Autonomous Penetration Testing Ensures Better Protection of IT Infrastructures

14 September 2023
Background
In January 2023 the author gave a lecture on this subject for ISACA. The attendees were so positive that NOREA asked the author to turn it into an article. Because the author is of German origin, the article is written in English.
Conventional security mechanisms and vulnerability scanners make it possible to clean up many security gaps - but what remains is usually a patchwork quilt that still leaves plenty of opportunities for resourceful hackers. To really test the security of IT networks, the eyes of a hacker are needed. Because only they can see vulnerabilities that carefully camouflage themselves and only gain visibility when it is too late. Autonomous pentesting uses the same methods as hackers, does not require waiting times like a professional pentester, and can also be used at any time to monitor the infrastructure on an ongoing basis. 

Cybercrime, in its various forms, represents an increasing threat to the EU. Cyberattacks are highly complex crimes and are almost always successful due to organizations not knowing where they are at risk. Meanwhile the perpetrators behind these crimes are becoming increasingly agile, exploiting new vulnerabilities most often created by weaknesses in code, poor user and admin credentials, software and hardware misconfigurations, and the continuous use of dangerous product defaults. One of the most recent warnings was published in the Internet Organised Crime Assessment (IOCTA), Europol’s assessment of the cybercrime landscape. “Cyber-attacks: the apex of crime-as-a-service” impressively shows how much cyber-crime has evolved and has now become its own industry. Now, the relevance of cybersecurity in value creation has never been higher.

A successful cyberattack can not only mean the outflow of data, but also cause a production stop. In extreme cases, this leads to a company's inability to pay a ransom - and thus can cause insolvency. The financial losses are enormous, and the cost of security is ever growing. Germany's digital association Bitkom puts the yearly damage at more than 200 billion Euros. Almost all organizations have been affected and often report data theft, espionage, and sabotage. Attackers are becoming increasingly professional, are well organized, and also closely monitor trends in the IT security industry; many are experts in security technologies and approaches. Many software companies regularly issue advisories on vulnerabilities they, or researchers, have discovered, which are then almost immediately exploited because attackers stay one step ahead of patch cycles. The rule is that those who patch too late lose out in the race against time. The pressure on IT specialists and security professionals is correspondingly high.

According to a Bitkom study, the number of vacancies for IT specialists across all industries in Germany is at a record figure of 137,000 in 2023. In other European countries the picture is no different: organizations are lacking an enormous number of specialists. This shortage is putting additional pressure on corporate IT departments, while the number of security vulnerabilities and corresponding exploits is increasing daily. Although the EU Commission's Cyber Resilience Act holds out the prospect of a law that will make manufacturers of technology with digital elements much more accountable, it will be some time before the law comes into force. In addition, existing technology is not covered and must therefore also be protected.
IT departments under pressure
IT administrators and their teams have to check and work through long lists of prioritized vulnerabilities spat out by vulnerability management tools and other sources of intel on a daily basis. However, most organizations do not have the necessary capacity to do this, so only a fraction of the relevant vulnerability reports are actually investigated and the underlying weakness fixed.

One of the most effective ways to fight cyber attackers is using an attacker's point of view to find the most critical vulnerabilities in an IT infrastructure. Traditionally, organizations used manual penetration tests to find their greatest weaknesses before attackers did. These tests were normally performed by certified penetration testers who try to determine the sensitivity of networks or IT systems to intrusion and manipulation attempts by carrying out simulated attacks. The methods and techniques used are the same as those used by attackers to penetrate a system without authorization, and often without leaving any traces.

However, certified pentesters are in short supply - the service they deliver can be associated with long waiting times, and usually the pentest provides a moment-in-time security assessment, which can be viewed as a snapshot - but can in no way be seen as a permanent safeguard in the fast-moving threat landscape. The challenge most organizations face is that after a pentest is complete, and outcomes are reviewed through reports and analysis, most security teams are still not quite sure what needs to be fixed - and what does not. The reason for this is simple. They often lack a clear understanding of which weaknesses are actually exploitable and which “weaknesses” are not.
Combination of different attack vectors
Compromising the IT infrastructure of even the largest enterprises is considerably easier than most people believe. For example, an innovative company located in the U.S. that provides an autonomous pentesting solution revealed that completely taking over an IT infrastructure can be done in less than a few hours, and sometimes shorter, with no human effort required.

For example, in an autonomous pentest at a large company, the autonomous pentesting solution started out as a harmless computer in the network. Within minutes, the solution proved it could become a domain administrator by first compromising low-level credentials, then pivoting to other systems where more credentials were dumped, and eventually increased its admin privileges to the point where the solution could take over the company's business email system. The autonomous pentest took ~30 minutes to execute and exploited no CVEs whatsoever. The attack path the pentesting solution discovered, to obtain domain admin, is typical for highly skilled criminals. These types of attack paths often result in attackers first stealing data, then injecting ransomware into an organization where they can lock up systems and encrypt data until the victim pays the ransom.
Hackers also use autonomous attacks
One argument for an autonomous pentesting solution that should not be underestimated is the fact that cybercriminals also launch autonomous attacks – meaning they conscript machines and turn them into bots, load scripts onto them, and have them perform attacks on their own. In fact, command & control servers are the handiwork of advanced attackers, allowing them to monitor their bots’ activities closely. Accordingly, anyone who only has a manual pentest performed once a year is putting themselves in a very risky position, because new vulnerabilities are discovered daily, and networks, applications, and computing systems are in a constant state of flux.

Autonomous pentests, on the other hand, can be run continuously without disrupting the organization's ongoing operations. Running tests regularly can help ensure the organization’s infrastructure can withstand the latest complex attacks. This effort is especially important because the takeover of an IT network can be completed in as little as a few minutes. Another advantage of autonomous pentesting solutions is that they are easy to use and do not require any special skills. In comparison, a manual pentest requires a highly qualified certified pentester, often with decades of experience. Hiring them can be quite costly for most organizations.

In autonomous pentesting, finding the riskiest vulnerabilities is not the end of the job. Instead, using the expert remediation guidance, IT specialists need to quickly resolve the discovered issues, retest, and verify their fix worked. In an internal autonomous pentest, it starts by simulating an attacker that has already gained a foothold in the network, then it shows what an attacker could easily do next with proof that it is completely doable. Vulnerabilities found are classified by the solution into threat classes and detailed suggestions for solving the vulnerabilities are also provided.
Find, fix and verify!
Regularly testing a corporate network is the only way to fully ensure that the infrastructure can withstand a targeted attack. Therefore, launching an autonomous pentest must be a simple task that can easily be carried out by less specialized IT staff. A modern platform for autonomous pentesting should be delivered using a SaaS (Software-as-a-Service) model because it ensures the solution is running the latest and greatest exploits and new features can be turned on with the click of a button.

Depending on how the test is run, it can examine the entire infrastructure it has access to. It does not matter whether the hosts, servers, or storage are on-premises, in the cloud, or in a hybrid architecture. All fronts are attacked as an attacker would - the only difference being that IT managers are given concrete recommendations for action on the classified risks. "Blind spots" in existing security processes and tools are identified in the same way - and, like the entire process, in compliance with data protection legislation.

With a user experience focused on the needs of any-sized IT departments, a modern autonomous pentest solution gives security teams, CIOs, CISOs, GRC personnel, and administrators a detailed analysis of the discovered attack paths in their networks with evidence and proof of successful exploitation, prioritized corrective actions, and then a 1-click verification that the fix was successful. This "find, fix, and verify" model is necessary to verify that patches and security adjustments made have had the desired effect and have completely closed the former vulnerability and not opened another.
IT security with a 360-degree view
As a security measure, autonomous pentesting has a 360-degree view of the entire infrastructure, and attacks are also carried out in this way. Holistic thinking is therefore a necessity for securing networks with a wide variety of computing devices, operating systems, security controls, datastores, and increasing integration of industrial control technology. However, this also means that autonomous pentesting alone is not enough. Solid patch management and long-term vulnerability management programs should be used in addition. Especially when pentesting and patch management go hand in hand, IT administrators can concentrate on issues that are proven to be exploitable.
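The "find, fix, and verify" workflow and the prioritization of proven-exploitable issues described above, as an added illustration that is not part of the original article or of any vendor's product: findings from a scanner are ranked so that weaknesses on a proven attack path come first, and a fix only counts as verified once a retest can no longer exploit the weakness. All hosts, weakness names and scores are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One weakness reported by a scanner and, optionally, confirmed by a pentest."""
    host: str
    weakness: str
    cvss: float                      # scanner severity only
    proven_exploitable: bool = False # pentest produced proof of exploitation
    on_attack_path: bool = False     # part of a chain that reached domain admin
    verified: bool = False           # retest after the fix could no longer exploit it


def prioritize(findings):
    """Rank work for IT staff: attack-path issues first, then other proven
    issues, and only then the remaining findings by raw CVSS score."""
    return sorted(
        findings,
        key=lambda f: (not f.on_attack_path, not f.proven_exploitable, -f.cvss),
    )


def retest(findings, still_exploited):
    """Verify step: `still_exploited` is the set of (host, weakness) pairs the
    retest could still exploit. Proven findings absent from that set are marked
    verified; findings never proven exploitable are left untouched, since a
    retest says nothing about them. Returns the proven findings still open."""
    still_open = []
    for f in findings:
        if not f.proven_exploitable:
            continue
        if (f.host, f.weakness) in still_exploited:
            f.verified = False
            still_open.append(f)
        else:
            f.verified = True
    return still_open


# Constructed sample findings (hypothetical hosts and scores).
SAMPLE = [
    Finding("web01", "outdated TLS configuration", 9.1),
    Finding("fileserver01", "reused local admin password", 7.5, True, True),
    Finding("wks-17", "credentials cached in memory", 6.0, True, False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f.host, f.weakness, "proven" if f.proven_exploitable else "unproven")
    print("still open:", [f.host for f in retest(SAMPLE, {("wks-17", "credentials cached in memory")})])
```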

A self-service platform for autonomous pentesting not only makes a significant contribution to greater security in all organizations, but also relieves the burden on professional pentesters, who can handle a higher volume of work and, above all, carry out predictable, regular tests with little setup effort. In other words, professional pentesters can initiate an autonomous pentest, let it run on its own, then use their time and expertise to interpret the results and develop a mitigation strategy that organizations can follow. This approach can also help to overcome the shortage of personnel in IT security and make their efforts more focused.

Mr. Rainer M. Richter, Vice President EMEA & APAC at Horizon3.ai
Rainer has over 35 years of executive, general and sales management experience in the IT & Telecom industry, focusing on cybersecurity, IoT security, security compliance and SaaS solutions. Since December 2021 he has been Vice President EMEA & APAC at Horizon3.ai. Horizon3.ai is a US-based company specializing in autonomous penetration testing solutions. Among other positions, Rainer was General Manager New Technologies EMEA & APAC at Nokia Internet Security Solutions, Director Central & Eastern Europe at SentinelOne, and a member of the Governance Board and of the Security Stream for the Zero Outage Industry Standard.