Penetration testing has been a standard practice that security professionals use to determine the integrity of security systems. Also known as the “pen test”, this form of ethical hacking is an authorized cyberattack undertaken to test the reliability of established defenses and look for exploitable vulnerabilities.
The relevance of this method of security testing is dwindling due to the advent of more sophisticated approaches. In particular, the rise of automated penetration testing using breach and attack simulation (BAS) is making manual pen tests appear crude by comparison.
The basics of penetration testing
The National Cyber Security Center refers to penetration testing as a method used to examine the dependability of an IT system through attacks on all or some of the system’s security features, employing the same tools and techniques used by attackers. These tests can be a part of a full security audit, similar to the routine tests undertaken by banks and financial companies in compliance with the Payment Card Industry Security Standard (PCISS) for instance.
To conduct a pen test, a team identifies the systems to target, sets goals, then collects and reviews information to formulate a course of action to achieve the goals. The ultimate result of the test will determine whether a system is vulnerable to attacks. The pen test will also evaluate the sufficiency or insufficiency of defenses, and it will identify the areas of inadequacy.
In all of this, the key idea is that pen tests are done manually by security professionals.
Is pen testing obsolete?
In 2018, Gartner published an analysis piece stating that simple penetration testing has become outmoded. Using manual methodologies to search for vulnerabilities without threat behavior replication is no longer enough when dealing with advanced threats. A plain and straightforward hunt for vulnerabilities with basic parameters does not simulate the kind of cyberattacks that computers and networks are encountering at present.
Artificial intelligence, machine learning, and automation are already part of attackers’ arsenals. Thus, cyber threats have already evolved to a point where they can adapt and adjust using automation. Such technologies make persistent cybercriminals even more dangerous, so simple approaches to testing cyber defenses are not enough. This means that security professionals also need to keep up with the times.
New roles, paradigms, and automation processes
In addition to the evolving nature and increasing frequency of cyberattacks, simple pen testing is becoming less relevant because of the growing popularity of new paradigms, including automation and simulation. For instance, the concept of the “red team” approach involves continuous exercises that serve as alternatives to basic pen-testing.
Such high-quality exercises emulate the methods and approaches employed by real attackers. They also take threat behavior into account. This goes beyond technology (computers, networks, and devices). It also deals with people (staff, contractors, and business partners), as well as physical assets (data centers, buildings, warehouses, and substations), in determining vulnerabilities.
Breach and Attack Simulation, or BAS, is a relatively new approach in IT security. It is designed to conduct tests automatically and continuously. BAS makes it possible to conduct repeated simulations of full attack cycles with greater ease, speed, and consistency.
Moreover, BAS tools enable businesses to conduct security simulations without the need to have high levels of technical skill. BAS platforms provide the ability to initiate attack simulations with a few clicks, and reports about the outcomes can be generated more efficiently.
Both approaches have superseded simple penetration testing, with different levels of expertise needed.
The red team approach will require experienced and highly competent security professionals who come up with the most suitable red team engagement, scrutinize the security system, and develop ways to defeat it.
On the other hand, breach and attack simulation (BAS) is largely about continuously automating the penetration tests. BAS tools are used to perform scan-exploit-repeat cycles with a few clicks. BAS does not require more people to simulate the attacks. Advanced technical skills are not necessary for doing the simulations.
Does the simple pen test still have a place in security systems?
Depending on what an organization needs or prefers, the choice will have to be either red teaming or BAS. You may still consider vulnerability scanning, but simple and manual pen testing will be out of the question since more capable methods are available.
Some might raise the point that a full range of BAS tools might be impractical or expensive. This argument is easily countered by the availability of BAS tools on a software-as-a-service (SaaS) basis. Organizations don’t have to purchase and deploy BAS tools in their entirety. Essentially, they can just pay for them on an as-needed basis.
Automated penetration testing with BAS yields significantly better results than hiring pen testers. SaaS makes it more accessible, as it allows businesses to perform sophisticated automated tests on their own, without the need to install hardware or hire people.
Meanwhile, highly trained security experts playing the role of the red team will advance penetration testing to a more rigorous level of scrutiny. This can be especially relevant in the context of a data-rich environment since this approach will consider the possibility of bad actors, malicious insiders, or unwitting participants that endanger an organization’s system from within.
The takeaway
Simple and manual penetration testing has become inadequate in dealing with today’s more aggressive and rapidly evolving threat environment. Organizations need to elevate their security methods into something that replicates actual threat behavior and examines variations of potential attacks. This is where automated tools and continuous simulation will play a big part.