Continuously test the integrity of potential attack pathways.
GARTNER® THREAT EXPOSURE ROADMAPBreach and attack simulation (BAS) is the process of a security operations center (SOC) maintaining vigilance over the security posture of the various pathways – or vectors – by which an attacker could breach an enterprise network. Staying on top of the current “state of strength” of an organization’s defenses could be the difference between a thwarted breach attempt and a successful one.
According to Gartner®, “BAS tools enable organizations to gain a deeper understanding of security posture vulnerabilities by automating testing of threat vectors such as external and insider, lateral movement, and data exfiltration. BAS complements red teaming and penetration testing, but cannot completely replace them.”
That last thought is critical because it places an emphasis on the importance of leveraging a well-rounded set of network-integrity testing tools to ensure a strong security posture that can fend off the latest threats from sophisticated attackers. Cybersecurity providers commonly offer suites of attack-simulation tools, platforms, and services.
Incident response (IR) personnel from those providers will typically use the latest and most pertinent breach scenarios to perform threat simulation sessions that help their clients to walk through the process of a breach. This includes identifying key sources of evidence, performing mock communications, and providing post-simulation optimization recommendations.
BAS tools work by aligning to certain attacker tactics, techniques, and procedures (TTPs) so that organizations can run specific simulations to ascertain the effectiveness of their response actions and create/automate playbooks in case of those scenarios.
Specifically, Gartner states that “automated validation using technology or service capabilities, such as breach and attack simulation (BAS), or automated penetration testing tools will:
From this we can infer that validation and speed are likely the two most critical aspects of BAS and other attack-simulation tools. That latter aspect – speed – begs questions concerning workforce capabilities. Will those specialized in threat detection and response be able to act efficiently to expunge the threat to the best of their abilities and limit potential fallout?
BAS tools can help to identify those gap areas before the real thing inevitably occurs, to whatever extent. The last thing any organization wants to be is caught off guard without the skillset to address an attack.
Of course, many security organizations simply don’t have the luxury of addressing those skill gaps, especially in any sort of timely manner – thus the upward trend in adoption of managed security services providers (MSSPs).
BAS differs from other cybersecurity testing in that it is a more sophisticated assessment of a security organization's ability to withstand and win in the event of an equally – or more – sophisticated attack.
It can be difficult for security stakeholders to know which solution is the best for testing their defenses as well as readiness to respond, so let’s take a look at some of the differences between the major functionalities.
A vulnerability assessment will scan for vulnerabilities across an organization’s network but not attempt to exploit them. This functionality is a core operation for security teams, and is usually the best way to get an initial idea of how vulnerable a network is to an attack. After a vulnerability assessment, it is incumbent upon the organization to decide how to proceed as far as prioritization and remediation.
While not a simple process by any means, a cybersecurity firm will perform a penetration test (pentest) to specifically look for vulnerabilities in a client’s network, attempt to exploit them, and determine the overall risk to the organization. This process is an important part of a company’s security controls, hopefully motivating the organization to adopt widespread remediation of all discovered vulnerabilities. It will not, however, automate a specific outside attacker strategy beyond discovery of those vulnerabilities.
A Red Team attack simulation focuses on an organization’s defense, detection, and response capabilities. Red Team operators will typically carry out real-world adversarial behavior and commonly used TTPs so an organization can measure the effectiveness of its security program. The main difference between BAS and Red Teaming, however, is that of automation vs. real people. BAS automates the process of real-world attacker behaviors while Red Teaming employs actual people to perform the simulated attacks.
Businesses need BAS because their IT and security professionals should always know the current status and strength of their breach-response capabilities. In this day and age, SOCs need to consider more existential questions like the following:
The best way to get a thorough sense of where evasive, defensive, and remediative capabilities lie across the IT and security organizations is to perform stress tests, also known as breach and attack simulation.
Cybersecurity risk management programs can incorporate methodologies like BAS, pentesting, Red Teaming and others so that a SOC can reduce overall cyber risk and achieve a stronger security posture to better respond to attacks.
Other techniques have more fine-tuned methods of testing IR readiness. Honeypots, for example, can act as a lure for threat actors and an important test of the SOC’s readiness to deal with that threat.
Some testing methods are for specific areas, like Internet of Things (IoT) security testing. From testing actual hardware to device network pentesting, a company’s IoT activities could also come into consideration in an attack simulation.
In addition to lowering cyber risk, what are some of the major benefits BAS-enabled transparency can provide? Let's take a look beyond the potential to just the network itself.
Knowing the current state of a network’s vulnerabilities and weaknesses can help to mitigate present and future security complications so that business as usual is the standard – not security emergencies.