We already know that the concept of thinking like a potential hacker is the basis of penetration testing. But merely thinking like a hacker is not enough. We must also act like a hacker. They do not simply rely on their own intuitive genius to breach the systems of target organisations. They use a combination of automated tools and human intelligence to deliver their devastating results. So we must emulate this approach to secure our own defences. It is not a question of man or machine; like the hackers we must use a synergy of both.
When the whole HBO Game of Thrones attack occurred last August Mr Smith of the so-called White Hat Hackers issued a statement which made the point that his organisation invested $400 – $500,000 dollars a year on purchasing automated exploit tools. They then used the information this provided to arm their human hackers with the information required to further develop and exploit the weaknesses they discovered.
So when we at SRM develop a penetration testing strategy we use both automated tools and manual testing to deliver the best results.
Automation has a vital role to play and lays the groundwork for the penetration test. No human can deliver the rapid results that an automated tool can. Imagine yourself in a virtual world. You are in a vast chamber with hundreds of thousands of doors. Malicious hackers can get into your system through a just a handful of these doors but which ones? To identify where the vulnerability lies you must test each and every door; a task which if done manually would be time-consuming and complex. This task can, however, be completed accurately and swiftly through an automated vulnerability scan. Developed by experienced penetration testers, it identifies where the potential vulnerabilities are, putting you are in a position to accurately deploy the next level of attack tool: penetration testing.
To take the analogy a step further, the penetration test, conducted by highly-trained and experienced individuals, then opens the doors that have been identified and explores deep into the underlying infrastructure to examine what is lurking behind them. At the most sophisticated level of penetration testing (Red Team engagement) we then turn that thought process on its head and also test the procedural, social and physical components to replicate the wider view of an attack. Using an adversarial mind set, we think like a motivated hacker and help to develop strategy and policy making which anticipates as yet unconsidered vulnerabilities.
To find out more about the synergy of automated and manual penetration testing, see our pre-recorded webinar in conjunction with AppCheck, our automated tool partner. In this 30 minute webinar which took place on 8th March, Andrew Linn of SRM and James Nelson of AppCheck explain how both man and machine have a role to play in a resilient defence strategy.
To log in to the webinar GDPR: the roles of manual and automated penetration testing, click here.
Or visit our blog:
Or see our website Test and Exercise pages.