2019-11-07

One of the most frequent questions my team and I get asked is: “Can you help us build a test plan?” In fact, 59% of security practitioners cite a “lack of systematic approach to defining testing (e.g., lack of testing plan) as one of the top barriers to assessing control effectiveness,” according to a recent SANS Institute poll.

Since testing the effectiveness of your controls is imperative to knowing your true security posture and assessing your preparedness for a cyber-attack, we have set out below a few high-level guidelines to help you get started with building your own cybersecurity testing plan.

Step One: Select Your Approach

With so much to test against, it can be overwhelming to know where to start. The important thing is to start somewhere, and then continue with your approach until you’ve covered all your bases. Here are five methodologies to choose from:

Attack vectors: From pre-exploitation (attack delivery via email, web or app), through exploitation (system compromise), to post-exploitation (e.g. lateral movement and data exfiltration), challenging the defenses deployed at each stage of the cyber kill chain ensures you can defend against sophisticated cyber-attacks, such as advanced persistent threats (APTs).

MITRE ATT&CK™ framework: By methodically challenging your current security controls with over 290 techniques mapped to the enterprise ATT&CK matrix, you can ensure you have covered all the basics.

Threat types: If your top concern is defending against ransomware, spear-phishing, Trojans, cryptominers or cryptostealers, then challenging your defenses with simulations of these threats can help alleviate your topmost concerns.

In the wild: Can your controls detect the very latest threats currently disseminated in the wild? By challenging them with the Indicators of Compromise (IoCs) and techniques of the newest strains, you can ascertain your organization’s defensibility. Note that this approach can safely be utilized alongside the others, as it specifically covers the newest strains.

APT groups: State-sponsored cybercrime groups are known to target specific industries and specific countries. By mimicking the tactics, techniques and procedures (TTPs) distilled from these groups’ attacks, you can start addressing any geopolitical concerns.
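Whichever approach you pick, the plan only helps if you record what was tested and what got through. As an added example (not code from the original post), here is a small Python tracker that files each simulation result under its kill-chain phase, ATT&CK technique and threat type, then reports untested phases, missed techniques and overall control effectiveness; the technique IDs and results are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

# Kill-chain phases the post describes, in attack order.
PHASES = ("pre-exploitation", "exploitation", "post-exploitation")


@dataclass(frozen=True)
class TestCase:
    technique: str  # ATT&CK technique ID (sample values below are assumed, not from the post)
    phase: str      # kill-chain phase the simulation exercises
    threat: str     # threat type the simulation represents
    result: str     # "prevented", "detected" or "missed"


# Constructed sample results from a hypothetical test run.
RESULTS = [
    TestCase("T1566", "pre-exploitation", "spear-phishing", "prevented"),
    TestCase("T1204", "exploitation", "trojan", "detected"),
    TestCase("T1021", "post-exploitation", "apt", "missed"),
    TestCase("T1041", "post-exploitation", "apt", "missed"),
    TestCase("T1486", "post-exploitation", "ransomware", "detected"),
]


def coverage_by(key, results):
    """Count prevented/detected/missed per value of `key` (a TestCase attribute)."""
    table = defaultdict(lambda: {"prevented": 0, "detected": 0, "missed": 0})
    for tc in results:
        table[getattr(tc, key)][tc.result] += 1
    return dict(table)


def untested_phases(results):
    """Kill-chain phases with no test at all: gaps in the plan itself, not in the controls."""
    tested = {tc.phase for tc in results}
    return [p for p in PHASES if p not in tested]


def gaps(results):
    """Techniques that got through unnoticed, the first candidates for a control fix."""
    return sorted(tc.technique for tc in results if tc.result == "missed")


def effectiveness(results):
    """Share of tests where a control either blocked or at least detected the attack."""
    if not results:
        return 0.0
    good = sum(tc.result in ("prevented", "detected") for tc in results)
    return good / len(results)
```

Running `coverage_by("phase", RESULTS)` on the sample shows the post-exploitation phase as the weak spot, which is where a defender would schedule the next round of tests.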