Can You Rely on MDR For Penetration Testing?

Penetration testing (pentesting) simulates an attack directed at a specific target. The goal is to help an organization identify exploitable security weaknesses and vulnerabilities and provide recommendations for remediation. It is a proactive approach to security that initiates remediation efforts before waiting for an attack to occur.

Penetration testing simulates attacks in a controlled manner to help achieve specific objectives. It can help test various security aspects, including:

• Assess the procedures, teamwork, and readiness of internal security personnel.
• Check the coordination between outsourced security and in-house staff.
• Look for vulnerabilities and security gaps.
• Validate the defenses of various security tools.
• Determine the viability of incident response processes.

A penetration test typically covers two main aspects—finding and helping remediate security issues and ensuring security personnel and their tools are prepared for attacks. Here are the three main types of penetration testing:

• Internal penetration test—a simulated attack initiated from inside the network.
• External penetration test—a simulated attack initiated outside the perimeter.
• Physical penetration test—a simulated attack initiated that uses various techniques, such as social engineering, to gain physical access to the target.

What is Managed Detection and Response (MDR)?

Managed detection and response (MDR) services offer 24/7 threat monitoring, detection, and response. Typically, MDR services leverage a combination of expert security personnel with advanced technologies, such as threat intelligence and advanced analytics. 

MDR involves deploying the service provider’s technology at the organization’s host and network layers. It enables the service to achieve continuous monitoring and provide lightweight remote incident response and investigation services, such as:

• Incident validation
• Threat containment
• Restoring the environment to a “known good” configuration

Do MDR Services have Penetrating Testing Capabilities?

MDR services give customers the remotely delivered functions of the modern security operations center (MSOC). Basic capabilities of MDR services include:

• Technology stack—an integrated set of technologies owned and managed by the provider enables real-time threat monitoring, detection, investigation, and active response. The technology stack typically uses APIs to integrate with an organization’s internal systems.
• Staff—using skills and expertise in threat monitoring, hunting, detection, threat intelligence (TI), and incident response, the MDR’s security staff engages daily with customer data.
• Processes and detection—standard playbooks of workflows, procedures, and analytics that are predefined, pre-tuned processes for attack detection and mitigation.
• Remote response mitigation—beyond alerting and notification, MDR service providers offer remote response mitigation, investigation, and containment capabilities.

In addition, many MDRs offer value added services including:

• Security operations—functions like exposure management, digital forensics and incident response (DFIR). Typically new clients begin with threat detection and response capabilities and then expand provider services to improve other areas of security operations (SecOps).
• Exposure management—MDRs can prevent attacks by limiting the exposures in the customer’s environment, user accounts, and cloud applications. They can prepare processes, incident playbooks, and quick responses that follow specific compliance requirements.
• Cloud infrastructure and platform monitoring—MDRs can monitor complex hybrid cloud infrastructure and platform services, including the ability to monitor Software as a Service (SaaS) applications like Microsoft 365, Google Workspace, Workday, Salesforce, and Box.
• Testing and simulating—customers can use breach and attack simulation (BAS) and penetration testing as a service (PTaaS) as a proactive approach to testing and validating threat scenarios. Some MDR providers offer continuous penetration testing, which approach differs from traditional one-time or annual pentesting.
• Sharing data with in-house teams—multisource data investigation tools enable internal security staff to use the data collected by the service provider to do custom searches and carry out threat hunting.

Using MDR for Continuous Penetration Testing

Depending on your MDR provider, you may be able to get continuous penetration testing for your systems and applications as part of your service model. MDR providers typically provide three types of security testing services:

• Vulnerability assessment—systematically scanning and testing both internal and public-facing systems for vulnerabilities and misconfigurations. The vendor can provide a report showing unpatched software systems and providing specific remediation instructions.
• Automated penetration testing—leveraging automated tools to scan websites or applications, identify vulnerabilities, automatically attempt to exploit them and report on findings.
• Penetration testing—manual penetration testers who perform reconnaissance on your systems, identify viable attack vectors, and execute an attack to identify how real attackers can exploit your systems.

All three types of tests end with a detailed report that lists vulnerabilities and specific recommendations you can use to remediate your systems. In some cases, these penetration tests can also help you meet compliance requirements.

Conclusion

In this article, I explained the basics of penetration testing and MDR services, and explored value added services offered by MDR providers. In particular, I covered several ways MDR providers offer security testing—including vulnerability assessments, automated pentesting, and manual pentesting. 

I hope this will be useful as you evaluate the use of outsourced security services to complement your organization’s existing defensive measures.