Nothing can replace a manual security assessment, especially if you are defending against highly targeted attacks or advanced persistent threats (APTs). However, the majority of attacks are untargeted, trying to exploit or brute force servers on a large scale with minimal effort and minimal risk. So why are penetration testers still mostly testing by hand, especially if they are overworked and companies are having trouble hiring skilled people?
According to the Verizon business report, 67% of data breaches involved low or very low difficulty for the initial compromise. Just to drive the point home, here is how the report classifies low difficulty: “Basic methods, no customization, and/or low resources required. Automated tools and scripts.” In other words, no human interaction was required to get into 67% of the companies breached. That's a lot of low-hanging fruit that is easy to protect against. The best part: you won't even have to stay late because, like the attackers, you can automate the entire process.
Slicing the data further, 81% of breaches involved some sort of hacking, which is up 31% from last year. In that category, the top three threat action types were:
- Exploitation of default or guessable credentials (44%)
- Use of stolen login credentials (32%)
- Brute force and dictionary attacks (23%)
As of version 4.3, which was released today, Metasploit Pro can automate looking for these attack vectors.
For example, you could run the following tasks every weekend:
- Scan the network, either with Metasploit Pro's discovery scan or with the Nexpose vulnerability scanner (both new scans and site imports are supported). This will also discover all new, unauthorized, and BYOD devices on your network.
- Try to exploit all vulnerable hosts. Collect passwords and password hashes on machines that are exploitable.
- Try default and guessable passwords on all hosts. Collect passwords and password hashes on machines with weak passwords.
- Have the report emailed to you.
Because automated tests can be carried out with a higher frequency at no additional cost, they uncover threats more quickly than manual security assessments, which typically are few and far between. Finding this low-hanging fruit early is important because attackers can likewise automate the process. In addition, regularly scheduled simulated attacks can test security controls, such as IDS and SIEM systems, to verify that they correctly alert.
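One way to turn the IDS/SIEM check described above into an automated pass/fail after each scheduled run, as an added example that is not code from the original post or from Metasploit Pro: it assumes the run's source address and time window are known from the schedule, a pipe-separated alert export (constructed here), and one expected rule name per phase of the run.

```python
from datetime import datetime

# Constructed SIEM alert export for this example: "timestamp|source_ip|rule".
# The pipe-separated format is an assumption, not any product's real output.
SAMPLE_ALERTS = """\
2012-06-02T02:05:10|10.0.0.5|portscan_detected
2012-06-02T02:41:33|10.0.0.5|ssh_bruteforce
2012-06-02T03:12:00|10.0.0.77|ssh_bruteforce
2012-06-01T23:59:59|10.0.0.5|exploit_attempt
"""

# One alert the IDS/SIEM is expected to raise for each phase of the scheduled run
# (discovery scan, exploitation, default/guessable credential testing). Assumed names.
EXPECTED_RULES = ("portscan_detected", "exploit_attempt", "ssh_bruteforce")


def parse_alerts(text):
    """Parse the export into (timestamp, source_ip, rule) tuples, skipping blank lines."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, rule = line.split("|", 2)
        alerts.append((datetime.fromisoformat(ts), src, rule))
    return alerts


def in_window(alerts, start, end):
    """Alerts whose timestamp falls inside the run window (ISO strings, inclusive)."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [a for a in alerts if lo <= a[0] <= hi]


def missing_detections(alerts, scanner_ip, start, end, expected=EXPECTED_RULES):
    """Expected rules that never fired for the scanner during the window.
    Anything returned here is a detection gap to fix before the next run."""
    fired = {rule for _, src, rule in in_window(alerts, start, end) if src == scanner_ip}
    return sorted(set(expected) - fired)


def other_sources(alerts, scanner_ip, start, end):
    """Source IPs other than the scanner that raised alerts during the window.
    These must not be written off as test noise: they may be a real attack."""
    return sorted({src for _, src, _ in in_window(alerts, start, end) if src != scanner_ip})


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    window = ("2012-06-02T02:00:00", "2012-06-02T08:00:00")
    print("missing:", missing_detections(alerts, "10.0.0.5", *window))  # ['exploit_attempt']
    print("other sources:", other_sources(alerts, "10.0.0.5", *window))  # ['10.0.0.77']
```

The exploit-phase alert in the sample lands before the window opened, so it is reported as a gap even though the rule exists; the brute-force alert from a second host inside the window is surfaced separately rather than silently discarded.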
Generally speaking, automated security assessments can adversely affect a production environment. This is why Metasploit's smart exploitation is by default configured to only use exploits that have been rated as reliable by our quality assurance. And remember – manual tests also carry the potential of human error.
While automated security assessments raise your overall security baseline against the average automated attack, they are no substitute if you also expect to be the target of APT-style attacks, where the attacker is strategically planning the attack and able to leverage his or her intellect. Getting the basics out of the way with automated testing also makes ethical hacking more interesting because the attack scenarios start at a more sophisticated level. However, automation can only supplement existing penetration tests and help companies do more with the limited number of skilled penetration testers they employ, especially in times when skilled penetration testers are hard to find.
To try out the new automation features, download a free Metasploit Pro trial today.