Reducing Testing Time in Penetration Test Automation by Using EPSS and Parallelization


Research field: Strategies



Conference: 2024 Twelfth International Symposium on Computing and Networking Workshops (CANDARW)


Abstract

Penetration tests are difficult to conduct because they are expensive and time-consuming. Moreover, the results may vary depending on the experience of the testers. This study addresses the time constraints by proposing a method using exploit prediction scoring system (EPSS) vulnerability information instead of port scanning and distributes this vulnerability information across multiple machines to facilitate parallel execution. Experiments are conducted on four targets: Metasploitable3_ubuntu, Metasploitable3_windows, Metasploitable2, and DC-1. The proposed method is evaluated by comparing its execution time to that achieved before its application, that achieved when using EPSS alone, and that achieved when using parallelization alone. The proposed method is found to successfully reduce the execution time compared to the three validations, achieving a reduction of up to 90%. Additionally, compared to the validation performed using parallelization alone, the use of EPSS helps avoid resource conflicts in the test machines for each test execution thread. Therefore, EPSS is more effective at reducing the time required. The results indicate that, by approaching the Scan phase with EPSS and distributing the vulnerability information for parallel execution, the test time can be effectively shortened. However, the success of penetration depends on the EPSS list used and, therefore, the threshold settings have a substantial effect.


Author Profile
Kosei Okumura
Kogakuin University, Tokyo, Japan

Author Profile
Ryotaro Kobayashi
Kogakuin University, Tokyo, Japan

📄 Paper information

Publication year 2024
Citations 67
Country of publication Japan
Site IEEE
