Testing the security of computer networks by trying to break into them, otherwise known as penetration testing, has been going on for nearly 50 years.
Most of the pen-testing techniques developed in the past few decades still work, but the scope of what's tested has broadened, with cloud systems and embedded devices now routinely targeted. Pen-testing tools have also become more automated and are starting to incorporate machine learning and artificial intelligence.
"As a pen tester, you're always looking for new ways, and more automated ways, to do things," says Jason Stockinger, Director of Global Information Security at Royal Caribbean Group, adding that automated tools are "super valuable."
Welcome to the machines
For example, the network-penetration tool Cobalt Strike can automatically plant backdoors and set up online command-and-control servers. The Social Engineer Toolkit crafts sophisticated phishing campaigns with the click of a mouse. Maltego scrapes social media to gather intelligence on a targeted company's staff. Even the end stages of a pen test can be automated with Dradis, which compiles the final report to present to the client.
"The vast majority of tools that are executed by penetration testers, or real threat actors, are going to implement some level of automation, whether it's managing social-engineering campaigns or collecting system information," says Scott Goodwin, a principal in the Cybersecurity and Privacy Advisory practice of consulting firm PKF O'Connor Davies LLP. "This is simply because it makes testing more efficient."
A penetration tool based on AI, PentestGPT, is already available on GitHub. Experts say usage of AI in pen testing will only grow.
"I think it's going to play a huge role," says Tom Nianios, Senior Security Engineer at Clone Systems. "It makes anyone capable of writing programs or scripts, or modifying data that's available, to compromise a specific network or bypass specific technologies and techniques."
Unfortunately, cybercriminals are also starting to use AI, kicking off an arms race that will make AI's adoption by pen testers inevitable.
"Among us security professionals, we are scared to death of artificial intelligence," says Stockinger. "But we need to be embracing it like the bad guys are embracing it. ... because the bad guys are going to be using this to attack us."
"My assumption is that we will have AI-driven penetration testing tools [that] are capable of identifying, exploiting, and reporting on known vulnerabilities in specific areas with relatively little human interaction," says Goodwin.
Obscured by clouds
The scope of many penetration tests now includes cloud instances and assets. But pen-testing the cloud isn't like on-premises pen testing, for both technical and legal reasons. Data may be randomly distributed across a cloud service provider's physical servers, making it hard to gain visibility into valuable assets, and the lines between a CSP's area of responsibility and those of its clients may be similarly hard to see.
"It is a new set of skills. And it is a new set of methodologies," says Nianios of cloud-based pen testing. "However, it's easier in my opinion because all the security controls that they had in place on-site, all these layers that they've added over the years, they don't exist over there [in the cloud]."
A pen tester should venture only into areas that are clearly the responsibility of the client. If a tester strays into areas that "belong" to the cloud service provider, that might constitute a violation of the client's service agreement.
Pen testers "really need to dig into the licensing and contractual agreements that that organization would have with the cloud provider," Stockinger explains. "For example, if you're doing infrastructure as a service, [the cloud provider] is not going to allow you to pen-test past a certain point. If you start probing that, it'll be a breach of contract."
Automated tools that probe cloud assets include Pacu for Amazon Web Services and AzureHound for Microsoft Azure. Both cloud providers also offer scanning tools for their clients.
Careful with that Alexa, Eugene
The proliferation of embedded Internet of Things or "smart" devices in offices provides another avenue of attack that needs to be pen-tested. Consumer-grade gadgets owned by employees might never be catalogued or updated by the IT staff.
Stockinger points out that he knows executives who have Amazon Alexa voice assistants in their offices, "but what they don't realize is that if that [Alexa] rides the same wireless network as the corporate network, that can create a bit of compromise for the network."
"If those things aren't kept up-to-date, or if they're not connected appropriately," he adds, "they can absolutely be an injection point for the bad guys."
Consider a smart TV in a conference room, especially one that's connected to a video-conferencing system. It wouldn't be hard for an office cleaner to stick a small USB device into the back of the TV that could record meetings.
"Who goes in the conference room and updates the smart TV?" asks Nianios. "No one's going to notice that for the next 20, 30 days until someone's going to go in there and figure out why it can't go to Netflix."
Stockinger says that for starters, IT teams need to put smart devices on less-sensitive network segments, but that may not be enough.
"If you're not separating and segmenting those IoT things out from your crown jewels, I think you're really missing the boat from a protection standpoint," he says. "You've got to look at access control around those, what they're doing with sessions, how they are exposed from a man-in-the-middle perspective."
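A defender-side check of the segmentation and patch-currency points raised above, as an added example that is not part of the article. It audits a constructed device inventory against a constructed segment plan (all hostnames, addresses, and the 30-day staleness threshold are assumptions for illustration) and flags IoT devices that share a segment with crown-jewel systems or have gone unpatched.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory (hypothetical, not from the article).
# Fields: hostname, IP address, device class, days since last firmware/OS update.
INVENTORY = [
    ("fileserver-01",    "10.10.1.5",  "crown_jewel", 3),
    ("hr-db-01",         "10.10.1.9",  "crown_jewel", 5),
    ("exec-alexa",       "10.10.1.77", "iot",         120),
    ("confroom-tv",      "10.10.1.80", "iot",         400),
    ("lobby-thermostat", "10.20.5.12", "iot",         10),
    ("guest-laptop",     "10.30.0.41", "user",        2),
]

# Constructed segment plan: which device classes each network may hold.
SEGMENTS = {
    "10.10.1.0/24": {"crown_jewel", "user"},  # corporate LAN
    "10.20.5.0/24": {"iot"},                  # IoT-only VLAN
    "10.30.0.0/24": {"user"},                 # guest / BYOD
}

STALE_DAYS = 30  # assumed threshold for "not kept up-to-date"

def segment_of(ip):
    """Return (cidr, allowed_classes) for the segment containing ip, or (None, set())."""
    addr = ipaddress.ip_address(ip)
    for cidr, allowed in SEGMENTS.items():
        if addr in ipaddress.ip_network(cidr):
            return cidr, allowed
    return None, set()

def audit(inventory):
    """Flag devices in a segment their class is not allowed in, and stale IoT gear."""
    findings = []
    for host, ip, cls, age in inventory:
        cidr, allowed = segment_of(ip)
        if cidr is None:
            findings.append((host, "unknown_segment"))
            continue
        if cls not in allowed:
            findings.append((host, f"{cls}_in_wrong_segment:{cidr}"))
        if cls == "iot" and age > STALE_DAYS:
            findings.append((host, f"stale_firmware:{age}d"))
    return findings

def iot_next_to_crown_jewels(inventory):
    """Map each segment holding both IoT and crown-jewel hosts to (iot_hosts, jewel_hosts)."""
    by_seg = defaultdict(lambda: defaultdict(list))
    for host, ip, cls, _ in inventory:
        by_seg[segment_of(ip)[0]][cls].append(host)
    return {seg: (d["iot"], d["crown_jewel"]) for seg, d in by_seg.items()
            if d["iot"] and d["crown_jewel"]}
```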