December 19, 2022
What is breach and attack simulation (BAS)?
Breach and attack simulation is an offensive security testing method in which security professionals, along with automated tools, continuously assess how prepared an organization's systems are against actual threats. This is done by following the likely attack paths and techniques of adversarial actors.
How does breach and attack simulation work?
A breach and attack simulation solution assesses security controls across different systems (e.g., applications, networks, cloud infrastructure, containers). Some of the controls that have gained the most attention could be summarized in the following categories:
Application security testing: These are controls to identify vulnerabilities in proprietary and third-party software.
Identity and access management: These are controls to manage subjects and ensure proper authentication and authorization before specific objects can be accessed.
Network protection: These are controls to detect and counter intrusion and malicious traffic, restrict access and monitor data, among other functions.
Data storage security: These are controls to ensure the confidentiality, integrity and availability of stored data.
Accordingly, the attack simulations include malware attacks on endpoints, delivery of malicious email attachments, web-based attacks, data exfiltration, system abuse and lateral movement through the network. The attacks are comprehensive and continuous, evolving with threats.
Admittedly, most breach and attack simulation services in the market rely only on automation. The most basic services assess internal network security, scanning for issues that match a database of known vulnerabilities. Other tools are able to generate malicious traffic following the logical steps of known techniques. They check the readiness of organizations' technologies, such as intrusion prevention systems (IPS) and security information and event management (SIEM), to detect and block such traffic. Yet another set of tools simulates studied attack tactics, techniques and procedures (TTPs) across systems to check whether security defenses can be bypassed. Some providers liken the latter tools' capabilities to the work of a purple team, since they combine red and blue team exercises (though automated). We will expand on this in a future blog post.
Breach and attack simulation tools may produce results faster than humans, but accuracy is a concern. Automation is prone to lies (false positives) and omissions (false negatives). What's more, these technologies have to be updated constantly once the latest TTPs of advanced persistent threats (APT) are understood. The precious window between a tool's update and the fixing of the security issues can be the opportunity for adversarial attackers to test their luck in gaining access to sensitive resources. That's why we at Fluid Attacks recommend a combination of automation and manual assessments by security professionals.
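The two paragraphs above describe what an automated BAS tool actually measures: whether the detection layer (IPS, SIEM rules) fires on traffic shaped like a known technique, and how much noise it produces. The following is an added example, not Fluid Attacks' code or any vendor's product: a minimal simulation harness in Python that replays constructed log events for three of the attack types the post lists through three toy detection rules, then reports which simulations were caught, which were missed (false negatives) and which rules also fired on benign activity (false positives). The event fields, thresholds, allowlist and rule logic are all assumptions made for illustration.

```python
"""
Added example (not Fluid Attacks' code): a minimal breach-and-attack-simulation
harness. Constructed events stand in for what a SIEM would ingest; the rules
are deliberately simple so that the coverage gaps they leave are visible.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One constructed log record; 'ts' is seconds since the batch started."""
    source: str   # "mail", "auth" or "proxy" (assumed log sources)
    ts: int
    data: dict


# Assumed tuning values for the toy rules.
EXEC_SUFFIXES = (".exe", ".scr", ".js", ".vbs")
EGRESS_ALLOWLIST = {"backup.example.test"}   # sanctioned upload destinations
EGRESS_THRESHOLD = 100_000_000               # bytes in a single request
LATERAL_HOSTS = 4                            # distinct hosts per account
LATERAL_WINDOW = 300                         # seconds


def suspicious_attachment(events):
    """Mail whose attachment hides an executable suffix behind a document name."""
    for e in events:
        if e.source != "mail":
            continue
        name = e.data.get("attachment", "").lower()
        if name.count(".") >= 2 and name.endswith(EXEC_SUFFIXES):
            return True
    return False


def lateral_movement(events):
    """One account authenticating to many distinct hosts inside a short window."""
    by_user = defaultdict(list)
    for e in events:
        if e.source == "auth" and e.data.get("result") == "success":
            by_user[e.data["user"]].append((e.ts, e.data["host"]))
    for logins in by_user.values():
        logins.sort()
        for i, (t0, _) in enumerate(logins):
            hosts = {h for t, h in logins[i:] if t - t0 <= LATERAL_WINDOW}
            if len(hosts) >= LATERAL_HOSTS:
                return True
    return False


def bulk_egress(events):
    """A single large upload to a destination that is not on the allowlist."""
    return any(
        e.source == "proxy"
        and e.data["dest"] not in EGRESS_ALLOWLIST
        and e.data["bytes_out"] >= EGRESS_THRESHOLD
        for e in events
    )


RULES = {
    "suspicious_attachment": suspicious_attachment,
    "lateral_movement": lateral_movement,
    "bulk_egress": bulk_egress,
}

# Constructed simulations, named after attack types the post lists.
SIMULATIONS = {
    "malicious email attachment": [
        Event("mail", 0, {"from": "ext@attacker.test", "attachment": "Invoice.pdf.exe"}),
    ],
    "lateral movement": [
        Event("auth", 30 * i, {"user": "svc-backup", "host": f"srv-{i}", "result": "success"})
        for i in range(5)
    ],
    # Slow exfiltration: three uploads, each below the per-request threshold,
    # so a rule that only looks at single events never fires.
    "data exfiltration": [
        Event("proxy", 600 * i, {"dest": "drop.attacker.test", "bytes_out": 40_000_000})
        for i in range(3)
    ],
}

# Constructed benign activity, used to measure false positives.
BENIGN = [
    Event("mail", 0, {"from": "hr@example.test", "attachment": "report.pdf"}),
    Event("auth", 0, {"user": "alice", "host": "srv-0", "result": "success"}),
    Event("auth", 3600, {"user": "alice", "host": "srv-1", "result": "success"}),
    Event("proxy", 10, {"dest": "backup.example.test", "bytes_out": 150_000_000}),
    # A legitimate upload to a service nobody has allowlisted yet.
    Event("proxy", 20, {"dest": "video-upload.example.test", "bytes_out": 150_000_000}),
]


def run_assessment(simulations=SIMULATIONS, benign=BENIGN, rules=RULES):
    """Replay each simulation through the rules; report coverage and noise."""
    detected, missed = {}, []
    for name, events in simulations.items():
        fired = [rule for rule, fn in rules.items() if fn(events)]
        if fired:
            detected[name] = fired
        else:
            missed.append(name)
    false_positives = [rule for rule, fn in rules.items() if fn(benign)]
    return {"detected": detected, "missed": missed, "false_positives": false_positives}


if __name__ == "__main__":
    for key, value in run_assessment().items():
        print(f"{key}: {value}")
```

Run as a script, the report shows the two failure modes the post warns about side by side: the slow exfiltration is a false negative because the egress rule has no memory across requests, and the legitimate upload is a false positive because the allowlist lags behind what the business actually uses. Both are exactly the kind of finding a human analyst has to interpret and turn into a rule change, which is why automation alone leaves a gap.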
Our BAS solution employs highly certified ethical hackers, whose work is aided by our automated tool and AI. These professionals stay up to date on the TTPs of malicious threat actors and, on that basis, conduct analyses and create custom exploits to bypass defenses. Unlike tools, our hackers can get to work as soon as the threats are announced by cybersecurity researchers and response teams, among other entities (e.g., the US Computer Emergency Readiness Team).
In their assessments, our professionals check that systems comply with our rich catalog of security requirements curated from several international standards. So, unlike most solutions, we do not limit our assessments to the controls from the MITRE ATT&CK (adversarial tactics, techniques and common knowledge) framework and the NVD (National Vulnerability Database).
As expected, our hackers probe our clients' systems continuously and provide evidence of exploitation and information about its impact, as well as recommendations to fix the issues. This is all shown on a single pane of glass: our Attack Resistance Management (ARM) platform.
Why do we need breach and attack simulation?
What are the implications of vulnerable systems? Those include risks of successful attacks whose impacts range from compromised information and data breaches to the temporary shutdown of critical services.
With the global costs of cyberattacks only getting higher (estimated to be 8 trillion dollars in 2023), technology development companies must take measures. What they look for is a solution to detect security issues that could compromise their systems' availability and their data and that of their users.
For this purpose, there are several security testing tools in the market. High rates of false positives and false negatives aside, automated tools can identify known vulnerabilities and issues, some of which may already have been exploited by malicious threat actors. But the tools cannot say whether the assessed systems can withstand real attacks.
Being up to date on actual and current threats is a priority, since the cybersecurity environment is constantly evolving. Just think of the advancing technological trends that connect us more and more to a digital world. For example, new Internet of Things devices flood the market (doorbells, speakers, toothbrushes, you name it), and they are generally lacking in terms of security or improperly configured by users. Threat actors move at the speed of software innovation, testing ways to exploit vulnerable new technology. In this landscape, teams validating the security of these products are required to think like hackers.
What BAS brings organizations is a methodology for challenging their security controls with the purpose of optimizing them. The relentless simulated attacks are specially crafted and carried out along the whole cyber kill chain, targeting critical assets. To prevent a breach, attack simulation is the best path. Embracing this proactive approach, organizations can keep a security stance that is preventive rather than reactive.
What are the benefits of breach and attack simulations?
The following are the main benefits teams can expect from a proficient BAS solution, all of which they can enjoy with Fluid Attacks:
It conducts security testing reproducing scenarios in which real threat actors today would attempt to bypass the systems' defenses.
It offers continuous coverage throughout the software development lifecycle (SDLC), since technology evolves, and so do threats.
It tests a wide variety of security requirements in different systems (i.e., not only in internal networks but also at the enterprise perimeter).
It enables organizations to enhance their security stance, as they defend preventively instead of reactively.
It helps organizations validate areas of most exposure to risk so they can prioritize cybersecurity spend.
It offers expert support throughout the SDLC, helping the development team understand the security issues and guiding remediation.