranted about how cybersecurity needs to change their methodology. This is especially true when it comes to testing an environment. All too often a “pen test” is little more than a vulnerability scan. Know vulnerabilities come back and someone works to get a shell on a system. If a shell is established, it is documented, and a report is generated. Wash, Rinse, Repeat. The company requesting the pen test, checks the box and everyone is happy, especially attackers.
The challenge lies in the value gained from these tests. Having read a number of these tests, there is limited value in terms of understanding why these should be concerning. Many times, it is one of “oh noes! The pent tester was able to get a shell and dump AD! Ok thanks, see you next year.” The test is done, the checkbox, checked and things go back to normal. The next pen test usually uncovers the same vulnerabilities etc.. You can see how this type of testing methodology and reception does nothing to improve cybersecurity.
So how is NetSPI different? For one thing they not only perform the test, but also provide visibility all the way through the test and into remediation completion. They are not just telling you that you are “vulnerable” they are taking you along on the journey from identification of the exposure through the attack path and then to removing that opening from attackers. This is a much more visual method that creates a better understanding of “why this is important and how do I fix it?” which is missing in far too many testing work products.
To accomplish this, you need a different type of interaction with the client. I have worked with some amazing pen testers in my career. Some of them love the work so much that they want to be part of the conversation about how they were able to get in. I have also worked with some that would rather sit in their space and just get shells. You need the former to build trust in the process and illustrate how the attack path applies to the client you are working with. If there is no context there is no understanding of why all of this matters. NetSPI brings this into their offering along with a platform that gives the client visibility into the engagement. If you want to get someone to understand a thing, you take them along with you on the journey.
NetSPI also maintains an open framework, meaning that their clients can see how things work. This also leads to greater trust in the product since it is open to review and input. When you combine this with the right subject matter experts and allow your product to be informed by a combination of client needs, technical expertise (subject matter experts) and the problem you are solving for, you can build something that trend towards unique in the market.
I have said it before, and I will say it again. The industry needs to change, and it must change at a core level. The routine of pen testing, check the box, write a risk statement, file an attestation letter etc. will not longer work in the modern threat landscape. A good place to start is with education and making existing offensive security products more understandable in terms of risk and exposure. NetSPI seems to be moving things in that direction with their service offerings. They do not just want to test and send over a report. They want to take you on the journey with them, show you the exposure you have and then explain its importance to you (and your organization). From there they have the value add of taking you through the remediation journey so that you can take away a potential attack vector. All of this is wrapped into NetSPI’s definition of offensive security, they leverage realistic attack patterns, with context-based explanation of exposure, and real remediation paths to improve overall security. This is backed up with hiring the right people to ensure a good work product. Sounds a bit like a win/win to me.