One of the more common questions we at ZeroDayLab are asked is what we see as the benefits of a manual penetration testing approach versus automated solutions and vulnerability scanning, and how best to leverage the two to drive meaningful improvement in an organisation's security posture. The terms are often used interchangeably, and while both are essential parts of a mature information security program, the two are completely different in terms of expected results and benefits.
Vulnerability scanning refers to the use of automated scanners such as Nessus, Nexpose, and a plethora of other tools to scan systems in an attempt to identify known vulnerabilities which may be present on those systems. Additionally, many scanners exist which are tailored specifically for application security and attempt to identify common appsec-related vulnerabilities such as SQL Injection, Cross-Site Scripting (XSS), XML External Entity Injection (XXE), and many others, but they are ultimately unable to exploit these same vulnerabilities to provide a real-world understanding of what is at stake.
Although vulnerability scanning solutions have come a long way in the last few years, they are still overly prone to false positives. Their output can be misleading, confusing, and time-consuming for employees who are unsure how to validate the findings, and who may struggle to understand the true risk and business impact of the identified vulnerabilities on the organisation well enough to prioritise remediation steps effectively.
Vulnerability scanning, when used as part of a continual process within an information security program, can make great strides towards eliminating low-hanging fruit and vulnerabilities which are easy to discover and exploit, and can even help a company meet compliance requirements. Many companies run mature vulnerability assessments internally, where scans are performed on a monthly, bi-monthly, or quarterly basis, as part of infrastructure upgrades or migrations, and prior to major releases in the development life cycle. This is a crucial element of any mature security program and is a fast and efficient way to establish and maintain a baseline of security controls.
That being said, automated vulnerability scanning solutions lack the ability to report on discovered vulnerabilities in a meaningful way: the reported severity of a vulnerability is often not representative of its true severity, and crucial information such as vulnerability details, reproduction steps, and remediation steps is often extremely difficult to understand or translate into a practical plan of action.
Manual penetration testing, on the other hand, employs a more hands-on approach which more closely emulates real-world attack scenarios. It is intended to identify logic flaws and vulnerabilities which pose a more significant threat to a company by highlighting the true business impact of discovered vulnerabilities on the company's business model. Unlike vulnerability assessments, which are typically one-dimensional, penetration testing typically consists of five core phases:
· Reconnaissance and Information Gathering
· Discovery and Enumeration
· Exploitation
· Post Exploitation
· Analysis and Reporting
One of the major benefits of manual penetration testing is that it allows for a more in-depth review of network infrastructure and applications, and allows a company to more easily understand not only the risk, but how to more effectively prioritise and remediate discovered vulnerabilities. Another significant advantage of penetration testing is that during an assessment a penetration tester can often use pieces of information that automated scanners are unable to process and understand, such as error messages and anomalous behaviour, and can identify ways in which normally lower-risk vulnerabilities can be chained together to create a significantly more dangerous attack path.
Potentially the most significant benefit of a manual penetration test, though, lies in what happens after a vulnerability is discovered. Post exploitation is in many cases where the real value of a penetration test exists, and is where a penetration tester can assess the true risk associated with a compromise. Can an attacker escalate privileges? Can an attacker use a compromised web application or system to pivot further into the network? Can an attacker leverage a vulnerability or misconfiguration to exfiltrate sensitive data? Can an attacker deface a website or otherwise cause a denial of service that would prevent end users from utilising the service and cause significant financial loss to the company?
Finally, penetration testing reports are much more granular and specific than the output generated by automated tools. They are crucial to driving effective remediation of discovered vulnerabilities and to helping management as well as technical staff understand what is at risk, and what steps can be taken to lessen or eliminate that risk entirely.
Penetration testing and vulnerability assessments should work together and in stages to provide the best benefit to a company and help it move up the information security maturity curve. Companies should perform vulnerability assessments early and often, not only to establish a baseline of the company's overall security posture, but to build a roadmap for how to strengthen that security posture over time; this is the first step in the development of a mature security program. Penetration testing is most efficient and valuable when an organisation's security posture is already relatively strong, and similarly should be performed regularly to cover the gaps missed by vulnerability assessments. Together, they help to identify key areas of concern and the steps necessary to further elevate an organisation's overall security posture and to continually progress up the security maturity curve.