Review: ImmuniWeb offers true automated penetration testing

Its machine speed allows it to scale, while the human penetration testers ensure complete accuracy.


One of the best ways for organizations to get an idea of their network vulnerabilities is to hire penetration testers to come in and perform real attacks against their network, only without the added malicious payloads that most attacks entail. The military does this with their so-called red team exercises, and if the penetration testers are highly skilled or even ex-hackers, they can help you to learn a lot about where your network is most vulnerable.

There are two major problems with penetration testing, and one annoyance. In terms of problems, the first is that penetration testing is almost impossible to scale. Human testers can only go so quickly, and even in relatively long engagements where they might work for a week attacking a friendly network, they are only going to be able to access a small part of most enterprises. Second, because testers can’t work continuously, organizations are exposed to a lot of risk between tests. In terms of the annoyance, they are expensive, with the best testing teams costing upwards of $100,000 per engagement.

[Image: ImmuniWeb Test Request. Credit: John Breeden II / IDG]

The platform is automated, but because humans are watching over everything, users can request specific testing parameters, like no testing on Friday, or staying away from certain systems, and the human staff will configure ImmuniWeb accordingly.

The ImmuniWeb suite aims to be a sort of penetration testing platform that anyone can use and afford. It does this by automating almost all of the penetration testing, while keeping a staff of experts on hand all the time to help out if the platform gets stuck or encounters something new. As the humans fix the problem, the program watches what they do and uses machine learning to reprogram itself so it won’t get stuck again. Humans are also called in if ImmuniWeb encounters something that it suspects is a vulnerability but isn’t completely sure about. In that case, humans must either verify the vulnerability or reject it. High-Tech Bridge guarantees that no customer will ever receive a false positive from their testing. If they do, they get their money refunded.

Pricing is reasonable compared with hiring full teams of human penetration testers. Available as an on-demand service, a monthly subscription starts at $999.  

Testing ImmuniWeb

The installation process for the ImmuniWeb platform is almost non-existent. Potential customers visit the High-Tech Bridge website and answer a series of questions about their network and the types of testing they are interested in having performed. Users can then select a payment option and type out any specific requests for the test, such as not doing any testing on certain days, not testing against SQL, or whatever they need. Speaking to a live human is also an option, though we didn’t find it to be necessary during our testing.

[Image: ImmuniWeb Web Portal. Credit: John Breeden II / IDG]

Customers log into a portal to see how the testing is going, or alerts can be set up over various communication channels. This is the ongoing testing report for ImmuniWeb Continuous, which provides ongoing vulnerability monitoring.

The one thing that users must do on the backend to make the ImmuniWeb Continuous penetration testing work is to whitelist certain IP addresses that will be used to launch some of the probes and mock attacks. This will allow the testing to get through perimeter defenses like firewalls to probe the main network. Generally, organizations will need to whitelist about five IP addresses.

[Image: ImmuniWeb Reports. Credit: John Breeden II / IDG]

In addition to the portal, it’s easy to configure who gets alerts about problems that the ImmuniWeb platform discovers, and with what frequency.

ImmuniWeb Continuous can get started right away, or at least right away once the IPs have been cleared through perimeter defenses. Doing this will allow the platform to find and scan the bulk of most networks. However, like many organizations, our testbed has internal assets and applications that are not visible or accessible from the outside, or at least they are not supposed to be accessed that way. ImmuniWeb will find any internal assets that are accidentally exposed to the internet. However, for truly internal assets, a small Linux box needs to be installed or virtually installed inside the network. This acts as a simple agent, allowing scans of internal programs to be conducted, with the results sent back out and collected with the others. This is optional, but useful if internal vulnerabilities or threats are a concern.

[Image: ImmuniWeb Discovery. Credit: John Breeden II / IDG]

The ImmuniWeb Discovery program can help organizations untangle exactly what assets they own, and what they need to protect. A single use of the program is offered for free.

ImmuniWeb Continuous was able to find every public-facing asset on a test network, and then perform a series of vulnerability scans on them. Common criteria to test against like HIPAA, PCI and GDPR compliance are included alongside the standard vulnerability hunting engines. If a customer has a specific industry guideline or government regulation that needs to be tested against, it can be added without too much hassle.

[Image: ImmuniWeb OnDemand. Credit: John Breeden II / IDG]

ImmuniWeb provides an easy-to-use portal for configuring and setting up a test or testing contract.

In one instance during the testing, ImmuniWeb was not completely sure about a vulnerability. It was 70 percent sure that it had found something of concern, but that was not enough for the platform to make a definitive judgement. As such, the potential vulnerability did not make it into the report at first. Instead, the platform asked for human help. This entire backend process would normally be invisible to users, but we were able to see it during our tests. A human penetration tester got the request and ran some of their own testing, not only confirming the vulnerability but also training ImmuniWeb to recognize this kind of defensive deficiency in the future. Within a day, the vulnerability was confirmed and added to our overall report.

[Image: ImmuniWeb Report. Credit: John Breeden II / IDG]

Graphical reports can be generated in PDF format to share with C-suite executives or others who need an overview of current network vulnerabilities.

The bottom line

ImmuniWeb, and especially ImmuniWeb Continuous, are extremely robust vulnerability management tools that go well beyond what a simple vulnerability scanner could accomplish. ImmuniWeb offers true penetration testing in an automated format with human oversight the entire time. Its machine speed allows it to scale, while the humans ensure complete accuracy. It would be a good product for any organization that is interested in penetration testing without having to deal with the expenses or the inherent drawbacks of occasional human-powered penetration exercises.

Copyright © 2018 IDG Communications, Inc.
