The Human Touch in Cybersecurity: Why AI Can’t Fully Replace Penetration Testers
The rise in popularity of automated penetration testing tools and services signifies a tech-forward shift in our efforts to fortify cybersecurity. Promising to scour networks and systems for vulnerabilities, these tools have brought a level of efficiency and scale previously unthinkable. But as we journey deeper into the digital frontier, we realize a sobering truth: automation, while a powerful ally, cannot fully replace the human element of penetration testing.
The intricacies of today’s networks and systems are vast, like an interconnected web comprising vast numbers of devices, diverse subnets, and a blend of both modern and legacy systems spanning multiple operating systems and software. Think of it as an incredibly complicated jigsaw puzzle featuring servers and all their routers, switches, firewalls, web applications, databases, IoT devices, and cloud services. A Bayesian diagram representing such a network would be of astronomical proportions.
This complexity might be likened to the myriad of variations of games on a chess board, after 4 moves by each player there are 288 Billion possible combinations (More on chess here) but even this comparison has its limitations. Unlike chess, which operates on an 8×8 grid with set rules and a finite number of pieces, modern technical environments resemble vast, multidimensional chess boards. Each cell can have different initial states and rules, and the network is in a constant state of flux. This network is continuously changing – devices are added or removed, software is updated, configurations are altered, and user behaviors shift. It’s like a chess game where the rules, pieces, and board shape keep changing mid-game, but the objective of checkmating the opponent remains the same.
In a game of chess, after 4 moves by each player there are 288 Billion possible combinations – this is nothing compared to the complexity of a typical organizations network.
The human interaction factor further adds a layer of unpredictability to this equation. Each login, each opened email, each downloaded file, each web browsing session alters the state of the network, often in ways that are unforeseeable. The multitude of devices and software, coupled with constant, unpredictable human engagement, create a level of complexity that automation struggles to comprehensively tackle.
While automation effectively tests common default configurations, it struggles when faced with the sheer diversity and peculiarities of real-world network setups. The vast array of possible configurations, including custom setups, legacy systems, and non-standard technologies, lie beyond its reach.
Additionally, the human element – a mix of errors, habits, and unpredictability – remains elusive for automation. For example, an absent network administrator’s lax security practices or a manager’s penchant for using the same password across platforms can’t be accounted for by automated systems.
Advanced persistent threats (APTs) and zero-day vulnerabilities also present a significant challenge. Designed to evade common security tools, APT tactics such as custom malware, phishing for initial access, and stealthy network movement often slip under the radar of systems relying on known vulnerabilities and techniques.
Artificial intelligence and automation, for all their advancements, cannot mimic the intuition, creativity, and expertise of human penetration testers. The ability to join the dots to find an attack path, or the creative insight to explore network compromise via nearby WiFi access, is a uniquely human trait that automation, no matter its state, will capture any time soon.
Additionally, we must recognize that automation is a double-edged sword. The same tools that defenders use to try to identify vulnerabilities can also be utilized by attackers to find potential targets and infiltration points in an automated fashion (Read about wormGPT here). Adversaries are already incorporating automation like vulnerability scanners and exploit kits into their arsenal. If defenders become over-reliant on automated penetration testing, they leave themselves vulnerable to attackers who are doing the same thing.
As we embrace the promise of automation, let’s not overlook the value of the human touch in cybersecurity. In a landscape of near-infinite initial states, continuous change, and human unpredictability, human penetration testers are still an essential part of the puzzle, offering their unique skills where automation can only attempt to follow.
Humans and AI working together
Automation is undoubtedly a complementary tool, and one that will undoubtedly improve security in many areas, but human penetration testers remain the key players in this chess game – They find complicated issues like this.