Tuesday 17 July 2018

Manual Pen Testing vs. Automated Scanning

One of the more common questions we at ZeroDayLab are asked is what we see as the benefits of manual penetration testing versus automated solutions and vulnerability scanning, and how best to combine the two to drive meaningful improvement in an organisation's security posture. The terms are often used interchangeably, and while both are essential parts of a mature information security program, the two differ completely in their expected results and benefits.

Vulnerability scanning refers to the use of automated scanners such as Nessus, Nexpose, and a plethora of other tools to scan systems in an attempt to identify known vulnerabilities that may be present on them. Many scanners also exist that are tailored specifically to application security and attempt to identify common appsec-related vulnerabilities such as SQL Injection, Cross-Site Scripting (XSS), and XML External Entity Injection (XXE), among many others; they are, however, ultimately unable to exploit those same vulnerabilities to provide a real-world understanding of what is at stake.

Although vulnerability scanning solutions have come a long way in the last few years, they are still overly prone to false positives. Their output can be misleading, confusing, and time consuming for employees who are unsure how to validate the findings, and who may struggle to understand the true risk and business impact of identified vulnerabilities on an organisation, and therefore to prioritise remediation effectively.

Vulnerability scanning, when used as part of a continual process within an information security program, can make great strides towards eliminating low-hanging fruit: vulnerabilities that are easy to discover and exploit. It can even help a company meet compliance requirements. Many companies run mature vulnerability assessment programs internally, with scans performed on a monthly, bi-monthly, or quarterly basis, as part of infrastructure upgrades or migrations, and prior to major releases in the development life cycle. This is a crucial element of any mature security program and a fast, efficient way to establish and maintain a baseline of security controls.

That being said, automated vulnerability scanning solutions lack the ability to report on discovered vulnerabilities in a meaningful way: the severity assigned to a vulnerability is often not representative of its true severity, and crucial information such as vulnerability details, reproduction steps, and remediation steps is often extremely difficult to understand or to translate into a meaningful plan of action.

Manual penetration testing, on the other hand, employs a more hands-on approach that more closely emulates real-world attack scenarios. It is intended to identify logic flaws and vulnerabilities that pose a more significant threat to a company, and it highlights the true business impact of discovered vulnerabilities on the company's business model. Unlike vulnerability assessments, which are typically one-dimensional, penetration testing typically consists of 5 core phases:

· Reconnaissance and Information Gathering
· Discovery and Enumeration
· Exploitation
· Post Exploitation
· Analysis and Reporting

One of the major benefits of manual penetration testing is that it allows for a more in-depth review of network infrastructure and applications, and allows a company to understand not only the risk but also how to prioritise and remediate discovered vulnerabilities more effectively. Another significant advantage is that during an assessment a penetration tester can often use pieces of information that automated scanners are unable to process and understand, such as error messages and anomalous behaviour, and can identify ways in which normally lower-risk vulnerabilities can be combined into a significantly more dangerous attack chain.

Potentially the most significant benefit of a manual penetration test, though, lies in what happens after a vulnerability is discovered. Post exploitation is in many cases where the real value of a penetration test lies, and is where a penetration tester can assess the true risk associated with a compromise. Can an attacker escalate privileges? Can an attacker use a compromised web application or system to pivot further into the network? Can an attacker leverage a vulnerability or misconfiguration to exfiltrate sensitive data? Can an attacker deface a website or otherwise cause a denial of service that would prevent end users from using the service and cause significant financial loss to the company?

Finally, penetration testing reports are much more granular and specific than the output generated by automated tools, and are crucial to driving effective remediation of discovered vulnerabilities and to helping management as well as technical staff understand what is at risk and what steps can be taken to lessen or eliminate that risk.

Penetration testing and vulnerability assessments should work together, and in stages, to provide the greatest benefit to a company and help it move up the information security maturity curve. Companies should perform vulnerability assessments early and often, not only to establish a baseline of the company's overall security posture but also to build a road-map for strengthening that posture over time; this is the first step in developing a mature security program. Penetration testing is most efficient and valuable when an organisation's security posture is already relatively strong, and it should similarly be performed regularly to cover the gaps missed by vulnerability assessments. It helps to identify key areas of concern and the steps necessary to further elevate an organisation's overall security posture and to continually progress up the security maturity curve.