Review: XM Cyber HaXM makes automated penetration testing more accessible, reliable

HaXM is the next logical evolution of automated pentesting programs. Not only does it offer continuous scanning that is easy to configure, it also provides advice to help fix problems.

Enterprise networks are amazingly complex these days, to the point where one misconfiguration can potentially expose an entire organization to dangerous vulnerabilities and attacks. To find those problems before an attacker does, cybersecurity teams traditionally conduct so-called red team exercises, in which trained attackers try to compromise the network and then report their findings. But those exercises are likely too infrequent for today's world of constantly changing configurations, cloud computing and even software-defined networking.

To fill that gap, many cybersecurity firms developed penetration testing tools that are supposed to be able to perform the job of a red team at any time. We’ve reviewed several on CSO. All of them we evaluated were good at what they did, but most required at least some knowledge of the kinds of vulnerabilities users wanted to scan for, and few offered to help fix the problems that they discovered.

The HaXM program from XM Cyber aims to make automated penetration testing more reliable and accessible by improving on the current crop of similar programs in several ways. First, HaXM does not require any knowledge of attack techniques. For example, you don't have to scan for a specific code injection vulnerability on a web server. You simply tell the program that the web server is an important asset in your network and let HaXM discover all the ways it could be compromised. Second, HaXM scans continuously, so results never go stale as the network changes. And finally, in addition to performing red team-style exercises, HaXM gives detailed advice on how to fix the problems it discovers and which ones to fix first, effectively taking on the role of the blue team in a security exercise.

Getting started

Installing XM Cyber’s HaXM is a relatively simple process. There is a main server that houses the brains of the program. It can be deployed locally for extremely security-conscious organizations or it can be accessed through the cloud in a software as a service model. And then there are the software agents, which are extremely lightweight, and need to be installed on every critical asset you want HaXM to protect. The agents allow the program to run simulated attacks against those assets.

Pricing for HaXM is based on a yearly subscription model that scales up based on how many endpoints an organization owns overall. However, users can have as many agents as they want deployed on critical assets, and adding more does not affect the pricing.

Setting up HaXM isn't complicated, though it is normally done with the help of XM Cyber as part of the yearly subscription cost. Most of the setup time involves defining the critical assets that the program will protect, deploying agents, and then telling the program what security questions you need it to answer. For example, you might ask, "Can my database be accessed by unauthorized users?" or "Could an attacker use other exploits in order to move laterally to the server?" This will generate several tests that can be set to keep running over a certain period of time, anything from minutes to days or weeks. Tests can also be set to repeat at regular intervals.

Testing HaXM

Once a simulated attack runs, users are given a report, which is accessed through the main HaXM server. HaXM can be configured to send the results of a scan to a security information and event management (SIEM) system, but users still need to look at the actual report through the main interface. The attack report screen is called The Battleground; it looks a bit like one of those wargaming combat maps, with hexagons representing different network assets and diamonds representing the critical assets (i.e., the crown jewels) that the program is trying to protect.

[Screenshot: XM Cyber HaXM Battleground. Image credit: CSO]

The XM Cyber HaXM attack simulation can be displayed in movie-like fashion in the Battleground section of the program. Controls are used to fast forward or rewind to important parts of an attack once the test is complete.

The attack simulation is represented by a series of arrows that slowly shoot from asset to asset, turning each one from blue to red if it would be compromised by a real attack using a particular technique. The simulation plays out graphically like a movie in real time, with play, fast forward, rewind and pause buttons at the bottom of the screen to control it. In our first test, a critical server was compromised in just over three minutes, and it was fascinating to see how a real attacker might accomplish that feat.
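What a Battleground replay shows is an attack graph: hosts are nodes, each hop is a technique that gets an attacker from one host to the next, and the crown jewel is the target. The following is an added illustration of that idea, not XM Cyber's code or algorithm: it enumerates every attack path to a critical asset over a small constructed network, finds the shortest one (the kind of chain the replay would show first), and ranks the individual hops by how many paths they sit on, flagging any single hop whose removal would cut every path. All host names and techniques are invented for the example.

```python
"""Attack-path discovery and fix prioritization over a small asset graph.

Added example for illustration only; not XM Cyber's implementation.
"""
from collections import deque

# Constructed example network. Each tuple is (source host, target host,
# technique an attacker could use to move from source to target).
EDGES = [
    ("workstation-1", "fileserver", "writable SMB share"),
    ("workstation-1", "jumpbox", "reused local admin password"),
    ("fileserver", "jumpbox", "cached domain credentials"),
    ("jumpbox", "db-server", "RDP with a domain admin token"),
    ("jumpbox", "printer", "default SNMP community"),  # dead end, not on any path
]


def build_graph(edges):
    """Adjacency list: host -> list of (next host, technique)."""
    graph = {}
    for src, dst, technique in edges:
        graph.setdefault(src, []).append((dst, technique))
        graph.setdefault(dst, [])
    return graph


def all_paths(edges, start, target):
    """Every simple (cycle-free) attack path from start to target.

    Each path is a list of (source, target, technique) hops.
    """
    graph = build_graph(edges)
    paths = []

    def dfs(node, path, visited):
        if node == target:
            paths.append(list(path))
            return
        for nxt, technique in graph[node]:
            if nxt in visited:
                continue
            path.append((node, nxt, technique))
            dfs(nxt, path, visited | {nxt})
            path.pop()

    dfs(start, [], {start})
    return paths


def shortest_path(edges, start, target):
    """Fewest-hop path from start to target (BFS), or None if unreachable."""
    graph = build_graph(edges)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while parent[node] is not None:
                prev, technique = parent[node]
                hops.append((prev, node, technique))
                node = prev
            return hops[::-1]
        for nxt, technique in graph[node]:
            if nxt not in parent:
                parent[nxt] = (node, technique)
                queue.append(nxt)
    return None


def prioritize_fixes(edges, start, target):
    """Rank each hop by how many attack paths to the target it appears on.

    severs_all is True when removing that one hop leaves no path at all,
    i.e. it is a choke point and the best first fix.
    """
    paths = all_paths(edges, start, target)
    ranking = []
    for edge in edges:
        on_paths = sum(1 for p in paths if edge in p)
        if on_paths == 0:
            continue  # not on any path to the crown jewel
        remaining = [e for e in edges if e != edge]
        severs_all = not all_paths(remaining, start, target)
        ranking.append({"edge": edge, "paths": on_paths, "severs_all": severs_all})
    ranking.sort(key=lambda r: (-r["paths"], -int(r["severs_all"]), r["edge"]))
    return ranking


if __name__ == "__main__":
    for src, dst, technique in shortest_path(EDGES, "workstation-1", "db-server"):
        print(f"{src} -> {dst} via {technique}")
    for fix in prioritize_fixes(EDGES, "workstation-1", "db-server"):
        print(fix)
```

In the constructed network the two paths to db-server both end with the RDP hop from the jumpbox, so that single fix severs every path, whereas patching the SMB share alone still leaves the attacker a route through the reused admin password. A real product reasons over far more hop types and live data, but the ranking question it answers is the same.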
