Cyberattacks are perpetually evolving. If a new threat is detected and blocked, several others emerge and infect more devices. Security experts ceaselessly chase these threats, and the cycle never ends.
To make the job easier, automation has become a staple in various aspects of cybersecurity. However, there is a notable exception: penetration testing. As CISO Alex Haynes noted in a recent column, penetration testing has remained “stubbornly immune” to automation for many years.
The good news is that significant progress has been made, and genuinely effective automated penetration testing is already available. Services such as BAS-as-a-service are changing the pentesting paradigm. Additionally, the creation of the MITRE ATT&CK framework makes it easier and more systematic to undertake continuous comprehensive security validation.
MITRE ATT&CK is a globally-accessible framework for addressing adversary tactics with a focus on effective techniques based on real-world observations. It empowers cybersecurity teams to assess the effectiveness of their security operations and processes in order to assess where and how to make improvements.
Automated penetration testing benefits
As the term implies, automated penetration testing or pen test is the simulation of cyberattacks with automated components. It is a form of ethical hacking employed to scrutinize the effectiveness of a security system, facilitating the detection and improvement of weaknesses as well as the plugging of vulnerabilities.
Virtual machines and bots are employed to undertake an automated pen test. They simulate the actions a typical human participant would do. They perform reconnaissance work, then proceed to launch attacks based on the vulnerabilities identified.
To emphasize, this kind of security testing is not limited to the determination of vulnerabilities. It does not merely generate references for Common Vulnerabilities and Exposures (CVE) and Common Vulnerability Scoring System (CVSS) scores. It simulates an attack to determine the extent of the potential security problems and to check if the vulnerabilities found are not just false positives.
Additionally, because of its agility, automated penetration testing can provide a real-time reflection of a system’s state of security. The traditional pen test can take weeks or months, which means the reports it generates usually do not depict current conditions. As such, responses to threats may not be timely.
Moreover, automated penetration testing is usually programmed to find the best possible target to attack and the most suitable attack method to use. For example, if the pen test bot determines that a computer is vulnerable to CVE-2020-1054, the attack will be based on how to get through the Windows kernel-mode driver flaw instead of brute-forcing open ports.
Automated pen tests are notably different from conventional pentesting because of their agility and persistence. They do not require a lot of human involvement, so tests are carried out with greater frequency, extent, and speed. Additionally, the automation usually entails a considerable reduction of errors and has no problems with unlimited repetitions.
Mimicking human penetration testers
Haynes affirms the human pen tester mimicry that happens in automated penetration testing. “A lot of this is exactly how pentesters and (to a lesser extent) attackers behave,” Haynes wrote in his column on Help Net Security. “The toolsets are similar and the techniques and vectors used to pivot are identical in many ways,” he added.
One of the best examples of automated pen testing is Breach-and-Attack-as-a-service (BAS-as-a-service), which is a cloud-based solution capable of delivering results that usually take months in just a few hours or even minutes. This combination of speed and effectiveness is said to be the fruition of Gartner VP Augusto Barros’ 2018 prediction about breach and attack simulation sending traditional penetration testing to obsolescence.
The teams providing BAS-as-a-service are confident that their solution ushers a paradigm shift reminiscent of how the innovativeness of the iPhone and Android ultimately crushed Nokia’s mobile phone market dominance. Automated penetration testing takes advantage of the advances in automation and security technologies while traditional pen testing, symbolized by Nokia, stands by the old and mostly inefficient strategies that usually require ample human involvement.
Instead of using more people to conduct penetration testing, automated pen tests invest in bots, algorithms, and virtual machines to imitate the behavior of human pen testers from recon to attack, propagation, and attack re-initialization.
Can automated pentesting replace people?
It is possible for automated penetration testing to replace most human pen testers. As mentioned, it can make traditional pen tests obsolete. However, pen testers do not represent all human security experts just like how pen testing is not the entirety of cybersecurity. It also bears pointing out that not all automated penetration testing systems deliver the same output quality. While there are advanced solutions such as BAS-as-a-service that prove to be viable, there are also those that are built on false promises and pretenses.
Automated pen tests are not the be-all, end-all of cybersecurity solutions. They too have their limitations. For one, they are generally not good in handling web applications. Auto pentests may identify web servers at the port/service level, but they may not be able to go deeper like spotting IDOR vulnerabilities in internal APIs or SSRF. To put things in perspective, though, even advanced specialist web application scanners encounter vulnerability detection difficulties in.
Another limitation of automated penetration testing is its inapplicability beyond the “inside” of a network. Automated penetration testing tools have yet to incorporate adequately effective functions for the web-based infrastructure. As such, it is still necessary to rely on human pen testers in some cases.
Better than crowdsourced security
Crowdsourcing has served as a viable alternative to traditional penetration testing for several years. Still, it is no match to the efficiency of automated pen tests. While the collaborative nature of crowdsourcing carries a number advantages, it does not address the natural weaknesses of human pen testers.
Humans need sleep and rest. Machines don’t. Automated pen tests can take as many starting points and paths as possible to fully explore all vulnerabilities. The processes can also be repeated as many times as necessary or periodically and regularly to have a constantly updated snapshot of the security condition of an organization.
Automated penetration testing is a promising technology. There is still a lot of room for it to improve. However, at present, it would be a stretch to say that this tech is enough to make human security experts unnecessary. Human cybersecurity experts remain indispensable, although they no longer need to work as hard as before with the rise of automation and artificial intelligence.