Mimicking a hacker with event-based AI
Having hackers do manual penetration testing has always been vital for companies’ digital security strategies. Ethical hackers take the same approach as a cybercriminal would to check for common vulnerabilities, like injection attacks or broken authentication, and then submit reports regarding the problems they have identified. Pre-emptive hacking is proactive security, as improvements can be made before a cybercriminal has the chance to infiltrate the system. The importance of hackers presents exciting possibilities: If you could automate part of a hacker’s workload, you could free up the time of security teams to do more challenging tasks.
Sadly, there are not enough hackers to keep up with increasing demand. The US National Initiative for Cybersecurity Education estimates that there were 3.12 million jobs in digital security unfilled in 2021. As a result, traditional techniques for tracking vulnerabilities often involve having to pick and choose which assets to test. The more assets there are to test, the more hackers, and thus money, a company has to spend. By automating parts of the hacker process, Hadrian preserves the hacker perspective while allowing for thorough, cost-effective testing.
A hacker’s approach to digital security is unique, in that it takes a top-down approach to infiltrate a system. Our Head of Hacking, Olivier Beg, emphasizes how a hacker’s perspective is different because they do not start with inside knowledge of your organization’s attack surface. “We use more offensive methodologies,” says Beg, who discusses how a hacker will link multiple assets together to find vulnerabilities. “We can use content discovery tools that are based on wordlists and fingerprints of known systems instead of using the insights that an organization already has. It gives us a different perspective.”
Hadrian’s infrastructure-level event-based approach to digital security mimics the behavior of a hacker, and thus frees up valuable time. In an event-based system, different modules are triggered in response to the previous event. Modules can include new insights, new tests, new data or new external threats. These modules run in parallel to each other and create subsequent events which in turn propagate more modules. For example, an event can be as simple as looking at a company’s website and noting which type and version of the software is used. This discovery event would trigger a module that would look up any known vulnerabilities for that software and all previous versions. Any vulnerabilities found would trigger a new event that would attempt to exploit these vulnerabilities and notify our customers of their existence.
Like a hacker, Hadrian conducts its event-based testing at the infrastructure level, meaning that instead of focusing on one asset, Hadrian can perform cross-asset testing. Cross-asset testing means that triggering an event on one asset can result in a test on another asset. For instance, one test might find an environment that has information like the credentials to a company’s database. On their own, these credentials are not a highly critical vulnerability. However, based on a previous test, Hadrian may have also found a database that these credentials allow us to authenticate to. In combination with the credentials, Hadrian has now identified a potential data leak. In contrast, traditional pentesting would have only been able to test one asset. More tests would have meant more hackers, and a higher cost to the company. Navigating the company’s environment like a hacker would, Hadrian performs cross-asset tests in a way that saves hackers valuable time.
Hadrian's cross-asset testing
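The event chain and the cross-asset correlation described above, as an added Python example (not Hadrian's code). The event names, module functions, hostnames and advisory id are constructed for illustration, and modules run one after another here, whereas the article describes them running in parallel.

```python
from collections import deque

# Constructed advisory table: product -> (first fixed version, placeholder id).
ADVISORIES = {"examplecms": ((2, 4, 0), "ADVISORY-PLACEHOLDER-1")}

class Pipeline:
    def __init__(self, modules):
        self.modules = modules              # event type -> modules it triggers
        self.queue, self.findings = deque(), []
        self.creds = {}                     # db host -> asset that exposed its credentials
        self.databases = set()              # db hosts observed as reachable

    def emit(self, kind, **data):
        self.queue.append((kind, data))

    def run(self):
        # Each processed event may emit follow-up events until the queue drains.
        while self.queue:
            kind, data = self.queue.popleft()
            for module in self.modules.get(kind, []):
                module(self, data)
        return self.findings

def lookup_known_issues(p, ev):
    fixed, advisory = ADVISORIES.get(ev["product"], (None, None))
    if fixed and tuple(map(int, ev["version"].split("."))) < fixed:
        p.emit("finding", severity="high", asset=ev["asset"], detail=advisory)

def remember_credentials(p, ev):
    p.creds[ev["db_host"]] = ev["asset"]
    correlate(p, ev["db_host"])

def remember_database(p, ev):
    p.databases.add(ev["asset"])
    correlate(p, ev["asset"])

def correlate(p, db_host):
    # Cross-asset step: neither fact alone is critical, the pair is.
    if db_host in p.creds and db_host in p.databases:
        p.emit("finding", severity="critical", asset=db_host,
               detail=f"credentials exposed on {p.creds[db_host]}")

MODULES = {
    "software_detected": [lookup_known_issues],
    "credentials_found": [remember_credentials],
    "database_found": [remember_database],
    "finding": [lambda p, ev: p.findings.append(ev)],
}
```

Emitting `credentials_found` for one asset produces no finding until a `database_found` event for the referenced host arrives, in either order.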
Tijl van Vliet, Chief Technology Officer (CTO) at Hadrian, highlights how Hadrian works to complement rather than compete with existing hacker talent: “We help hackers with the known technology exploits, so hackers can focus on finding business logic exploits and new bugs.” While Hadrian checks for known breach methods, a hacker can check for a bug that is client-specific. For white-hat hackers, having the time to delve into these business logic exploits is extremely important, as it allows them to really consider the unique differences of an organization’s attack surface. Beg: “Think about a vulnerability that discloses a user’s email address. For some organizations that’s a security risk, but for others it’s a feature.”
Beyond saving hackers time, Hadrian has major benefits for companies in terms of providing continuous security validation. As the technology is completely autonomous, tests can be run more frequently. It wouldn’t make sense for a hacker to manually rerun a test every three hours, but Hadrian can. At Hadrian, we allow our customers to have more control over when they run these tests. Autonomy in choosing when to test makes Hadrian less intrusive than other pen-testing technology, as testing is only triggered based on relevant events.
Hacking talent is important to a digital security testing process that is comprehensive and proactive. A hacker’s unique approach to digital security allows them to start testing without any prior knowledge of the organization. As criminals increasingly use automation in attacks, the low supply of hacker talent will become even more pressing. It will take creative solutions like event-based AI to fill the gap with agentless zero-trust solutions that save organizations and hackers time and money.