How Artificial Intelligence Will Drive the Future of Penetration Testing in IT Security
By Esteban Farao, ERMProtect, Director of IT Security Consulting
When we talk about proactively testing our environment or applications to detect vulnerabilities before a hacker can find them, we are talking about performing penetration testing or “ethical hacking” exercises. This concept has been around for quite a while. When you are trying to look for deficiencies in processes and controls by conducting simulations or false attacks, you are actually doing a penetration test.
Evolution of Pentesting
Over time, the penetration testing practice has evolved from being a completely manual and tedious process that only a few people knew how to do to a more automated and highly propagated process. This evolution goes hand in hand with the evolution of technology. Download our guide to penetration testing here.
In the beginning, most processes were done manually with some computers, so performing manual penetration tests was quite effective. Then, the proliferation of computers and the automation of processes forced penetration testers to automate their tools to cover more ground in a short time, making the detection of vulnerabilities faster.
Now, we are at the point where companies have different kinds of technologies and hundreds of thousands of IP addresses, making it more difficult for pen testers to check everything in a reasonable time with exact results. This is why the use of artificial intelligence (AI) and machine learning (ML) has started to help pen testers overcome these obstacles.
Artificial intelligence refers to the ability of a machine to perform tasks simulating human intelligence. A subset of artificial intelligence is machine learning, which refers to the concept that a system can learn and adapt without following explicit instructions but instead use algorithms and statistical models to analyze data and make conclusions.
Using AI in Penetration Tests
So how can AI and ML help in penetration testing? Well, let’s analyze the different phases in a normal penetration testing assessment and determine where AI and ML can be used. There are several well- known methodologies and standards that can be used to perform penetration tests such as OSSTMM (Open Source Security Testing Methodology Manual), OWASP (Open Web Application Security Project), NIST (National Institute of Standards and Technology), PTES (Penetration Testing Methodologies and Standards), ISSAF (Information System Security Assessment Framework). But for this specific article and to simplify the analysis, we will be focus on the use of Artificial Intelligence and Machine Learning in the following four phases of penetration testing:
- Information Gathering and Reconnaissance – During this phase of pen testing, we try to gather as much information as possible about our targets by collecting information from publicly accessible sources to discover the ports and services that are open. At the end of this phase, we will have a dossier of our targets including information such as domains names, target hosts, services enabled, technologies in place, employees’ names, employees’ emails, physical locations, pictures of the physical locations, potential usernames and passwords, etc.
AI and ML can help the pen tester to not only gather all the information automatically but also analyze it and determine different courses of action. For example, it can determine the best social engineering attack to deploy based on the information collected (social engineering is the use of deception to manipulate people into disclosing confidential or personal information that can be used for fraudulent purposes). Or it could be used to identify the target hosts that should be attacked first since there is more probability of success.
- Vulnerability Assessment / Scanning – During this phase of penetration testing, we perform more in-depth vulnerability scans trying to determine all the potential vulnerabilities that the targets could have. Here, AI and ML could help the pen tester understand the results of the scans by analyzing them and removing everything that is not applicable or generates noise, taking into consideration information gathered from the previous phase combined with threat intelligence from sources such as social media, open records, the deep web, the dark web etc. Also, AI and ML can help determine the best course of action for the attack phase by correlating all gathered information and knowledge.
- Exploitation - This is the phase of pen testing where we put into action everything that was planned before. Here, we try, among other things, to gain access to the systems, perform lateral movements, escalate privileges, gather more information, and maintain persistent access. As I mentioned before, AI and ML can assist by determining the best course of action to penetrate a target, but they also can perform the exploitation simultaneously. The results of these exploitations can be fed back to the AI model, allowing it to generate exploitation alternatives or new exploitation pathways not considered before.
There are already open-source tools in the market that combine the execution of the first three phases of this methodology such as Deep Exploit (https://github.com/13o-bbr-bbq/machine_learning_security/wiki). This is a fully automated penetration testing tool that uses machine learning to not only enhance the information-gathering phase but also to exploit the vulnerabilities.
- Reporting – During this phase, a report with detailed information about the issues found, the risk implications, and recommendations is prepared and delivered to the penetration testing client. AI and ML can enhance the reporting process by analyzing the data obtained during the assessment and combining it with threat intelligence and the knowledge acquired in previous engagements to generate actionable insights specific for the organization under review.
The future of penetration testing lies in using AI to make results more accurate and evaluations more efficient. But it is also important to understand that pen testers still must use their experience and knowledge to ultimately decide what is the best course of action to perform the assessment. Learn more about our penetration testing services here.
Get a curated briefing of the week's biggest cyber news every Friday.