Can SOAR Platforms Be Used in Penetration Testing?
by Jonathan Zhang
When we hear about security orchestration, automation, and response (SOAR) platforms, we think of beefing up our security posture automatically, pun intended. Beyond orchestration and automation, however, SOAR brings together two other technologies: a threat intelligence platform (TIP) and a security incident response platform (SIRP).
SOAR platforms are built for defensive work: threat hunting, blocking attacks in progress, and strengthening an organization's overall security infrastructure. It comes as no surprise, then, that the same technology can also figure in penetration testing, most notably in the reconnaissance and vulnerability identification stages. Here are some ways to use SOAR platforms in penetration testing.
Footprinting Using SOAR Platforms
The footprinting or reconnaissance phase of penetration testing involves collecting every available detail about a target system, and it takes up a huge chunk of every pentester's time. Gathering data about a target organization and the systems that could serve as an entry point means researching key personnel and every technology in use. It may also include mining social media for employees' positions and email addresses. You'd be surprised how trusting people can be with the information they disclose. All of this, of course, stays within the scope the client agreed to before testing began.
The footprinting stage also involves threat intelligence gathering around the target's domain names: WHOIS searches, reverse WHOIS lookups (finding other domains that share a registrant, email address, or name server), and host configuration analysis of DNS, mail, and name server records. The goal is to get all possible details about a target's hosts and infrastructure. Keep in mind that since 2018 most registrars redact registrant contact details in current WHOIS records, so historical WHOIS data and the fields that remain (registrar, registrant organization, name servers, creation and expiry dates) often carry more signal than the contact fields do.
Several tools may be useful during this stage, but the threat intelligence functions built into a SOAR platform put most of these lookups in one place. More appealing still, SOAR can run them automatically through playbooks, saving users hours of manual querying. Automation gathers the data; deciding which findings matter is still the pentester's job.
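To show what a footprinting playbook actually does with a WHOIS response, here is an added example (not code from this article, from Threat Intelligence Platform, or from any SOAR product). It parses a raw record into fields, separates usable contact data from the redaction placeholders registrars now return, and derives the facts a pentester wants first: domain age, time to expiry, name servers, and whether DNSSEC is on. The WHOIS text, the domain, and the registrar are constructed for illustration.

```python
"""Parse a raw WHOIS record and pull out what footprinting can use.

Added example for this article; not code from the article or from any vendor
product. SAMPLE_WHOIS is a constructed record for a hypothetical domain, laid
out in the common gTLD "Key: Value" format.
"""
from datetime import datetime, timezone

SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-TARGET.COM
Registrar: Example Registrar, Inc.
Creation Date: 2016-03-09T14:22:01Z
Registry Expiry Date: 2026-03-09T14:22:01Z
Registrant Organization: Example Target Ltd
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
DNSSEC: unsigned
>>> Last update of whois database: 2024-05-01T10:00:00Z <<<
"""

# Phrases registrars substitute for privacy-protected contact fields.
REDACTION_MARKERS = ("redacted for privacy", "data protected",
                     "please query the rdds", "not disclosed", "privacy service")
MULTI_VALUE_KEYS = {"name server", "domain status"}
CONTACT_KEYS = ("registrant organization", "registrant name",
                "registrant email", "registrant phone")


def parse_whois(text):
    """Turn 'Key: Value' lines into a dict; repeatable keys become lists."""
    record = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((">>>", "%", "#")):
            continue  # footer, comment, blank line
        key, sep, value = line.partition(":")  # split on the first colon only,
        if not sep:                             # so timestamps keep theirs
            continue
        key, value = key.strip().lower(), value.strip()
        if key in MULTI_VALUE_KEYS:
            record.setdefault(key, []).append(value.lower())
        else:
            record[key] = value
    return record


def is_redacted(value):
    v = value.lower()
    return any(marker in v for marker in REDACTION_MARKERS)


def _iso(value):
    """ISO-8601 with a trailing Z -> aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize(record, now=None):
    """Split contact fields into usable vs redacted and add the facts a
    pentester cares about: domain age, expiry, name servers, DNSSEC.
    `now` may be an aware datetime or an ISO string (defaults to the clock)."""
    if isinstance(now, str):
        now = _iso(now)
    now = now or datetime.now(timezone.utc)
    out = {"redacted": [], "usable_contacts": {}}
    for key in CONTACT_KEYS:
        if key not in record:
            continue
        if is_redacted(record[key]):
            out["redacted"].append(key)
        else:
            out["usable_contacts"][key] = record[key]
    out["domain_age_days"] = (now - _iso(record["creation date"])).days
    out["days_to_expiry"] = (_iso(record["registry expiry date"]) - now).days
    out["name_servers"] = sorted(set(record.get("name server", [])))
    out["registrar"] = record.get("registrar")
    out["dnssec_enabled"] = record.get("dnssec", "unsigned").lower() != "unsigned"
    return out


if __name__ == "__main__":
    for field, value in summarize(parse_whois(SAMPLE_WHOIS)).items():
        print(f"{field}: {value}")
```

The redaction list is the part worth maintaining: every registrar words its placeholder differently, and a playbook that treats "REDACTED FOR PRIVACY" as a person's name will happily feed it into the next lookup.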
SOAR Platform Use in Vulnerability Identification
After getting a view of a target's overall infrastructure, you can see potential attack vectors and start identifying vulnerabilities. SOAR platforms can automate the detection of malware, live hosts, open ports, and weaknesses in Transport Layer Security (TLS, still commonly called SSL) certificates and configurations, such as expired or self-signed certificates, among other issues. Note that host discovery and port scanning are active probes that touch the target, unlike WHOIS lookups, so they belong inside the agreed scope and testing window.
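Two of the checks just listed, open ports and certificate weaknesses, are small enough to show end to end. The following is an added example written for this article, not code from the article or from any SOAR product or scanner. The port scan is a plain TCP connect scan run against a throwaway listener the script starts on 127.0.0.1, so it runs offline; the certificate checker takes the dictionary that Python's `ssl` module returns for a server certificate and flags expiry, self-signature, and wildcard names. The certificate data in the demo is constructed; the hostnames in it are placeholders.

```python
"""TCP connect scan plus certificate evaluation.

Added example for this article; not code from the article, from any SOAR
product, or from any scanner. The scan targets only 127.0.0.1 against a
listener the script starts itself, so it runs offline; the demo certificate
is constructed. In a real engagement the host list comes from the agreed
scope, never from guesswork.
"""
import socket
import ssl
import threading
import time
from concurrent.futures import ThreadPoolExecutor


def start_dummy_listener():
    """Listen on an OS-assigned loopback port; stands in for a target service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener was shut down
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def stop_listener(srv):
    try:
        srv.shutdown(socket.SHUT_RDWR)  # wakes the accept() thread on Linux
    except OSError:
        pass
    srv.close()


def free_port():
    """Bind to port 0 and release it: a port with nothing listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe(host, port, timeout=0.5):
    """Full TCP handshake; connect_ex returns 0 only if the port accepted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return port, s.connect_ex((host, port)) == 0


def tcp_connect_scan(host, ports, workers=32):
    """Return the sorted list of open ports among `ports`."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p), ports))
    return sorted(p for p, is_open in results if is_open)


def fetch_peercert(host, port=443, timeout=3):
    """Handshake with a live server (needs network) and return its cert dict.
    With the default verifying context an expired or self-signed cert raises
    ssl.SSLCertVerificationError; with CERT_NONE getpeercert() returns an
    empty dict, so catch the error rather than disabling verification."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def evaluate_cert(peercert, now_ts=None, warn_days=30):
    """Classify a certificate dict as returned by ssl.SSLSocket.getpeercert().
    now_ts is seconds since the epoch (defaults to the current time)."""
    now_ts = time.time() if now_ts is None else now_ts
    remaining = ssl.cert_time_to_seconds(peercert["notAfter"]) - now_ts
    findings = []
    if remaining <= 0:
        findings.append("expired")
    elif remaining <= warn_days * 86400:
        findings.append(f"expires in {int(remaining // 86400)} days")
    # issuer/subject are tuples of RDNs, each a tuple of (type, value) pairs
    issuer = dict(rdn[0] for rdn in peercert.get("issuer", ()))
    subject = dict(rdn[0] for rdn in peercert.get("subject", ()))
    if issuer and issuer == subject:
        findings.append("self-signed")
    sans = [v for t, v in peercert.get("subjectAltName", ()) if t == "DNS"]
    if any(name.startswith("*.") for name in sans):
        findings.append("wildcard")
    return findings


if __name__ == "__main__":
    srv, port = start_dummy_listener()
    print("open ports:", tcp_connect_scan("127.0.0.1", [port, free_port()]))
    stop_listener(srv)
    demo_cert = {  # constructed: expired, self-signed, wildcard
        "notAfter": "Jan 15 00:00:00 2024 GMT",
        "subject": ((("commonName", "example-target.com"),),),
        "issuer": ((("commonName", "example-target.com"),),),
        "subjectAltName": (("DNS", "*.example-target.com"),),
    }
    print("cert findings:", evaluate_cert(demo_cert, now_ts=1717200000))
```

A connect scan completes the handshake, so it is noisy and shows up in the target's logs; that is acceptable in an authorized test and is usually what a SOAR playbook does too, since SYN scanning needs raw sockets.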
A threat intelligence analysis on a site we picked at random, for instance, revealed several warnings related to its configuration, SSL settings and certificates, WHOIS records, and mail and name server configurations.
Zooming in on the threat intelligence platform's analysis of the website, we see that although it has no links to .apk or .exe files, it does redirect to other websites.
Redirects can, of course, serve legitimate purposes, but threat actors also redirect users to malicious websites, for example in phishing campaigns. A redirect is not a vulnerability in itself, though. It becomes one when an unauthenticated user can choose the destination, typically through a URL parameter (an open redirect), because a link that starts on the trusted domain then lands the victim wherever the attacker wants. A redirect flagged by a threat intelligence platform integrated into a SOAR platform is therefore a lead, not a finding: pentesters follow it up by checking whether the destination is hardcoded or taken from the request.
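The follow-up check is easy to automate. The example below is added for this article (not code from the article or from any SOAR or threat intelligence product). It runs a tiny local HTTP server with three hypothetical endpoints: /promo redirects to a hardcoded partner URL, /go is the open-redirect case that sends the browser wherever ?next= says, and /safe is the hardened version of /go. The probe requests each endpoint without following redirects and reports "open" only if a placeholder attacker host ends up in the Location header. The server, the paths, and the hostnames are all invented, and nothing is ever sent to the placeholder host.

```python
"""Tell a fixed redirect from an open redirect by probing it.

Added example for this article; not code from the article or from any vendor
product. Endpoints, hostnames, and the parameter name are assumptions.
"""
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

ATTACKER_HOST = "attacker.example"  # placeholder on a reserved TLD, never contacted


def is_local_path(target):
    """Accept only a same-origin path: no scheme, no host, and no '//' or
    '/\\' prefix (browsers read '//h/..' and '/\\h/..' as host h)."""
    parts = urlparse(target)
    return (parts.scheme == "" and parts.netloc == ""
            and target.startswith("/")
            and not target.startswith(("//", "/\\")))


class DemoHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        nxt = parse_qs(url.query).get("next", [""])[0]
        if url.path == "/promo":      # fixed destination: not exploitable
            self.redirect("https://partner.example/offer")
        elif url.path == "/go":       # open redirect: trusts next= blindly
            self.redirect(nxt or "/")
        elif url.path == "/safe":     # hardened: relative paths only
            self.redirect(nxt if is_local_path(nxt) else "/")
        else:
            self.send_response(404)
            self.end_headers()

    def redirect(self, location):
        self.send_response(302)
        self.send_header("Location", location)
        self.end_headers()

    def log_message(self, *args):     # keep the demo quiet
        pass


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_location(host, port, path):
    """One GET that does not follow redirects; returns Location or None."""
    conn = HTTPConnection(host, port, timeout=2)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        if 300 <= resp.status < 400:
            return resp.getheader("Location")
        return None
    finally:
        conn.close()


def classify(host, port, path, param="next"):
    """'none' (no redirect), 'fixed' (redirects, but not to our host), or
    'open' (an attacker-chosen host ends up in Location)."""
    baseline = fetch_location(host, port, path)
    sep = "&" if "?" in path else "?"
    payloads = (f"https://{ATTACKER_HOST}/",   # absolute URL
                f"//{ATTACKER_HOST}/",         # protocol-relative
                f"/\\{ATTACKER_HOST}/")        # backslash trick
    for payload in payloads:
        loc = fetch_location(host, port, path + sep + urlencode({param: payload}))
        # normalise backslashes the way a browser would before reading the host
        if loc and urlparse(loc.replace("\\", "/")).hostname == ATTACKER_HOST:
            return "open"
    return "none" if baseline is None else "fixed"


if __name__ == "__main__":
    server = start_server()
    p = server.server_address[1]
    for endpoint in ("/promo", "/go", "/safe", "/missing"):
        print(endpoint, "->", classify("127.0.0.1", p, endpoint))
    server.shutdown()
```

The three payloads matter because the common "fix" of rejecting anything that starts with `http` still lets `//attacker.example/` and `/\attacker.example/` through; the `is_local_path` check in the hardened endpoint rejects all three, and a real test would also try the other parameter names the application uses for return URLs.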
Reporting Issues Using SOAR Platforms
After identifying vulnerabilities, the next step is the actual exploitation. At this point, pentesters use everything they gathered in the reconnaissance and vulnerability identification stages to attack the target. Penetration testing does not end there, though.
After exploitation, pentesters submit a report to the client. The report documents the system weaknesses found, how each was exploited (with enough evidence and reproduction steps for the client to verify the result), and how the pentesters propose to mitigate the risks and prevent real attacks.
These are just three ways by which SOAR platforms can aid in three different phases of penetration testing. Depending on who you ask, there are other phases, but the most common ones are:
- Pretesting documentation, where the pentesters obtain written authorization and agree on the scope and rules of engagement; without it, what they are about to do would be illegal in most jurisdictions
- Reconnaissance or footprinting, where they unearth everything they can about a target organization and its systems
- Vulnerability identification, also known as "scanning" since, at this point, they scan all in-scope systems for potential entry points
- The exploitation phase, where they gain access to vulnerable systems
- The reporting phase, where they detail how they compromised systems and how to prevent real attacks
SOAR platforms, with their integrated orchestration and automation solutions and threat intelligence and security incident response platforms, can be used in several of these phases.
About the Author
Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP)—a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the Whois XML API family, a trusted intelligence vendor by over 50,000 clients.