The cyberwar behind the Ukraine war has shuffled the cards in cybersecurity management and paved a wider path for automated penetration testing. The fact that a masked attacker can sneak into a business network anytime and stay low has awakened the desire and urgency for more robust defences and trained response centres.
This also entails checking the effectiveness of the SOC teams and the organisation’s cyber security posture, focusing on continuous improvements. In 2020 we posted a blog titled Cybersecurity 2021 – Man or Machine? which discussed the fact that annual penetration tests are no longer sufficient for a sustainable cybersecurity level. It has probably been made clear by now that this issue is not an “either-or” relationship but an “and” one. A human – a pentester or a SOC member – must ally with AI tools if we are to repel daily attack attempts successfully.
A completed penetration test shows a cybersecurity posture for today – what about tomorrow?
Let me go back to the assumption that companies have traditionally carried out penetration tests once a year. What does this mean in the context of today’s cyber security?
Let’s say you have just completed a two-week penetration testing project today. The pentesters did an excellent job. They found one critical vulnerability, two ranked high, three medium, and five info level. They also wrote recommendations on how to fix these vulnerabilities. They did not write specific remediation instructions because you need to do the remediation according to the specifics of your architecture and in coordination with external service providers. The final meeting is over; tomorrow, you will start discussing the timeline for remediation. In our experience, the time to remediate vulnerabilities is measured in months.
Now let’s look at the vulnerability side. In 2021, there were 20,168 CVEs recorded, which means 55 vulnerabilities per day. This year, there have been more than 10,000 CVEs in the first five months, which means that we will beat the record again by the end of this year.
Let’s assume the unrealistic situation: on the same day that vulnerabilities were discovered in our network, we fixed them all. Great! Nobody can hurt us. Until tomorrow morning, when 55 new vulnerabilities will be detected and our IT system will be at risk again.
If only an ethical hacker was on duty every day …
Ideally, you would take the following three steps to test cybersecurity daily: first a vulnerability scan, then a penetration test to exploit the vulnerabilities found in the scanning phase, and, in the third step, immediate remediation of the vulnerabilities that proved exploitable.
This scenario is not possible for two reasons, which we have also mentioned in our previous posts:
- daily penetration testing would be highly cost-ineffective and too expensive for any organisation,
- there are not enough ethical hackers on the market for companies to employ them for daily testing.
In addition to specific skills, vulnerability detection and penetration testing also require specialised tools, which can be pretty expensive. The third step – vulnerability remediation – requires an extensive and, at the same time, in-depth knowledge of the technology, the network, how the devices work and how they are interconnected.
For one ethical hacker in a medium business or even a team of three or four, eliminating all exploitable vulnerabilities on a daily basis is unrealistically demanding. However, considering the escalation of cybercrime, carrying out such tests is becoming a necessity.
Automated penetration testing is one step closer to the ideal
The leading cybersecurity development companies have recognised the need to automate penetration testing. Tools are now available that can perform the routine task of testing if discovered vulnerabilities are, in fact, exploitable. Artificial intelligence can run such tests quickly and deliver usable results.
Automated penetration testing tools carry out controlled brute force attacks and thus act as real attackers. In the first step, they run vulnerability scans; in the second step, they try to exploit these vulnerabilities. Based on the result of both steps, they evaluate the criticality of the vulnerability and business impact.
What is the key difference between a vulnerability scanner and an automated penetration testing and security validation tool? A vulnerability scanner performs a static scan to detect security holes, ranked according to the CVSS methodology. These tools are primarily aimed at getting identified vulnerabilities patched; they neither measure the impact of a vulnerability on a particular system (so they report false positives) nor examine the system dynamically (so they miss false negatives).
On the other hand, automated penetration testing tools take one step further and are primarily designed to validate cyber security. This means they try to exploit detected vulnerabilities which shows how harmful they are to the given system. These tools rank the exploitable vulnerabilities in terms of the business impact or potential business loss. The added value of such a tool is reflected in the information on which vulnerabilities actually present a risk for the organisation and need to be addressed and remediated as a priority.
For example, one of the Log4j vulnerabilities spiced up the lives of IT professionals at the end of 2021. The vulnerability is rated as medium with a score of 5.1 according to the CVE metric.
Based on the CVE metrics, we might conclude that this vulnerability is worth the attention, yet it does not need to be fixed immediately. This is most likely the case. However, the configuration of our system might allow this vulnerability to escalate to a critical level through other vulnerabilities and enable an attacker to break into the system. We cannot know this until we simulate vulnerability exploitation.
An example of a medium-rank vulnerability which eventually turned out to be highly critical is shown in the following diagram from the Pentera tool, which traces the evolution of the vulnerability’s rating.
From a criticality rating of 5.5, the exploit simulation developed a vulnerability rating of 10, which allows an attacker to take over an administrator account. Conversely, a vulnerability with a score of 9 may prove harmless in a specific system, e.g. with a final score of 2.
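To make the re-ranking idea concrete, here is an added example (not code from this post or from Pentera) of the prioritisation logic a validation step adds on top of a scanner’s CVSS numbers. The findings, hosts, impact values and the residual cap for unexploitable findings are all constructed for illustration; the `leads_to` links stand in for the kill-chain edges a validation tool would record. The validated score of a finding is the worst business impact reachable by chaining only the findings that the validation run actually exploited, which is how a 5.5 can end up as a 10 and a 9 as a 2.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Policy constant (constructed for this example): a finding the validation run
# could not exploit keeps at most this residual score, mirroring the
# observation that a CVSS 9 may end up as a 2 in a specific system.
UNEXPLOITABLE_CAP = 2.0


@dataclass
class Finding:
    finding_id: str
    host: str
    description: str
    cvss: float                 # static scanner score (CVSS base)
    exploited: bool             # did the validation step actually exploit it?
    asset_impact: float         # business impact (0-10) of fully compromising `host`
    leads_to: List[str] = field(default_factory=list)  # findings reachable after this one


def validated_score(findings: Dict[str, Finding], fid: str,
                    seen: Optional[Set[str]] = None) -> float:
    """Worst business impact reachable by chaining exploited findings from `fid`.

    Findings the validation run could not exploit are capped at UNEXPLOITABLE_CAP,
    regardless of their CVSS score. `seen` guards against cycles in the chain graph.
    """
    if seen is None:
        seen = set()
    f = findings[fid]
    if not f.exploited:
        return min(f.cvss, UNEXPLOITABLE_CAP)
    seen.add(fid)
    worst = f.asset_impact
    for nxt in f.leads_to:
        if nxt in seen or not findings[nxt].exploited:
            continue
        worst = max(worst, validated_score(findings, nxt, seen))
    return worst


def rank_by_cvss(findings: Dict[str, Finding]) -> List[str]:
    """The order a plain vulnerability scanner would present the findings in."""
    return sorted(findings, key=lambda k: -findings[k].cvss)


def rank_by_validation(findings: Dict[str, Finding]) -> List[str]:
    """Order by validated (chained) business impact; CVSS only breaks ties."""
    return sorted(findings,
                  key=lambda k: (-validated_score(findings, k), -findings[k].cvss))


# Constructed sample: a medium-rated entry point that chains through to a
# domain admin takeover, plus a high-rated finding the validation could not exploit.
SAMPLE: Dict[str, Finding] = {f.finding_id: f for f in [
    Finding("F1", "app-01", "remote code execution on web application",
            cvss=5.5, exploited=True, asset_impact=4.0, leads_to=["F2"]),
    Finding("F2", "file-01", "service credential reused from app-01",
            cvss=6.0, exploited=True, asset_impact=6.0, leads_to=["F3"]),
    Finding("F3", "dc-01", "administrator account takeover",
            cvss=7.0, exploited=True, asset_impact=10.0),
    Finding("F4", "legacy-01", "outdated service, mitigated by network segmentation",
            cvss=9.0, exploited=False, asset_impact=3.0),
]}


if __name__ == "__main__":
    print(f"{'id':<4}{'host':<10}{'cvss':>6}{'validated':>11}  description")
    for fid in rank_by_validation(SAMPLE):
        f = SAMPLE[fid]
        print(f"{fid:<4}{f.host:<10}{f.cvss:>6.1f}"
              f"{validated_score(SAMPLE, fid):>11.1f}  {f.description}")
```

Run stand-alone, the table puts the chained findings F3, F2 and F1 at the top with a validated score of 10.0 and pushes F4 (CVSS 9.0, not exploitable) to the bottom at 2.0, whereas `rank_by_cvss` would have put F4 first. The shape of the data is the point: a scanner gives you the `cvss` column, a validation tool gives you `exploited` and `leads_to`, and only with the latter can the remediation queue be ordered by what actually threatens the organisation.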
Along with the graphical representation of the vulnerability kill chain, the tool also provides instructions on how to fix the specific vulnerability. The instructions are compiled in the form of encyclopaedic entries that quickly provide the user with the correct information and guide them through the remediation process.
IT departments make the final call
The final step in the cybersecurity validation process is vulnerability remediation. This burden is still on the shoulders of the IT professionals in the organisations and is very time-consuming. Companies that already use automated penetration testing tools report that vulnerability remediation can take several weeks, depending on how much time IT departments can devote to it.
However, the tool proves its added value even at this stage: the encyclopaedic or wiki entries mentioned above can save operators hours of surfing the internet to find the right solutions. This is also the stage at which the company assesses whether it is reasonable to invest the time (and resources) to eliminate the vulnerability or to accept the risk and perhaps address it at another point.
Key benefits of automated penetration testing tools
- Information on exploitable vulnerabilities and a knowledge base with remediation instructions.
- Ability to perform penetration tests more frequently, e.g. on a weekly or monthly basis.
- Faster penetration tests with detailed instructions on how to remediate vulnerabilities.
- Verification of the performance of security devices through the penetration tests themselves.
- An accurate picture of the cybersecurity posture and a starting point for negotiations for investments in new security devices.
Despite the advantages of automated tools, there are two important factors that you should consider:
- Before implementing automated security verification and validation, an organisation must have a sufficiently high level of cybersecurity awareness and culture. We are happy to advise you in this regard.
- Automated penetration testing cannot fully replace a manual penetration test, so we recommend that you perform a manual penetration test once a year. Ethical hackers can more easily adjust the test flow according to the vulnerabilities discovered during the test and, with the client’s agreement, take a closer, in-depth look at the segments that are more important for the organisation.
Automated penetration testing with Pentera assures daily security validation of exposed networks, users, devices and applications.