The Value of Manual Penetration Testing - Beyond Automated Scans

Penetration Testing
by John Svazic/ on 12 Dec 2024

Cyber attackers must be creative to succeed. Given that about 2,200 cyber attacks occur every day, some of these attacks are bound to be completely novel.

Automated scanners cover known threats, but manual penetration testing is far more creative. That’s where the main value of manual penetration testing lies.

At EliteSec, we have extensive experience with both manual and automated penetration testing. We like to use a combination of both in our work, and you’ll soon find out why manual penetration testing is always a mainstay of our pen testing process.

What is Penetration Testing?

Penetration Testing is a set of assessments that cybersecurity professionals carry out to assess how vulnerable your organization is to a cyber attack. These assessments can be carried out manually, by a penetration tester, or they can be carried out using automatic tools.

The intent of a penetration test is for the penetration tester to find vulnerabilities in your systems the same way a hacker would. They do this with full permission from the organization and in doing so, they need to think in the same nefarious way that a hacker would.

Penetration testers use a variety of security practices

Manual Penetration Testing vs. Automated Penetration Testing

As pen testers, the main objection we get when suggesting manual penetration testing usually concerns cost. But organizations do themselves a disservice when they view the issue only from this perspective; it's rather superficial.

It’s best to forget the dichotomy and see automated penetration testing for what it actually is: a valuable part of any manual penetration testing strategy.

To help you understand what we mean, let’s first define the penetration testing process step by step.

Preliminary Reconnaissance

At this stage, the penetration tester collects data on your organization’s digital infrastructure to determine the scope of the test. They will need to spend a lot of time gathering intelligence to identify various avenues for attack.

Of course, the caveat is that there could be innumerable target software and attack vectors that require evaluation. Even a manual tester will employ tools to expedite the process. For instance, Maltego helps visually map the relationships between your organization’s public data to help you understand where your main attack vectors lie. This saves pen testers time on mapping out and accounting for all the different data.

However, just because that process is automated doesn't mean that all the tester's problems are solved. The tester still needs to strategize about what types of data are needed and think of new ways to gather data that hackers could potentially adopt.

Vulnerability Scanning

Vulnerability scanning is the process of poking around and probing at all your open ports and other vulnerabilities in your target software to get a thorough understanding of your security weaknesses. Usually, testers use automated vulnerability scans to carry this out. It’s not uncommon for this entire process to be carried out by software.

Vulnerability scanning comes in several forms, each with its own range of tools, including:

  • Network scanning
  • Web app scanning
  • Vulnerability assessments, which are more comprehensive.

Attaining Access

Once all the vulnerabilities are mapped out and the tester has the most extensive knowledge possible about your target system, they will begin to act like a hacker and try to breach your system. This is the third phase and at this point, automated tools are generally not as prominent.

However, there are some automations that serve a role as part of a larger set of tactics used to gain access to your software. For instance, there are password cracking tools, which are of course suited towards automation given the iterative nature of testing different passwords.

Furthermore, some tools carry out large chunks of the penetration process, known as exploitation frameworks. However, the drawback here is that this only exploits known vulnerabilities using methods that have already been invented. In the interest of preventing zero-day attacks from clever cyber hackers, a pen tester must manually come up with new attacks and stay abreast of the latest tactics if they want to put you in a position to repel such threats.

Escalating Access

As the role of a penetration tester is to stretch the limits of what is possible security-wise, the pen tester will attempt to escalate their privileges as soon as they get access to the target system. Hence, the pen tester will attempt to work their way to the most privileged permissions that only administrators would have access to. This mimics real-life scenarios where the hacker will attempt to gain enough privileges to obtain information from the target.

Escalation involves exploiting access control vulnerabilities

Like in the previous step, the use of automated tools is limited here. Once again, they rely only on known methods of obtaining information, which makes you vulnerable to novel attacks. One interesting automation that penetration testing teams can use here is credential-dumping tools. These extract credentials from a breached network including passwords, PIN codes, and other vital security information.

Analysis & Reporting

After the tester has completed all testing processes, it’s then time to produce a report on their findings. Once again, many of these automated exploitation tools come with reporting capabilities. But these tools typically lack the nuanced point of view unique to experienced pen testers. To get recommendations that fit your particular scenario, you’re better off asking for advice from a professional.

13 Reasons Why You Need Manual Penetration Testing

Now that you understand how automated pen testing tools are deployed alongside manual techniques over the course of a penetration test, let’s discuss why we prefer manual penetration testing to protect your security posture.

Benefit From Strategic Thinking

In most cases, penetration testers need to think like hackers if they are to successfully fend off a cyber attack. Naturally, this will require a degree of human intuition. Pen testers will usually spend part of the initial phases identifying complex attack chains that usually go unnoticed by automated tools.

Essentially, automated tools can recite tactics that already exist but have no creative capabilities. In fact, it's not uncommon for hackers to string together exploits based on several low-severity threats that automated tools marginalize. A human pen tester will have a much better understanding of your business logic and apps than any machine can, and this makes all the difference in uncovering obscure yet critical vulnerabilities.

Manual Is Dynamic

Most automated tools are just following a set script based on a list of preconditions. That doesn’t really prepare you for the dynamic threat environment most businesses face.

Manual pen testing allows the tester to make real-time decisions and adapt to circumstances that develop throughout the course of a test. Of course, pen testers do this to emulate the behaviour of an attacker who would likely adjust their strategy on the fly to see how far they can take the exploit.

Defend Against Social Engineering Attacks

Social Engineering attacks rely on exploiting human error and vulnerabilities rather than software vulnerabilities. In a social engineering hack, the attacker will use psychology-driven tactics to extract data from key people in your organization. Given that this includes a major human element, it’s very difficult to automate this process. And automating creativity? Impossible.

Phishing campaigns, involving the collection of data from your users via email, are the most common social engineering campaigns. A convincing email campaign that fools your users into giving out sensitive information can only be crafted with human insight.

Customization

With manual penetration testing, nearly everything is up for customization. You can modify standardized attacks to suit the threat environment or find novel strategies to bypass security controls. Once the pen tester develops a theory, they use their skills to put their theories to the test.

Better Edge Case Detection

Most edge cases go unnoticed by automated penetration testing tools. That's why it's much better to work with manual testers who can manoeuvre around rate limiting or input validation weaknesses.

Awareness of Business Context

An automated tool doesn’t understand the structure of your business. It can make diagnoses based on your security vulnerabilities, but it won’t be able to replace intimate knowledge of security controls or different business processes.

Test Temporal Security Flaws

To exploit a timing-based vulnerability, you need manual testing tactics. Most automated tools are deterministic, and thus have no ability to adapt to the patterns that system responses typically exhibit. Since automated penetration testing runs tests in a predictable sequence, it can never detect hidden windows of opportunity the way that a manual penetration tester can.

Business Process Abuse Scenarios

An interesting aspect of cybersecurity is that many hackers will attempt to abuse your systems by using them to the fullest. This means they use your functionality legitimately, but in ways that could compromise your security despite staying within the parameters you’ve outlined.

For example, a common eCommerce exploit involved attackers applying a 10% discount code at the same time as a 100% refund. These two processes would "race" together and cause a conflict where the attacker would actually get a 110% refund. This would be extremely profitable for an attacker if they deployed this tactic on an expensive item. So, a penetration tester needs to come up with schemes like this to push your systems to the limit.
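The discount/refund race above is a check-then-act defect: both requests read the same "remaining refundable" balance before either records a credit. The following is an added example, not code from the original post or from EliteSec; the Order model, the cent amounts, and the function names are constructed for illustration. It reproduces the over-refund deterministically (a barrier forces both threads past the check before either writes) and shows the fix: perform the check and the write under one per-order lock and cap every credit at the remaining balance.

```python
"""Discount/refund race (over-refund) and its atomic fix.

Added example, not from the original post. The order model, amounts and
function names are constructed for illustration.
"""
import threading
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Order:
    price_cents: int                                   # what the customer actually paid
    credits: list = field(default_factory=list)        # every credit issued (list.append is atomic in CPython)
    lock: threading.Lock = field(default_factory=threading.Lock)

    @property
    def refunded_cents(self) -> int:
        return sum(self.credits)


def credit_racy(order: Order, fraction: float,
                rendezvous: Optional[threading.Barrier] = None) -> int:
    """VULNERABLE: check-then-act with no lock.

    A 10% discount and a 100% refund both read the same remaining balance
    before either records a credit, so the credits add up to 110% of the
    price. The barrier only makes the interleaving deterministic for the
    demonstration; in production the same window is hit by timing.
    """
    remaining = order.price_cents - order.refunded_cents    # time of check
    credit = int(remaining * fraction)
    if rendezvous is not None:
        rendezvous.wait()                                    # both threads are now past the check
    order.credits.append(credit)                             # time of use
    return credit


def credit_safe(order: Order, fraction: float) -> int:
    """FIXED: check and write happen under one per-order lock, and the
    credit is capped at what is still refundable. Whichever request wins
    the lock, the total credited never exceeds the price."""
    with order.lock:
        remaining = order.price_cents - order.refunded_cents
        credit = min(int(remaining * fraction), remaining)
        order.credits.append(credit)
        return credit


def run_concurrently(target, *arg_tuples) -> None:
    """Start one thread per argument tuple and wait for all of them."""
    threads = [threading.Thread(target=target, args=args) for args in arg_tuples]
    for t in threads:
        t.start()
    for t in threads:
        t.join()


DISCOUNT = 0.10     # the 10% discount code from the scenario
FULL_REFUND = 1.0   # the 100% refund from the scenario


def demo_racy(price_cents: int = 10_000) -> int:
    """Total credited by the vulnerable path: 110% of the price."""
    order = Order(price_cents)
    barrier = threading.Barrier(2)
    run_concurrently(credit_racy, (order, DISCOUNT, barrier), (order, FULL_REFUND, barrier))
    return order.refunded_cents


def demo_safe(price_cents: int = 10_000) -> int:
    """Total credited by the fixed path: never more than the price."""
    order = Order(price_cents)
    run_concurrently(credit_safe, (order, DISCOUNT), (order, FULL_REFUND))
    return order.refunded_cents


if __name__ == "__main__":
    print("racy total credited:", demo_racy())   # 11000 on a 10000-cent order
    print("safe total credited:", demo_safe())   # 10000
```

In a real shop the equivalent of `order.lock` is a database-level guard such as a row lock or a conditional update that rejects a credit whose sum would exceed the amount paid; the point a tester probes for is whether the balance check and the write can be separated in time, which is exactly what an automated scanner cannot reason about from a single request.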

Manual Works Better for Mobile App Testing

The nature of mobile apps makes automated penetration testing tactics extremely difficult to apply to custom mobile apps. The complexities of data storage make a custom test far preferable to automated testing.

Mobile tests are required for maintaining robust cybersecurity

Cloud Configuration

A cloud configuration assessment is best conducted manually. A pen tester can find complex misconfigurations from service to service to see how permissions or interactions between services compromise your security.

API Security

Testing your API security requires a degree of nuance that automated testing tools can’t cover. Experienced pen testers and hackers are both aware of how to identify minor flaws in endpoint logic and stretch them into full-blown attacks. Worst of all, since they are still using the API in a legitimate (yet unintended) manner, these are some of the most underrated exploits.

Manual Code Review

Checking your code for vulnerabilities in application logic is typical of a penetration test. However, if you want the most thorough review possible, you need to involve a human who understands the nuance of security control enforcement and other areas of vulnerability.

Uncover Hidden Trust Relationships

So far, most of the justifications we’ve provided for manual penetration testing relate to nuance and detail.

However, there's a bigger picture aspect that we need to consider as pen testers as well. By seeing the bigger picture, we're able to uncover various trust relationships that go unnoticed. For instance, there are patterns in traffic and lateral pivot points that become detectable to cyber attackers over time, and the detection of such security issues is well beyond the scope of an automated test that relies merely on running a script.

Human Testers Provide Better Advice

At the end of a penetration test, an automated tool might provide generic advice based on how it categorized your particular situation. On the other hand, a manual pen tester can directly lay out a plan for how to remedy your security weaknesses. They'll work side by side with IT teams and the rest of your organization to train employees and implement security controls that counter your vulnerabilities.

Partner With EliteSec For Manual Penetration Testing

So far, there’s one main weakness to manual penetration testing that we’ve left unsaid:

A poorly conducted penetration test does more harm than good.

The quality of your manual penetration test is subject to the quality of the personnel.

Without experienced pen testers who have done their due diligence to understand particular organizational nuances, you might not gain any advantage over automated tools. What’s more, inexperienced testers might provide erroneous recommendations or a false sense of security.

Penetration testing isn't something you should delegate to your IT team; you should work with dedicated cybersecurity professionals like us at EliteSec. Sit down for a quick discussion about your security posture with us so we can help you understand the necessary scope for your next penetration test. Book an appointment to discuss penetration testing with us today!