What is breach and attack simulation and why does your organisation need it?
The simple answer to this question is that breach and attack simulation (BAS) is a form of security control testing. The latter is defined as anything that limits the ability of threat actors to accomplish their goals. It can also be a means of stopping legitimate users from inadvertently doing something they should not be doing.
Security controls can be devices/software or policies – and all are critical to ensuring everything remains safe in the business. Common examples of devices and software include anti-malware tools, firewalls, web filters and e-mail filters. Examples of policies are bring your own device rules and company regulations that inform employees as to which websites are acceptable, or not permitted, to be viewed at work.
Security controls are powerful tools for any organisation, but they can be complex and difficult to manage. An enterprise anti-malware platform may have dozens of pages of settings and configuration options and setting something incorrectly can have consequences, ranging from leaving the company open to attack, to preventing users from getting their jobs done.
Because of the complexity of these solutions and policies, there are times when even the best security and IT teams make mistakes and accidentally weaken security. A single mistake can end up costing the business millions of dollars, not only in lost revenue but also in lost time and loss of reputation.
Add to this the fact that the cyber security landscape changes on a daily – sometimes hourly – basis. A minor bug in an application’s code that caused no problems yesterday can become an easy port of entry for an entrepreneurial cyber criminal to exploit today.
Security controls are powerful tools for any organisation, but they can be complex and difficult to manage.
So, despite all security controls working perfectly, there can still be weaknesses that a threat actor can use to their advantage. Worst of all, it can evolve so quickly that it might go undetected for months, and by the time it is finally spotted, it may be too late to recover.
BAS is the solution that will ensure weaknesses are found and addressed. Having said that, as far back as 2018 – a long time ago in the exponentially changing world of technology – Gartner noted that testing is so challenging for technical professionals focused on security operations that many don't try it. It added that BAS tools help make security postures more consistent and automated.
This is endorsed by Frost & Sullivan research on the global BAS market that shows the technology is gaining acceptance.
In a nutshell, BAS is the method that tests everything that is in place from a security perspective and replaces speculation with certainty in terms of security posture. It is a platform that is designed to perform actions that closely mimic real threat actions to determine if they are picked up by the security controls in place. This can be anything from placing files that are indistinguishable from malware (but not dangerous to your systems) onto a machine to see if the anti-malware tool catches them; through to attempting to send data traffic through a firewall or malicious e-mail through an e-mail filter.
BAS uses a set of complex attack scenarios that attempt to bypass these control systems to reach a specific goal. If that goal can be reached, then the BAS platform has helped to uncover a flaw in that control, which in turn will enable the organisation to remediate it.
This simulation can even execute files so that behavioural-based detection systems will see identifiable activity and jump into action, but in a safe and controlled manner to avoid creating even more risk in the process.
Web application firewall simulations attempt to trick a web server into giving up information or performing actions that it should not – this is an activity that must be stopped before it ever reaches the actual web server itself.
BAS is also designed to be run repeatedly/automated in fact, making the process of keeping security tight and up-to-the-minute and easier for companies to manage. The tests are designed not to interfere with production operations, working quietly behind the scenes so that users don’t even notice them running unless the vector is something like phishing awareness, which tests employee vigilance.
Combined, these two properties of BAS allow IT and/or security teams to test whenever they need to, rather than waiting for scheduled change-control times. This contrasts with manual penetration testing or complex vulnerability scanners which require specialist security skills if they are to be used effectively and efficiently. This means the company can take advantage of a higher level of security without increasing headcount or outsourcing.
While it cannot remove the need for manual pen-testing − especially if this is a compliance requirement − it can dramatically reduce the number of manual pen tests you need to do in many cases, which impacts the overall security posture, not to mention the bottom line.
BAS facilitates a good night’s sleep for chief information security officers, safe in the knowledge that the controls they have implemented are doing what they are expected to do and protecting the business against the latest threats.
In my next article, I will explain what is driving BAS adoption.
Share