From Automated Penetration Testing to Continuous Security Validation

With the accelerating evolution of the threat landscape, the emergence of new ransomware strains, threatening crypters, evasive Remote Access Trojan (RAT) loaders, and more, the efficiency of periodic manual penetration tests is shrinking at a worrying speed. 

What is Automated Penetration Testing, and How Does it Work? 

As its name indicates, automated penetration testing is the automated version of manual penetration testing. The necessity for automation arose when classic penetration testing could no longer identify the majority of security gaps exploitable by cyber-attackers because of: 

  • The massive adoption of agile development across all industry sectors: From a cybersecurity perspective, the consequence of frequent deployments that are the hallmark of agile development means that environments are constantly evolving, nullifying the result of penetration tests performed on pre-new deployments’ configuration. 
  • The automation of cyber-criminal tools:  Tools and off-the-shelf digital services such as RaaS (Ransomware as a Service) or MaaS (Malware as a Service) that use AI/ML capabilities to enhance the efficiency of attacks translate into an accrued complexity and variety of cyber-attacks combined with a reduced reliance on advanced coding skills to launch attacks. Reliance on manual penetration skills to emulate the ability of attackers equipped with automated tools is illusory. 
  • The ever-growing tide of high-risk vulnerabilities: A number of factors, including the need for speed in agile development and the resulting reliance on open-source and other ready-made pieces of code, led to an ever-growing number of high-risk vulnerabilities. In this context, validating an infrastructure resilience requires validating that security controls configuration is optimized, not only that it is resilient to the current list of vulnerabilities. 

The logical response when the function filled by a manual process is becoming too labor-intensive to be practically met is to automate as much of the process as possible. Thus, was born the concept of Automated Penetration Testing. 

What is Automated Penetration Testing? 

Originally, automating penetration testing entailed replacing most of the repetitive tasks performed by a human penetration tester with automation. Yet, as complexity grew beyond the ability of any human to keep an overarching view of the entire cyber-criminal capabilities, the generic field of automated penetration testing had to evolve and become what is now known as Continuous Security Validation. 

How Does Automated Penetration Testing Work? 

At its core, automated penetration testing capitalizes on AI capabilities to imitate the techniques used by cyber-attackers. The two main sides to automated penetration tests are external and internal.  

What are External Automated Penetration Tests? 

External penetration tests consist of emulating attackers’ thinking processes and techniques used to find a weakness in the attack surface, gain an initial foothold, and progress laterally and vertically within the targeted environment. 

Automating these external penetration tests is broken down into a series of continuous security validation tools covering an attack’s various steps: 

  • Attack Surface Management: This mimics an attacker’s recon phase, where the attacker looks for unmonitored, unsecured, digitally accessible assets that they could potentially leverage to gain an initial foothold in the targeted environment. 
  • Phishing Awareness: This automates the bulk of creating, sending, and monitoring the response to a series of emails containing enticement to click on an infected link or download a compromised attachment. 
  • Automated Red Team Campaigns: This mimics the way an attacker would progress within the targeted environment after successfully breaching its attack surface to gain control over as many resources as possible. 

What are Internal Automated Penetration Tests? 

Internal penetration tests consist of running as comprehensive as a possible number of scenarios (such as those listed on MITRE ATT&CK) to test the security control configuration’s resilience to attack. These attack scenarios implement the tactics, techniques, and processes (TTPs) used by cyber-attackers and check the environment’s resilience and ability to detect, preempt or respond to these simulated attacks. Breach and Attack Simulation (BAS) is the tool of choice to automate internal penetration tests. 

The results of these simulated internal and external attacks are then compared to the performance of detection and response tools to evaluate their efficacy. 

Key Benefits of Mature Automated Pen-Testing 

Mature automated penetration testing, better known today as continuous security validation, yields benefit on multiple levels: 

Security Benefits of Automated Pen-Testing 

  • Full visibility of security posture: The discrepancy between the simulated attacks launched and those detected, prevented, or mitigated provides a bird’s eye view of where security gaps are. 
  • Security drift monitoring: The availability of exact risk level measurements allows easy monitoring of potential deterioration in real-time, enabling taking corrective measures as soon as any variance from accepted baselines is detected. 
  • Resilience against emerging threats: When available in the automated penetration testing service basket, immediate threat intelligence enables instantaneously testing the infrastructure’s resilience to emerging threats. 
  • Eliminating repetitive manual tasks: Automating repetitive and predictable tasks frees the security team’s time for higher-level tasks requiring creativity. 
  • Rationalization and optimization of existing security tools: The precise identification of which tool is detecting, preventing, or mitigating which simulated attacks enables the security to:
     • Identify capability overlap between tools
     • Reconfigure detection tools to optimize detection, prevention, and mitigation
     • Detect missing capabilities 
  • Reduction of false-positive alerts: Informed rationalization and optimization of the defensive tool stack eliminate a large percentage of false-positive alerts, reducing wasted time and preventing alert fatigue. 

Business Benefits of Automated Pen-Testing 

  • Availability of exact metrics: Automated penetration testing measures exactly the ratio of attacks stopped by the existing defensive controls compared to the number of attacks launched. When adjusted to take into account other factors such as CVSS score and DREAD type risk assessment models, the risk level can be precisely quantified. 
  • Optimized patching schedule: The ability to evaluate how security controls compensate for the security gaps stemming from vulnerabilities with Attack Based Vulnerability Management (ABVM) can reduce IT patching workload by up to 50% while hardening the overall security posture. 
  • Increased defensive tool stack ROI: Rationalize and optimize the defensive tools stack with quantified metrics and detailed information to:
    • Prevent unnecessary solution purchases leading to tool sprawl
    • Avoid unnecessary complexity eating up analysts’ time
    • Provide metrics enabling the exact evaluation of the defensive array ROI 
  • Facilitated compliance: especially at a time when regulators increase demand for security validation, automated pen-testing combined with automated report generation enables documenting security validation processes. 
  • Better cyber-insurance rates: The documented and quantified security posture risk level facilitates negotiating with cyber-insurance underwriters and lowering the primes. 

As an added bonus, the availability of exact metrics enables the cybersecurity team to quantify risk and define KPIs instead of baselines established with guestimates, facilitating communication with the board. 

The BAS Revolution and the Future of Automated Penetration Testing 

With a clearer idea of the numerous benefits of automated penetration testing, let’s have a closer look at what is the best-known continuous security validation tool today, Breach and Attack Simulation Attack (BAS). 

One of the key ingredients necessary to yield the full benefits of automated penetration testing is the ability to run tests continuously. BAS is historically the first continuous security validation tool to make it to Gartner’s Hype Cycle for Threat Facing Technologies, where it was listed as an innovation trigger in 2017. As such, it was the first continuous security validation tool to be available with more than one vendor, albeit with far fewer capabilities than today. 

Today, BAS tools validate the efficacy of endpoint security, email gateways, web gateways, Web Application Firewalls (WAFs), and data exfiltration, and ideally include updated Immediate Threat Intelligence and full kill chain capabilities. BAS solutions require the integration of a lightweight agent to function and provide detailed information about security gaps as well as mitigation recommendations that accelerate remediation and harden security posture.  

However, as an agent-based solution, BAS fails to cover outside-in attack aspects such as gaining an initial foothold, an essential step in any attack emanating from outside the environment. Advanced penetration testing automation platforms include attack surface management (ASM), phishing awareness, lateral movement simulation capabilities, and the latest generation of vulnerability management software, Attack Based Vulnerability Management (ABVM) which uses the data collected during automated penetration tests to optimize and reduce the vulnerability patching schedule. 

Leading continuous security validation vendors such as Cymulate integrate BAS in a comprehensive Extended Security Posture Management (XSPM) platform that also facilitates the analyst’s work with customizable dynamic dashboards and accelerates the mitigation process by integrating ticketing systems. In the future, continuous security validation tools will expand their capabilities to extensively cover supply-chain-born risks, OT, IoT, and more domains as digital technology evolves. 

Manual vs. Automated Penetration Testing – Can it Replace Humans? 

Can all this automation ever replace the need for human beings? Not in the foreseeable future.  

Though the automation that is the core to continuous security validation can process vast amounts of information, perform endless repetitive tasks without losing focus or getting tired, generate exhaustive reports, and even learn to recognize outlying behaviors, they lack creative thinking abilities and the capacity to infer causal links from a set of data. 

Causal inference and creative thinking are still reserved for humans for the foreseeable future, and both are key to effectively analyzing the data produced by automated penetration testing techniques. Humans’ role in cybersecurity remains crucial, but continuous security validation solutions are diligent assistants that perform the tedious work and crunch enormous amounts of data to produce digestible and actionable information. Humans can then leverage that information to optimize their decision process. 

Conclusion 

Despite their relatively recent emergence, automated penetration testing tools already have a rich history, starting with custom-made pieces of code produced in-house by cybersecurity staff to full-fledged, multi-layered continuous security validation solutions with multiple vendors. 

The continuous security validation market is vibrant and, as knowledge about its ability to harden organizations’ security posture without requiring considerable additional resources spreads, its gradual adoption by the wider public might translate into a turning of the tide in the war against cybercriminals. 

Get a free 14-day trial of Cymulate’s Extended Security Posture Management. No credit card is needed.

 

Start A Free Trial