Penetration testing is a complex process that requires attention to detail, multi-tasking, patience, and extensive knowledge of different attack vectors, available vulnerabilities and exploits. Recently erayymz, Senior Product Manager at Rapid7, spoke with pen testing professionals Leon Johnson, Senior Consultant at Rapid7, and Dustin Heywood, Manager of Security Assurance at ATB Financial. They discussed how to take advantage of automation with Metasploit Pro to simplify penetration testing processes in the webcast "Escalate your Efficiency: How to Save Time on Penetration Testing". Read on for the top 3 takeaways from their technical, in-depth conversation:
1) Metasploit is to a Pen Tester as a Scalpel is to a Surgeon – Not using automation for penetration testing is akin to a surgeon performing surgery without using tools. Historically, pen testing was a step-by-step approach, with the ever-increasing attack surface adding more steps all the time. It is immeasurably more difficult and time-consuming to keep your security strong when bogged down by the repetitive tasks required by penetration testing. Metasploit Pro makes it possible for security professionals to get extremely repetitive and labor-intensive tasks done with just a few clicks, enabling users to spend more time on customized solutions, targeted pen tests, or any other project on their plate that will ensure greater security for their organization.
2) Credential Security Flaws can be Confronted – Credentials continue to be the #1 attack vector when it comes to compromising networks. With this in mind, the Metasploit team has added a credentials management system to the Pro edition of Metasploit. Features like the Credentials Domino MetaModule and simplified bruteforcing provide huge time-savings and improved security visibility for penetration testers so that credentials are no longer an unmanageable blind spot. (These features are demo'd in the webcast - check it out now.)
3) Compliance is but a framework to build upon – Requirements in frameworks like PCI and HIPAA provide a minimum standard checklist for organizations. Truly strong security depends on the strength and ability of a penetration tester who gets to go off script and check out possible weaknesses in networks and infrastructures beyond what regulatory guidelines cover. Tools like Metasploit Pro take away the busy legwork in the process, allowing penetration testers to get the job done more thoroughly and quickly.
The juiciest parts of the webcast were the Q&A with the live audience and getting to dive into the product to see how Metasploit Pro gets tasks like credential management, bruteforcing, AV evasion, VPN pivoting, and task chains done in a few simple clicks. To experience the full broadcast: view the on-demand webcast now.