In the contemporary interpretation of deterrence theory, maintaining high-level resilience against cyber attacks is one of two pillars of cyber deterrence posture. Penetration testing activities constitute the technical foundation of improving overall cyber resilience posture, apart from known vulnerabilities and threats. Their results are the major asset that the other cyber defence / cyber security activities interpret (usually as threats, depending on the context) and direct their focus upon. Therefore, the credibility and success of a given actor’s cyber resilience efforts for its critical infrastructure and military systems are closely correlated with the quality level of its penetration testing.
In practice, it is tremendously difficult to cover penetration testing requirements of the whole spectrum of many military systems. It is usually not possible to conduct complete penetration tests on the systems before their production phase, nor to call any system invulnerable. Therefore, the usual practice is to perform penetration tests according to a risk-assessment plan before and regularly during the system’s life cycle while accepting the risks resulting from any missed points.
The variety of alike systems used by different entities, existing partnerships and collaboration mechanisms between actors, and the lessons from previous similar challenges, present an opportunity in this regard. The researchers at the NATO CCDCOE have found that developing an environment in which different actors share the findings and results of their own penetration testing activities with their partners to improve their overall resilience appears to be a promising attempt.
In this paper NATO CCDCOE researchers Ihsan Burak Tolga and Gunnar Faith-Ell present an overview of the current situation regarding this sharing and aims to investigate whether it is possible to benefit from sharing information about penetration testing, examining the potential gains and associated costs. The paper tracks the likely challenges and possible remedies, drawing a scope with respect to legal constraints, and will suggest some draft standards as the first step towards an operative penetration testing platform. The criterion of success for the platform is that its stakeholders benefit by developing robust cyber resilience postures. The final goal of the multiple-stage project is constructing an environment that contains not only the platform, but also common understanding, standards and procedures, an agreed common toolset and eventually a robust cooperation among subject-matter experts working towards a common goal. As such, this paper serves as a valuable resource for allied nations’ militaries, whose aim is to enhance their cyber resilience posture. This aim, which requires extensive resources for penetration testing activities, can benefit from a collaboration framework to reduce overlapping efforts.
This research paper is an independent product of the CCDCOE and does not represent the official policy or position of NATO or any of the CCDCOE´s Sponsoring Nations.
The NATO Cooperative Cyber Defence Centre of Excellence (NATO CCDCOE) is a NATO-accredited knowledge hub, research institution, and training and exercise facility. The Tallinn-based international military organisation focuses on interdisciplinary applied research, as well as consultations, training and exercises in the field of cyber security.