Athena Dynamics Young Writers Series: Analysing Automated Penetration Testing
Author: Bryan Lim, Business Development Intern, Athena Dynamics
Copyright © July 2021 All Rights Reserved Athena Dynamics Pte Ltd
Advisory Editor: Nyan Tun Zaw, VP of Business Development, Athena Dynamics
In a previous article we looked at the differences between vulnerability assessment and penetration testing, and covered which would be suitable for your company or organization. In this article, we will be taking a closer look at a new development in the VAPT industry – Automated Penetration Testing.
As touched on in the previous article, penetration testing is a simulated cyberattack in which vulnerabilities in a system are exploited, emulating real-world cyberattacks so as to give a complete picture of the robustness of the system’s security infrastructure. The penetration testing sector has long been dominated by manual penetration testing. These tests are conducted by highly trained cybersecurity experts acting as ethical hackers who perform the simulated cyberattacks. It has been widely accepted that automated tools are not as advanced as humans, being at a disadvantage in flexibility and detail, among other things, and are thus not a viable option in the pen testing role. However, recent developments and advancements in these automated tools have not only made their use viable; some in the industry are even asking not if but when these tools will supersede traditional manually conducted penetration testing. Let us take a closer look at how this may be possible.
How do Automated PT (Penetration Testing) tools work?
First of all, how do automated penetration testing tools work? Put simply, these tools deliver a penetration test that simulates the pen tester’s device or attacking proxy connecting into a network. The bot behind the tool then proceeds to conduct reconnaissance on the environment. This is achieved through vulnerability assessment scans, similar to what a human pen tester would do. After potential targets have been earmarked, the tool selects the most suitable system as a target to take over. Such decisions are based on factors such as ease of exploitability and the potential alarm or “noise” an intrusion would create, among other things. Once the tool gains a foothold within the system, it propagates and spreads within it. However, unlike a human pen tester, the tool installs an agent on the compromised machine. It then pivots, making use of different combinations of gleaned credentials and adapting to find the best possible method to gain entry to the entire system.
Advantages of Automated PT
Human pen testers conduct their tests manually, and this may result in a wait of several days or even weeks, depending on the scope of the pen test, before a report detailing the vulnerabilities within the system can be generated. This is a major issue, as the report may no longer be up to date and accurate: the system environment may have changed or been updated since the report was first generated, and new vulnerabilities not present during the test could have emerged. Automated penetration testing, on the other hand, eliminates these concerns. Reports generated by automated tools require just a fraction of the time, with some being generated instantly. Given the short time needed to generate a report relative to manual testing, automated pen tests can also be repeated multiple times. This allows frequent detection of new vulnerabilities, which can then be remediated quickly. Gone are the days of waiting a long time for a report that may be obsolete.
Secondly, automated pen testing tools are also typically more affordable than manual pen testing. Typically, the pen tester is given a certain access point (known as an entry point) before attempting to gain access to a system during a penetration test. A pen-testing tool, on the other hand, can make use of differing entry points, discovering a greater number of exploits and thus creating a wider range of case studies and scenarios. While this is also possible with manual pen testing, the cost may be prohibitive, as significantly more time and effort is required to conduct a test from each entry point. This is neither practical nor financially viable.
Furthermore, automated pen test tools can collect large amounts of data from a system, even from entire subnets (sections), which is very time consuming for a human pen tester, thus helping to save time. As mentioned earlier, this allows for testing of huge infrastructures with many endpoints, whereas doing so with human pen testers would be impractical, both financially and in terms of time. Instead, with automated pen testing tools, it is as simple as inputting an IP range and waiting for the final results to be generated before diving into the glaring findings.
Limitations of Automated PT
On the other hand, when compared with automated tools, traditional manual penetration testing can provide an advantage when it comes to engagement with the client. Typically, results can be broken down and false positives weeded out by human pen testers upon completion of the test. The tester may even be able to answer questions pertaining to the results of the test, but this would not be possible with automated penetration tests, as the report is generated by a tool. This makes it difficult for consultants to break the report down and explain what the client would like to find out. As such, the results may be less personalized and may not necessarily be tailored to fit the client’s expectations.
The choice between automated and manual penetration testing depends on several factors and perspectives, which have to be taken into consideration. Factors such as the amount of time required for the penetration tests, the size of the institution or organization being tested, and regulatory requirements, among others, all play a part in choosing the type of pen test solution. Nevertheless, these new automated penetration testing technologies do demonstrate great promise and, when used correctly, can benefit your organization greatly. Alternatively, some pen testers also make use of a combination of automated pen-testing tools when doing manual pen testing so as to suit a client’s needs: an area can be tested in more detail at the client’s request, while less important systems can just undergo a general automated penetration test. This shows that the two approaches are not mutually exclusive and can be used flexibly together.
Bryan Lim is an Associate (Intern) in the business development team in Athena Dynamics Pte Ltd, a subsidiary of BH Global Corporation Ltd, a company listed on the Singapore Stock Exchange (SGX).
Nyan Tun Zaw is the VP of Business Development at Athena Dynamics Pte Ltd, which is a subsidiary of BH Global Corporation Ltd, an SGX mainboard listed company.
With a wide-ranging background in cybersecurity, software development, web development and networking, Zaw has in-depth experience in deploying security solutions for several highly confidential government and critical infrastructure projects, particularly in the CDR/CDNR field as a technical lead. His interest mainly lies in cybersecurity and AI/ML.
Zaw holds a Bachelor of Business Management, with double majors in Finance and Information Systems, from Singapore Management University as well as a Master of Business Administration (MBA) from Quantic School of Business and Technology. He is also a holder of the Certified Ethical Hacker (CEH) and EC-Council Certified Security Analyst (ECSA) certificates.
Being a technical person who also likes sharing his experiences and knowledge, Zaw has also been part of speaking panels with global C-level executives at various events and conferences in the region.
Disclaimer: Neither BH Global, Athena Dynamics nor the writer guarantees full and timely accuracy of the write-up. Readers shall read with their own discretion, judgement and research if in doubt. If you wish to contribute further writings, please feel free to contact us.
Not for General Distribution. Copyright © 2021 All Rights Reserved. No part of these presentation materials may be distributed/reproduced without the writers’ express consent.