At a recent U.S. Armed Forces Electronics and Communications (AFCEA) Technet Augusta: Solution Series, I learned the harsh reality of cybersecurity and automation. “The enemy is using automation to attack our systems so we must use automation in response, or we will lose the battle.” This came from General Dynamics IT (GDIT) leadership and demonstrates the importance of automation in the world of cybersecurity.
Specifically, certain aspects of the penetration testing process can be automated to provide more timely assessments of a system. Remember that pen testing is the process of testing your IT systems to find vulnerabilities. The process reveals system weaknesses so we can mitigate potential threats before the enemy discovers and exploits them.
At a minimum, pen testers should automate the vulnerability scanning process to provide daily, weekly or monthly reports. Currently, many companies scan only once or twice a year to maintain compliance (e.g., PCI-DSS, NIST), but this is not realistic in most settings. Organizations must scan for vulnerabilities much more often.
Opportunities For Automation
CompTIA PenTest+ (PT0-002) includes best practices for automation techniques. The exam assesses how to perform automated vulnerability scanning and penetration testing using appropriate tools and techniques, and then how to analyze the results as shown below.
Domain 2.0 Information Gathering and Vulnerability Scanning
- 2.4 Given a scenario, perform vulnerability scanning. Includes vulnerability testing tools that facilitate automation.
Domain 5.0 Tools and Code Analysis
- 5.2 Given a scenario, analyze a script or code sample for use in a penetration test. Includes automating the penetration testing process and next steps based on results of a scan.
- 5.3 Explain use cases of the following tools during the phases of a penetration test. Includes automation tools for scanning and web application testing.
Most modern penetration testing tools include automation capabilities. For example, you can find automation testing features in Metasploit, Nettacker, Jok3r, Legion, Sn1per, Open Security Content Automation Protocol (SCAP), OWASP ZAP and Burp Suite – to name a few.
Inherent Hurdles and New Fixes
There is recorded use of pen testing by the U.S. Air Force in 1971 to protect various systems (50 years ago!). They used manual scanning techniques found in most scanners available today, such as nmap tools.
Historically, the problem with these pen testing tools has been two-fold:
1. The lack of consistent testing, or scheduling, throughout the year; and
2. The inability to penetrate web apps to determine problems in the code beyond SQL injections (SQLi) and Cross-Site Scripting (CSS) attacks.
Recent tools are focused on fixing these problems.
For example, nearly all pen testing tools include automation tools for scheduling frequent scans, on a daily, weekly or monthly basis, or upon system changes. If configured properly, these scans provide better visibility of potential threats across the organization in near real time.
Deep scanning of web apps has been elusive. Historically only basic attacks like SQLi and CSS have been identified in web app scans. Alex Haynes from Dark Reading emphasizes this limitation.
“They [automated web app scans] won't understand that you have an insecure direct object reference (IDOR) vulnerability in your internal API or a server-side request forgery (SSRF) in an internal webpage that a human pen tester can use to pivot further,” Haynes said.
To fix this problem, specialized pen testing software has been developed for web app testing in software development, DevOps and SecDevOps. NetSparker claims to identify 100% of web app vulnerabilities while Burp Suite catches 86%. Other specialized web app testing tools include HPWeb Inspect, Rapid7 AppSpider and IBM AppScan. These tools are maturing quickly – each new release offers more web app protection than the last.
Automated Pen Testing Will Not Replace Humans
Automation is used to get a job done and right now it can be argued the job isn’t getting done in cybersecurity. For example, most organizations require one or two pen testing tests each year to maintain compliance to PCI-DSS or NIST. But the low rate of testing and the increased number of attacks is leaving organizations vulnerable, forcing them to resort to daily or twice-daily automated scanning.
The process of going from two scans a year to two scans a day, requires more human involvement, maintenance and results analysis, not less. Most organizations regard vulnerability scanning as essential, and humans are needed to configure and analyze the process.
Another reason pen testing will continue to require human participation is due to lateral movement shortcomings once a foothold has been gained. For example, automation may identify common vulnerabilities, but can it:
- Prioritize vulnerabilities and choose the best vulnerability to exploit?
- Move laterally across systems, install agents and find other vulnerabilities?
These are complicated questions and pen testing automation comes up short. Additional industry tool development is underway to expand pen testing automation beyond vulnerability scanning.
CompTIA PenTest+ Covers Automation: Learn the Skills Today
The CompTIA PenTest+ (PT0-002) exam objectives focus on pen testing and vulnerability scanning automation. The latest pen testing techniques and best practices are included for operating in multiple environments, including on premises, the cloud and hybrid networks. The objectives also include pen testing web apps, wireless systems, embedded systems and IoT devices in these environments.
Automation skills are expected to grow in demand in the foreseeable future to help already burdened cybersecurity professionals get the job done. If IT pros do not embrace automation skills, their organizations will pay the price of continued breaches.
To learn the pen testing automation skills you need to succeed, please download the CompTIA PenTest+ exam objectives, study hard and take the exam! The certification will help prove to employers that you have the latest skills to protect their organization from the next cyberattack.
