Automated Penetration Testing: Formalization and Realization

TL;DR

This paper formalizes the penetration testing problem at the architectural level and proposes an automated system, ADAPT, capable of performing effective penetration tests on real systems, addressing the shortage of skilled cybersecurity experts.

Contribution

It introduces a formal architectural framework for automating penetration testing and implements it in the ADAPT tool for practical application.

Findings

Successfully automated penetration tests on Metasploitable2 and 3

Demonstrated feasibility in a realistic virtual lab environment

Addresses automation to mitigate cybersecurity skill shortages

Abstract

Recent changes in standards and regulations, driven by the increasing importance of software systems in meeting societal needs, mandate increased security testing of software systems. Penetration testing has been shown to be a reliable method to asses software system security. However, manual penetration testing is labor-intensive and requires highly skilled practitioners. Given the shortage of cybersecurity experts and current societal needs, increasing the degree of automation involved in penetration testing can aid in fulfilling the demands for increased security testing. In this work, we formally express the penetration testing problem at the architectural level and suggest a general self-organizing architecture that can be instantiated to automate penetration testing of real systems. We further describe and implement a specialization of the architecture in the ADAPT tool, targeting systems composed of hosts and services. We evaluate and demonstrate the feasibility of ADAPT by automatically performing penetration tests with success against: Metasploitable2, Metasploitable3, and a realistic virtual network used as a lab environment for penetration tester training.