So you’ve been pentested. Congrats! It might not feel like it, but this will eventually leave you more confident about your security, not less. The real question is – why might it not feel like it? Pentest findings can be broken down many ways, of course – the obvious one being by severity – but I would like to propose another category: information value, or, to use a more straightforward term, surprise.
When you first read your pentest report, there’s a good chance there will be things on there you didn’t expect – vulnerabilities or misconfigurations that you had no idea were such a problem, or even existed at all. This is surprising, and your brain doesn’t always like surprise – but in this case, surprise is good. Surprise is the process of, as Rumsfeld would say, turning unknowns into knowns.
There are still different amounts of surprise, though, and the information value I’m proposing can also be understood as which box of the Rumsfeld Matrix a finding lived in before the report told you about it.
The first option is that you already had some sense of these vulnerabilities. Say, for instance, that you had an externally facing box that you had never scanned, but suspected might be insecure. Finding vulnerabilities on this box moves it from a “known unknown” to a “known known.” This is useful! But – it’s still something you likely could have done on your own, with a vulnerability scanner or the like, since you knew where to look. A known unknown is not usually very surprising when it becomes a known known.
On the other hand, there are the really surprising findings – the ones you didn’t expect to crop up. This, I think, is where the real value of a pentest comes from. Getting a report back that says “all of your Windows XP boxes are unsupported” is probably not terribly useful to you, because it’s no surprise to learn that XP is unsupported (at least, I hope not) and there’s likely some business reason those machines are still up. The report can be useful when briefing management to try to convince them to finally get rid of the XP machines, but that value is generally limited. By contrast, a report that says “we were able to pivot using RDP to a box you didn’t know existed, then elevate from there to domain administrator using mimikatz” might be a genuine shock – and therefore, extremely valuable!
This isn’t to say that only extremely complex findings live as unknown unknowns – it all depends on what the blue team knows going into the test. For some companies, finding out that their boxes are vulnerable because they’re unpatched might be fairly surprising, while others might have their network so well locked down that only extremely advanced techniques come as a surprise. This is OK! Every company is in a different place, and wherever you start, as long as the test moves things into the known knowns box, it reduces your risk at the end of the day.
When you’re thinking about getting a test, or evaluating the results, spend a minute or two thinking about what you know that you don’t know, and how to find out what you don’t know you don’t know with the help of the pentest. Giving your testers a narrow scope is well and good for avoiding surprise, but – even though it’s unpleasant – maybe surprise isn’t so bad after all.