Continuous Testing for Infrastructure Methodology

1. Introduction

The Continuous Testing for Infrastructure (CTI) methodology, based on the Penetration Testing Execution Standard (PTES), is designed to provide organisations with a robust, ongoing approach to identifying and managing vulnerabilities within their IT infrastructure. Unlike traditional point-in-time assessments, CTI offers a dynamic and responsive framework that aligns with the rapid pace of modern IT environments and emerging threats.

This methodology recognises that infrastructure security is not a static goal, but a continuous process of improvement, adaptation, and vigilance. By implementing CTI, organisations can maintain a current and comprehensive view of their security posture, enabling them to make informed decisions about risk management and resource allocation.

The CTI methodology is built upon seven core components, each playing a crucial role in the continuous security lifecycle. These components are designed to work in harmony, creating a seamless flow of information and action that keeps pace with the organisation’s evolving infrastructure.

2. Preparation and Scoping

The foundation of effective continuous testing lies in thorough preparation and precise scoping. This initial phase sets the stage for all subsequent activities and is critical to the success of the CTI program.

In this phase, organisations will establish a comprehensive inventory of their infrastructure assets, clearly define the boundaries of testing, and configure the necessary tools and systems. This is also the time to establish baselines and set thresholds that will guide future assessments and alerts.

Proper preparation ensures that the continuous testing efforts are focused, efficient, and aligned with the organisation’s specific needs and risk profile. It also helps in managing resources effectively and avoiding potential disruptions to critical systems.

2.1. Legal & Administrative Setup

  • Finalise Non-Disclosure Agreements (NDAs) and the Scope of Work (SOW).
  • Confirm communication channels, reporting frequency, and escalation paths for critical vulnerabilities.

2.2. Asset Inventory

  • Maintain a comprehensive inventory of all infrastructure assets.
  • Regularly update the inventory to reflect changes in the environment.
  • Categorise assets based on criticality and sensitivity.

2.3. Scope Definition

  • Clearly define the boundaries of testing.
  • Identify target assets (web applications, external/infrastructure components, internal systems) and associated environments.
  • Identify any systems or networks that are out of scope.
  • Document any testing limitations or restrictions.
  • Specify scanning intervals, clarify internal/external coverage, and align with compliance frameworks or client specific requirements.

2.4. Tool Configuration

  • Select and configure appropriate scanning and testing tools.
  • Ensure tools are kept up to date with the latest vulnerability definitions.
  • Calibrate tools to minimise false positives and negatives.

2.5. Technical Setup & Integration

  • Deploy a customised, hardened virtual machine (VM) internally where required, potentially including client-mandated security agents (e.g., XDR solutions).
  • Integrate with client asset management or change control systems if available.

2.6. Baseline Establishment

  • Conduct initial comprehensive scans to establish a baseline.
  • Document known vulnerabilities and acceptable risks.
  • Set thresholds for alerting and escalation.

3. Automated Continuous Scanning

At the heart of the CTI methodology is the concept of automated, ongoing scanning. This component leverages technology to maintain constant vigilance over the infrastructure, identifying vulnerabilities, changes, and potential threats as they emerge.

Automated scanning provides the raw data that feeds into the entire CTI process. It offers broad coverage and consistency that would be impossible to achieve through manual efforts alone. However, it’s important to note that automation is a tool, not a replacement for human expertise. The configuration and interpretation of these scans require skilled professionals to ensure accuracy and relevance.

3.1. Vulnerability Scanning

  • Implement regular automated vulnerability scans
  • Utilise a combination of authenticated and unauthenticated scans
  • Ensure coverage across all in-scope assets

3.2. Port and Service Enumeration

  • Regularly scan for open ports and active services
  • Identify changes in the network topology and service availability
  • Flag any newly opened ports or unexpected services for review
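The drift check described in 2.6 and 3.2 can be mechanised by diffing the latest Nmap scan against the baseline scan. The script below is an added example, not Razorthorn or Razor's Edge code: it parses two Nmap XML documents (the `-oX` output format), reports ports that opened, closed or changed service fingerprint, and queues for operator review any new service that is not on an approved list. Both scan documents, the addresses in them and the `APPROVED_SERVICES` allow-list are constructed samples, not captures from a real network.

```python
"""Detect drift between a baseline Nmap scan and the latest scan.

Added example for the baseline (2.6) and port/service enumeration (3.2)
steps; not Razorthorn code. Both documents below are constructed samples in
Nmap's -oX output format (nmap -sV -oX scan.xml <targets>), not captures
from a real network; the IP addresses are RFC 1918 placeholders.
"""
import xml.etree.ElementTree as ET

BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX baseline.xml 10.0.0.0/29">
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
</ports></host>
</nmaprun>"""

CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX current.xml 10.0.0.0/29">
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https" product="Apache httpd"/></port>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.7" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
</ports></host>
</nmaprun>"""

# Services the client has approved for exposure (hypothetical allow-list).
APPROVED_SERVICES = frozenset({"ssh", "https"})


def parse_open_ports(xml_text):
    """Map (ip, protocol, port) -> service fingerprint for every port Nmap reports open."""
    open_ports = {}
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")
            parts = [] if svc is None else [svc.get("name"), svc.get("product"), svc.get("version")]
            fingerprint = " ".join(p for p in parts if p) or "unknown"
            key = (addr.get("addr"), port.get("protocol"), int(port.get("portid")))
            open_ports[key] = fingerprint
    return open_ports


def diff_scans(baseline_xml, current_xml):
    """Return new, closed and service-changed open ports between two scans."""
    base, cur = parse_open_ports(baseline_xml), parse_open_ports(current_xml)
    return {
        "new": sorted((k, cur[k]) for k in cur if k not in base),
        "closed": sorted((k, base[k]) for k in base if k not in cur),
        "changed": sorted((k, base[k], cur[k]) for k in cur if k in base and base[k] != cur[k]),
    }


def review_queue(diff, approved=APPROVED_SERVICES):
    """Items an operator must look at: unexpected new services and any fingerprint change."""
    queue = []
    for key, fingerprint in diff["new"]:
        if fingerprint.split()[0] not in approved:  # first token is Nmap's service name
            queue.append(("new-service", key, fingerprint))
    for key, old, new in diff["changed"]:
        queue.append(("service-changed", key, f"{old} -> {new}"))
    return queue


if __name__ == "__main__":
    for item in review_queue(diff_scans(BASELINE_XML, CURRENT_XML)):
        print(*item)
```

With the samples above the queue holds the new HTTP proxy on 10.0.0.5, the MySQL port on 10.0.0.6 that went from filtered to open, the RDP service on the previously unseen host 10.0.0.7, and the web server change on 10.0.0.5:443; the new SSH service on 10.0.0.7 is on the allow-list and is not queued. Service-version changes are queued deliberately, since a swapped web server behind a known port is exactly the kind of drift a version-based vulnerability check would otherwise miss until the next full scan.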

3.3. Configuration Auditing (Optional)

  • Automate checks for secure configurations and hardening
  • Compare current configurations against established baselines
  • Identify drift from security best practices

3.4. Credential Testing (Optional)

  • If approved, periodically test for weak or default credentials
  • Implement controls to prevent account lockouts (e.g., keep attempts per account below the client's lockout threshold and spread them across the lockout observation window)
  • Rotate test credentials regularly to maintain security

4. Results Analysis and Prioritisation

The large volume of data generated by continuous scanning necessitates a structured approach to analysis and prioritisation. This component focuses on transforming raw scan data into actionable intelligence, enabling organisations to focus their efforts where they will have the greatest impact.

Effective analysis and prioritisation are key to managing the ‘noise’ often associated with vulnerability scanning. By implementing smart filtering, contextualised risk scoring, and trend analysis, organisations can cut through the clutter and focus on the issues that truly matter to their security posture.

4.1. Automated Result Processing

  • Implement systems to automatically collect and centralise scan results
  • Utilise scripts or tools to parse and categorise findings
  • Apply consistent severity ratings across different scanning tools

4.2. Vulnerability Prioritisation

  • Use CVSS base scores as the common severity scale across tools
  • Adjust priority for asset criticality (from the inventory in 2.2) and known exploitability, since a base score carries no environmental context
  • Focus on high and critical vulnerabilities for immediate attention

4.3. False Positive Reduction

  • Implement automated filters to reduce known false positives
  • Maintain a per-environment database of confirmed false positives for future reference
  • Regularly review and update false positive criteria
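The pipeline in 4.1 to 4.3 (collect, normalise severities, suppress known false positives, prioritise) and the alert criteria in 8.1 are shown end to end below. This is an added example, not Razorthorn or Razor's Edge code. It assumes two input shapes, a Nessus-like row (integer severity 0 to 4 plus a CVSS v3 base score) and a Nuclei-like JSON record (template id, severity label, optional `cvss-score` under `classification`), and maps both onto the CVSS v3.x qualitative rating scale. The sample rows, the plugin and template identifiers, the false-positive register, the asset tiers and the alert policy are all constructed for illustration.

```python
"""Normalise, suppress known false positives, and prioritise scanner findings.

Added example for sections 4.1 to 4.3 and the alert criteria in 8.1; not
Razorthorn code. Input rows are constructed samples shaped loosely like a
Nessus export (integer severity 0-4 plus CVSS v3 base score) and like Nuclei
JSON-lines output (template-id, severity label, optional cvss-score).
Plugin and template identifiers are hypothetical.
"""

NESSUS_SEVERITY = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


def cvss_band(score):
    """CVSS v3.x qualitative severity rating scale."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "info"


NESSUS_ROWS = [  # constructed samples
    {"host": "10.0.0.5", "plugin_id": "990001", "name": "Unauthenticated remote code execution", "severity": 4, "cvss3": 9.8},
    {"host": "10.0.0.6", "plugin_id": "990002", "name": "Outdated web server", "severity": 3, "cvss3": 7.5},
    {"host": "10.0.0.5", "plugin_id": "990003", "name": "Self-signed TLS certificate", "severity": 2, "cvss3": 5.3},
    {"host": "10.0.0.5", "plugin_id": "990004", "name": "Default credentials on management interface", "severity": 3, "cvss3": 8.8},
]
NUCLEI_ROWS = [  # constructed samples
    {"host": "10.0.0.7", "template-id": "exposed-admin-panel",
     "info": {"name": "Exposed admin panel", "severity": "high", "classification": {}}},
    {"host": "10.0.0.5", "template-id": "tls-weak-cipher",
     "info": {"name": "Weak TLS cipher suite", "severity": "low", "classification": {"cvss-score": 3.7}}},
]

# Register of confirmed false positives / accepted risks, keyed per environment (constructed).
KNOWN_FALSE_POSITIVES = {
    ("10.0.0.5", "nessus", "990003"): "internal CA; certificate pinned by all clients",
}
# Asset criticality from the inventory: 1 = most critical; unknown assets default to 3 (assumed).
ASSET_TIER = {"10.0.0.5": 1, "10.0.0.6": 2}


def normalise_nessus(row):
    score = row.get("cvss3")
    band = cvss_band(score) if score is not None else NESSUS_SEVERITY[row["severity"]]
    return {"asset": row["host"], "source": "nessus", "check_id": row["plugin_id"],
            "title": row["name"], "score": score, "severity": band}


def normalise_nuclei(row):
    score = row["info"].get("classification", {}).get("cvss-score")
    band = cvss_band(score) if score is not None else row["info"]["severity"]
    return {"asset": row["host"], "source": "nuclei", "check_id": row["template-id"],
            "title": row["info"]["name"], "score": score, "severity": band}


def triage(nessus_rows, nuclei_rows, fp_db=KNOWN_FALSE_POSITIVES, tiers=ASSET_TIER):
    """Merge both tools, drop registered false positives, and order the work queue."""
    findings = [normalise_nessus(r) for r in nessus_rows] + [normalise_nuclei(r) for r in nuclei_rows]
    queue = []
    for f in findings:
        if (f["asset"], f["source"], f["check_id"]) in fp_db:
            continue  # registered false positive / accepted risk for this environment
        f["tier"] = tiers.get(f["asset"], 3)
        queue.append(f)
    # Severity first, then asset criticality, then raw score as a tie-breaker.
    queue.sort(key=lambda f: (RANK[f["severity"]], f["tier"], -(f["score"] or 0.0)))
    return queue


def needs_alert(finding):
    """Real-time alert policy (assumed): any critical, or a high on a tier-1 asset."""
    return finding["severity"] == "critical" or (finding["severity"] == "high" and finding["tier"] == 1)


if __name__ == "__main__":
    for f in triage(NESSUS_ROWS, NUCLEI_ROWS):
        flag = "ALERT" if needs_alert(f) else "queue"
        print(flag, f["severity"], f"tier{f['tier']}", f["asset"], f["check_id"], f["title"])
```

The suppression key is (asset, tool, check id) rather than check id alone, so a self-signed certificate accepted on one host does not silence the same check on every other host. Sorting on the CVSS band first and the asset tier second keeps the "high and critical first" rule from 4.2 while still surfacing a high on a tier-1 asset ahead of a high on a low-value one.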

5. Targeted Investigation

While automation drives much of the CTI process, the human element remains crucial, particularly when it comes to investigating high-priority issues. This component introduces a layer of expert analysis and deeper probing into significant findings.

Targeted investigation allows for the contextualisation of vulnerabilities within the specific environment of the organisation. It helps validate the real-world impact of identified issues and can uncover complex vulnerabilities that automated tools might miss. This phase is where the true value of security expertise shines, turning data into genuine security insights.

5.1. Manual Verification

  • Manually verify high and critical vulnerabilities to confirm their validity
  • Investigate the potential impact and exploitability of significant findings
  • Document any additional context or mitigating factors

5.2. Expanded Testing

  • Conduct deeper analysis on components affected by high-risk vulnerabilities
  • Investigate potential lateral movement or escalation paths
  • Assess the broader impact on connected systems or networks

5.3. Selective Medium/Low Testing

  • Periodically review a sample of medium and low vulnerabilities
  • Investigate any low/medium vulnerabilities that could compound to create higher risk
  • Assess the cumulative effect of multiple lower-severity issues

6. Reporting and Metrics

Clear, actionable reporting is essential for translating the outputs of the CTI process into tangible security improvements. This component focuses on creating a variety of reports tailored to different stakeholders, from technical teams to executive management.

Beyond just listing vulnerabilities, effective reporting in a CTI context provides trend analysis, risk scoring, and progress tracking. This approach not only highlights current issues but also demonstrates the ongoing value of the CTI program and guides future security investments.

6.1. Regular Reporting

  • Generate automated weekly summary reports of new findings
  • Produce monthly detailed reports on the overall security posture
  • Tailor reports for different stakeholders (e.g., technical teams, management)

6.2. Key Performance Indicators

  • Track metrics such as:
      • Total number of vulnerabilities by severity
      • Average time to remediation
  • Visualise trends and progress over time

6.3. Risk Scoring

  • Apply one consistent risk scoring methodology, with CVSS as its base, so that findings from different tools are directly comparable
  • Provide an overall risk score for the infrastructure
  • Highlight changes in risk posture between reporting periods
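The indicators in 6.2 and the period-over-period risk comparison in 6.3 reduce to a few functions over a findings register that records when each issue was first seen and when it was verified closed. The block below is an added example, not Razorthorn or Razor's Edge code. The `Finding` records are constructed samples, and the per-severity weights behind the overall risk score are an assumed policy chosen for illustration, not a published scale.

```python
"""KPIs and period-over-period risk posture for a continuous testing programme.

Added example for sections 6.2 and 6.3; not Razorthorn code. The finding
records are constructed samples; SEVERITY_WEIGHT is an assumed policy.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed weights for the overall infrastructure risk score.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    severity: str
    first_seen: date
    resolved: Optional[date] = None  # None = still open (fix not yet verified)


FINDINGS = [  # constructed samples
    Finding("F-1", "10.0.0.5", "critical", date(2024, 1, 3), date(2024, 1, 5)),
    Finding("F-2", "10.0.0.5", "high", date(2024, 1, 10), date(2024, 1, 24)),
    Finding("F-3", "10.0.0.6", "high", date(2024, 1, 15)),
    Finding("F-4", "10.0.0.6", "medium", date(2024, 1, 20), date(2024, 2, 19)),
    Finding("F-5", "10.0.0.7", "medium", date(2024, 2, 2)),
    Finding("F-6", "10.0.0.7", "low", date(2024, 2, 5)),
    Finding("F-7", "10.0.0.5", "critical", date(2024, 2, 10), date(2024, 2, 12)),
]


def open_at(findings, as_of):
    """Findings that had been detected and were not yet closed on the given day."""
    return [f for f in findings
            if f.first_seen <= as_of and (f.resolved is None or f.resolved > as_of)]


def counts_by_severity(findings, as_of):
    counts = {sev: 0 for sev in SEVERITY_WEIGHT}
    for f in open_at(findings, as_of):
        counts[f.severity] += 1
    return counts


def mean_time_to_remediate(findings, severity=None):
    """Average days from first detection to verified closure; None if nothing closed yet."""
    durations = [(f.resolved - f.first_seen).days for f in findings
                 if f.resolved is not None and (severity is None or f.severity == severity)]
    return sum(durations) / len(durations) if durations else None


def risk_score(findings, as_of):
    """Weighted sum of everything open on the given day."""
    return sum(SEVERITY_WEIGHT[f.severity] for f in open_at(findings, as_of))


def posture_change(findings, previous, current):
    """Risk score for two reporting dates and the movement between them."""
    prev, cur = risk_score(findings, previous), risk_score(findings, current)
    return {"previous": prev, "current": cur, "delta": cur - prev,
            "open_by_severity": counts_by_severity(findings, current)}


if __name__ == "__main__":
    print("MTTR (all):", mean_time_to_remediate(FINDINGS), "days")
    print("MTTR (critical):", mean_time_to_remediate(FINDINGS, "critical"), "days")
    print(posture_change(FINDINGS, date(2024, 1, 31), date(2024, 2, 29)))
```

Computing the open set from first-seen and resolved dates, rather than counting rows in the latest export, lets a report for any past period be regenerated from the same register, and it keeps the trend honest when a finding is closed and later reappears as a new record.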

7. Continuous Improvement

This component emphasises the need for ongoing refinement and enhancement of the entire methodology.

Continuous improvement touches every aspect of the CTI process, from scanning configurations to stakeholder communications. It ensures that the methodology remains relevant, efficient, and aligned with the organisation’s evolving needs and the broader threat landscape.

7.1. Scanning Optimisation

  • Regularly review and optimise scanning configurations
  • Balance scanning frequency and depth with performance impact
  • Incorporate feedback to improve scan accuracy and coverage

7.2. Asset Management Integration

  • Integrate CTI processes with asset management systems
  • Ensure new assets are automatically included in the scanning scope
  • Retire scanning for decommissioned assets

7.3. Threat Intelligence Integration

  • Incorporate current threat intelligence into vulnerability prioritisation
  • Adjust testing focus based on emerging threats and attack trends
  • Update testing methodologies to cover new attack vectors

7.4. Automation Enhancement

  • Continuously seek opportunities to automate manual processes
  • Develop and refine scripts for result analysis and reporting
  • Implement automated ticketing and workflow for vulnerability management

8. Communication and Collaboration

Effective security is a collaborative effort. This final component recognises the importance of clear communication and cooperation among the various teams and individuals involved.

By establishing robust communication channels and collaborative platforms, organisations can ensure that the insights generated by the CTI process translate into concrete security improvements. This component bridges the gap between identification and remediation, crucial for the ultimate success of any security program.

8.1. Alerting Mechanisms

  • Establish criteria and processes for real-time alerts on critical findings
  • Ensure alerts reach the appropriate teams or individuals
  • Implement escalation procedures for high-priority issues

8.2. Remediation Guidance

  • Provide clear, actionable remediation steps for identified vulnerabilities
  • Offer context-specific advice tailored to the organisation’s environment
  • Maintain a knowledge base of common vulnerabilities and their solutions

8.3. Collaboration Platforms

  • Utilise ticketing systems or vulnerability management platforms to track issues via Razor's Edge integrations
  • Facilitate communication between security teams
  • Provide a centralised platform for discussing and coordinating remediation efforts

The Continuous Testing for Infrastructure methodology provides a comprehensive framework for organisations to maintain ongoing visibility and control over their infrastructure security. By implementing this methodology, organisations can move away from periodic, point-in-time assessments to a more dynamic and responsive security posture.

CTI is not just a technical process, but a holistic approach that combines technology, expertise, and organisational collaboration. It recognises that true security is a continuous journey of improvement, rather than a destination.

As cyber threats continue to evolve in complexity and scale, methodologies like CTI will become increasingly crucial. Organisations that embrace this approach will be better positioned to navigate the challenges of securing modern infrastructure, ultimately leading to more resilient and secure IT environments.

9. Razorthorn Security’s Internal Infrastructure and Tooling Overview

9.1. Hosting & Reliability

  • The core platform and supporting systems are hosted with Blackbox, a secure and reliable hosting provider.
  • Blackbox’s infrastructure has been internally audited to ensure it meets stringent security and availability standards.

9.2. Platform & Tool Integration

  • The Razor’s Edge platform functions as a central hub, where both proprietary and open-source scanners are integrated.
  • Commercial scanners (e.g., Nessus, Burp Suite Enterprise) and open-source tools (e.g., OpenVAS, Nuclei) are orchestrated through Razor’s Edge, enabling efficient scheduling, results aggregation, and streamlined analysis.
  • The platform also hosts internal databases and web interfaces that securely store scan results, vulnerability data, and client reports.

9.3. Security Considerations

  • Access to Razor’s Edge and the underlying infrastructure is tightly controlled, with strict authentication, authorisation, and monitoring in place.
  • Regular internal security reviews and audits ensure that our infrastructure maintains a strong security posture.

9.4. Continuous Scanning

Perform automated, periodic or near-continuous reconnaissance and vulnerability scanning across in-scope assets.

9.4.1. Automated Tooling & Scheduling
  • Commercial Scanners: Nessus for infrastructure, Burp Suite Enterprise for web applications.
  • Open-Source & Supplementary Tools: OpenVAS, Nuclei, and other scanners as needed.
  • Integrate scans into Razor’s Edge for centralised management and automated scheduling.
9.4.2. Coverage Areas
  • External Infrastructure: Publicly accessible IP addresses, web interfaces, and services.
  • Internal Infrastructure: Systems reachable via the deployed VM, including internal web applications, APIs, and network services.
  • Web Applications (Internal & External): URL endpoints, APIs, and authentication workflows – scanned via Burp Suite Enterprise and supplemented by custom scripts or Nuclei templates as required.

9.5. Initial Analysis & Triage

Rapidly review automated scan results for critical or high-severity issues, identifying items for immediate manual investigation.

9.5.1. Operator Review
  • Razor’s Edge operators analyse scanner outputs to confirm the validity and severity of flagged vulnerabilities.
  • Results are filtered for critical and high-impact issues, with false positives removed.
9.5.2. Critical Alerts & Escalation
  • High-severity vulnerabilities trigger immediate alerts to the client.
  • Initiate a rapid-response workflow for confirmed critical findings.

9.6. Manual Investigation & Verification

For every high or critical vulnerability, conduct deeper manual examinations, ensuring no related or secondary issues are overlooked.

9.6.1. Contextual Exploration
  • Validate the vulnerability with manual tests, including controlled exploitation attempts within agreed parameters.
  • Examine related assets or services for similar misconfigurations or vulnerabilities.
9.6.2. Tooling & Techniques
  • Web testing with Burp Suite Professional and custom scripts.
  • Infrastructure testing using Nmap, Metasploit, and environment-specific tools.
  • Reference public and proprietary vulnerability databases (CVE, exploit advisories) to confirm severity and exploitability.
  • The tools used depend on the environment: for example, where a MySQL database is identified, tools such as SQLMap are used to aid further identification and controlled exploitation.
9.6.3. Business Logic Testing
  • Check for logical flaws in applications that automated tools might miss.
  • Rate identified vulnerabilities with the business context and impact taken into account, not solely on their technical severity.

9.7. Continuous Feedback & Client Reporting

Provide timely, actionable information and maintain an ongoing improvement cycle.

9.7.1. Regular Reporting
  • Issue continuous or scheduled reports (e.g., weekly or monthly) detailing new findings, their severity, and remediation recommendations.
  • Communicate risk ratings and highlight high-priority issues.
9.7.2. Real-Time Alerts for Critical Issues
  • Immediately notify the client if a critical vulnerability is found and confirmed.
  • Support urgent remediation efforts as needed.
9.7.3. Remediation Support
  • Advise on patches, configuration updates, or architectural changes.
  • Verify fixes once implemented, ensuring issues are fully resolved.

9.8. Continuous Improvement & Refinement

Adapt the methodology and toolset to evolving threats, client feedback, and environmental changes.

9.8.1. Methodology Adjustments
  • Periodically refine scanning strategies, manual verification processes, and logic testing approaches.
9.8.2. Tool Stack Evolution
  • Evaluate and introduce new scanning tools and detection methods as technology evolves.
  • Update scanning templates (e.g., Nuclei) to detect newly disclosed vulnerabilities more rapidly.
9.8.3. Client Collaboration
  • Regularly engage with the client to discuss changes in scope, upcoming projects, or new compliance requirements.
  • Adjust scanning frequency, coverage, or methodologies as needed.

9.9. Post-Engagement Review (for Milestones or Contract Renewal)

Provide a strategic overview of the client’s security posture and the effectiveness of continuous testing efforts.

9.9.1. Summary Reports
  • Detail trends, recurring issues, and improvements over time.
  • Highlight remediation successes and remaining areas of concern.
9.9.2. Strategic Recommendations
  • Suggest long-term improvements to the client’s SDLC, deployment processes, or configuration management to reduce vulnerabilities at their source.
  • Offer guidance on integrating security into development pipelines and strengthening overall security maturity.