Part of Solutions Review’s Premium Content Series – a collection of columns written by industry experts in maturing software categories – Eric Fredrickson, Head of Attack Engineering at Horizon3.ai, shares his insights on how the future of penetration testing can better support an enterprise’s security efforts.
I spent years of my career as a pentester (penetration tester), a role in which I helped organizations identify security vulnerabilities by exploiting them in a controlled environment. I enjoyed the work. It’s fun to be on offense: I was tasked with finding a way to exploit a network while the defenders tried to protect everything. My clients also had good defensive teams, so when I found and exploited weaknesses, I was competing against some of the best.
The problem with traditional pentests is that they are time-consuming manual processes. Here is a simple overview of some of the steps involved in preparing for and launching a penetration test:
- Prepare the test environment by gathering the relevant technical contacts the tester may need to communicate with.
- Notify key IT personnel of the plan to ensure they know the business is not facing an actual attack when testing begins.
- Define the scope of the test and ensure that the tester has the appropriate permissions to perform it.
- Since pentests sometimes cause problems in the IT environment, you need IT staff to be on standby.
Overall, organizations should allow one to two weeks of preparation time before testing.
The time it takes to complete the test itself depends on the organization. If a pentester has enough time, they can cover more of the IT environment and spend time on more sophisticated attacks. A full pentest can take two to three weeks, plus a week to write up the results and recommendations. That adds up to four to six weeks to complete a pentest for just one portion of an organization’s environment, assuming the provider is available. If you want a follow-up pentest to validate that the findings were remediated, the clock starts over.
But it’s not just time that these tests consume; they also require money. Skilled pentesters are in high demand and charge a lot for their services. The pentest described above can easily cost between $15,000 and $50,000 (for part of the target computing environment). Few organizations have the budget to scale pentests across their entire environment, or to run them with the frequency required to keep the network secure as new systems, users, and applications are updated or added.
All of this leads organizations to use pentests sparingly, usually a few times a year. Unfortunately, with the threat landscape evolving at its current pace, a secure network today could open the door to attackers tomorrow due to stolen credentials, poorly executed software updates, misconfigurations, or newly disclosed vulnerabilities. Waiting three to six months between pentests can leave an organization vulnerable to simple attacks.
As a (former) pentester, I believe things have to change. Here are some of the things the pentesting field needs to improve.
Organizations cannot afford to leave their environment at risk for months at a time. More frequent pentests will not eliminate the risk of breaches, but they will improve network security. According to the NIST Cyber Security Framework (CSF), organizations should verify through systematic auditing and assessment that vulnerabilities have actually been remediated after systems are updated or patches are deployed. Unfortunately, even the largest organizations cannot afford to hire enough staff or consultants to perform daily or weekly manual pentests.
This means we need “on-demand” pentests that don’t require weeks of preparation. For example, organizations should be able to perform testing after every software update, even when vulnerability scanners and patch management systems show the security updates were successful.
Cost reduction (without sacrificing quality)
Traditional pentests are expensive. By some estimates, organizations around the world spent $1.6 billion on pentests in 2021, a figure that could exceed $3 billion within several years. Most organizations cannot afford to run traditional pentests as often as needed.
High-quality pentests should be within reach of all organizations. For this to be possible, the cost must be reduced by a factor of 10 or more, so that companies can perform pentests when they need to, not when they can afford to.
Manual pentests require highly skilled professionals, and the shortage of cybersecurity talent at all levels is significant and growing. Worldwide, there are between 3.5 million and 4 million unfilled jobs in cybersecurity. This is unlikely to improve anytime soon, as help from universities is not on the way. So what do we do? One solution is to remove the human bottleneck for most pentests. They should be “self-service” and available at the click of a mouse, so IT and security professionals can run one when they need one, not when they can schedule one.
This means real pentests that deliver the same results as trained professionals, not day-long “point-and-click” pentests performed by interns using pre-built scripts. They must simulate real-world attack techniques and chain together exploitable vulnerabilities, misconfigurations, harvested credentials, and dangerous product flaws to compromise a network.
High-frequency, low-cost stand-alone pentests
It’s a lot to ask, but standalone, on-demand pentests can change the way organizations defend against a growing threat landscape, allowing tests to be run weekly instead of several times a year. This will reduce the time that organizations are vulnerable to new attack patterns, verify their existing security controls, and ensure that system patches address the weaknesses they target without introducing new ones.
However, the skills of professional pentesters will still be needed. Smart humans always add value, and critical systems and high-risk environments warrant manual testing. Even in these situations, automated, standalone pentesting can help with reconnaissance and cover a larger portion of the system under test. More importantly, standalone pentesting brings pentesting, and greater security, to the masses.