What is breach and attack simulation (BAS)?
Breach and attack simulation is an offensive security testing method in which security professionals, together with automated tools, continuously assess how prepared an organization's systems are against actual threats. This is done by following the attack paths and techniques that adversaries are likely to use.
How does breach and attack simulation work?
A breach and attack simulation solution assesses security controls across different systems (e.g., applications, networks, cloud infrastructure, containers). Some of the controls that have gained the most attention could be summarized in the following categories:
Application security testing: These are controls to identify vulnerabilities in proprietary and third-party software.
Identity and access management: These are controls to manage subjects and ensure proper authentication and authorizations to access specific objects.
Network protection: These are controls to detect and counter intrusion and malicious traffic, restrict access and monitor data, among other functions.
Data storage security: These are controls to ensure the confidentiality, integrity and availability of stored data.
Accordingly, the attack simulations include malware attacks on endpoints, delivery of malicious email attachments, web-based attacks, data exfiltration, system abuse and lateral movement through the network. The attacks are comprehensive and continuous, evolving with threats.
Admittedly, most breach and attack simulation services on the market rely only on automation. The most basic services assess internal network security, scanning for issues that match a database of known vulnerabilities. Other tools are able to generate malicious traffic following the logical steps of known techniques. They check the readiness of the organization's technologies, such as intrusion prevention systems (IPS) and security information and event management (SIEM), to detect and block such traffic. Yet another set of tools simulates studied attack tactics, techniques and procedures (TTPs) across systems to check whether security defenses can be bypassed. Some providers liken the capabilities of the latter tools to the work of a purple team, since they combine red and blue team exercises (though automated). We expand on this in another blog post.
Breach and attack simulation tools may produce results faster than humans, but accuracy is a concern. Automation is prone to errors in its reports (false positives and false negatives). What's more, these technologies have to be updated constantly once the latest TTPs of advanced persistent threats (APT) are understood. The time between a tool's update and the fixing of the security issues it reports can be the window in which attackers try their luck at gaining access to sensitive resources. That's why we at Fluid Attacks recommend a combination of automation and manual assessments by security professionals.
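The detection-readiness check described above (did the IPS or SIEM see and stop the simulated traffic?) and the accuracy problem (missed runs and unexplained alerts) can be made concrete with a small correlation harness. The following is an added example written for this post; it is not Fluid Attacks' software or any vendor's BAS product. The MITRE ATT&CK technique IDs in the catalogue are real; the hostnames, timestamps, alert records and the five-minute correlation window are constructed sample data.

```python
"""
Toy BAS-style detection-coverage harness (added example, not a vendor tool).

It models the validation loop a BAS platform runs: a catalogue of simulated
techniques is executed on known hosts, the alerts the detection stack (IPS,
EDR, SIEM) emitted are collected, and each simulation run is classified as
blocked, detected only, or missed (a false negative of the stack). Alerts that
match no run end up in a triage queue: either real activity or candidate
false positives. Sample runs and alerts below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Simulated techniques, keyed by real ATT&CK (sub-)technique IDs.
SIMULATION_CATALOGUE = {
    "T1566.001": "Phishing: Spearphishing Attachment",          # malicious attachment
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1021.002": "Remote Services: SMB/Windows Admin Shares",   # lateral movement
    "T1048.003": "Exfiltration Over Unencrypted Non-C2 Protocol",
    "T1003.001": "OS Credential Dumping: LSASS Memory",
}


@dataclass(frozen=True)
class SimulationRun:
    run_id: str
    technique: str      # ATT&CK technique ID from the catalogue
    host: str
    started_at: datetime


@dataclass(frozen=True)
class Alert:
    technique: str      # technique the detection rule is tagged with
    host: str
    raised_at: datetime
    action: str         # "blocked" (prevented) or "alerted" (observed only)


@dataclass
class CoverageReport:
    blocked: list = field(default_factory=list)
    detected_only: list = field(default_factory=list)
    missed: list = field(default_factory=list)              # false negatives
    unexplained_alerts: list = field(default_factory=list)  # triage queue

    def coverage(self) -> float:
        """Fraction of simulation runs the stack at least detected."""
        total = len(self.blocked) + len(self.detected_only) + len(self.missed)
        return (len(self.blocked) + len(self.detected_only)) / total if total else 0.0


def correlate(runs, alerts, window=timedelta(minutes=5)) -> CoverageReport:
    """Match every run to alerts on the same host and technique inside `window`."""
    report = CoverageReport()
    matched = set()
    for run in runs:
        if run.technique not in SIMULATION_CATALOGUE:
            raise ValueError(f"unknown technique {run.technique} in {run.run_id}")
        hits = [i for i, a in enumerate(alerts)
                if a.technique == run.technique and a.host == run.host
                and run.started_at <= a.raised_at <= run.started_at + window]
        matched.update(hits)
        if any(alerts[i].action == "blocked" for i in hits):
            report.blocked.append(run.run_id)
        elif hits:
            report.detected_only.append(run.run_id)
        else:
            report.missed.append(run.run_id)
    report.unexplained_alerts = [a for i, a in enumerate(alerts) if i not in matched]
    return report


# Constructed sample data: one simulated campaign and what the SIEM reported.
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_RUNS = [
    SimulationRun("run-1", "T1566.001", "ws-finance-01", T0),
    SimulationRun("run-2", "T1059.001", "ws-finance-01", T0 + timedelta(minutes=10)),
    SimulationRun("run-3", "T1021.002", "srv-file-02", T0 + timedelta(minutes=20)),
    SimulationRun("run-4", "T1048.003", "srv-file-02", T0 + timedelta(minutes=30)),
    SimulationRun("run-5", "T1003.001", "ws-finance-01", T0 + timedelta(minutes=40)),
]
SAMPLE_ALERTS = [
    Alert("T1566.001", "ws-finance-01", T0 + timedelta(seconds=30), "blocked"),  # gateway quarantined it
    Alert("T1059.001", "ws-finance-01", T0 + timedelta(minutes=11), "alerted"),  # EDR saw it, did not stop it
    Alert("T1021.002", "srv-file-02", T0 + timedelta(minutes=21), "alerted"),
    Alert("T1021.002", "srv-file-02", T0 + timedelta(minutes=22), "blocked"),    # IPS cut the session
    Alert("T1003.001", "srv-file-02", T0 + timedelta(minutes=40), "alerted"),    # wrong host: not our run
    Alert("T1048.003", "ws-finance-01", T0 + timedelta(hours=3), "alerted"),     # outside every window
]

if __name__ == "__main__":
    report = correlate(SAMPLE_RUNS, SAMPLE_ALERTS)
    print("blocked:      ", report.blocked)
    print("detected only:", report.detected_only)
    print("missed:       ", report.missed)
    print("to triage:    ", len(report.unexplained_alerts), "alert(s)")
    print(f"coverage:      {report.coverage():.0%}")
```

On the sample data the harness reports runs 1 and 3 as blocked, run 2 as detected but not stopped, and runs 4 and 5 as missed (60% coverage), while the two unmatched alerts go to triage. The missed exfiltration run is exactly the kind of gap a manual assessment should chase, and the unexplained alerts show why a BAS report cannot be trusted without someone reviewing it.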
The work of highly certified ethical hackers can be aided by automated tools. These professionals keep up to date on the TTPs of malicious threat actors, analyze them and create custom exploits to bypass defenses. Unlike tools, hackers can get to work as soon as threats are announced by cybersecurity researchers and response teams, among other entities (e.g., the US Computer Emergency Readiness Team). And their assessments need not be limited to the techniques catalogued in the MITRE ATT&CK (adversarial tactics, techniques and common knowledge) framework or the vulnerabilities listed in the NVD (National Vulnerability Database).
Why do organizations conduct breach and attack simulations?
What are the implications of vulnerable systems? They include the risk of successful attacks whose impacts range from compromised information and data breaches to the temporary shutdown of critical services.
With the global costs of cyberattacks only getting higher (estimated to be 8 trillion dollars in 2023), technology development companies must take measures. What they look for is a solution to detect security issues that could compromise their system's availability and their data and that of users.
For this purpose, there are several security testing tools on the market. High rates of false positives and false negatives aside, automated tools can identify known vulnerabilities and issues, some of which may already have been exploited by malicious threat actors. But the tools cannot say whether the assessed systems can withstand real attacks.
Being up to date on actual and current threats is a priority, since the cybersecurity environment is constantly evolving. Just think of the advancing technological trends that connect us more and more to a digital world. For example, new Internet of Things devices flood the market (doorbells, speakers, toothbrushes, you name it), and they are generally lacking in security or improperly configured by users. Threat actors move at the speed of software innovation, testing ways to exploit vulnerable new technology. In this landscape, the teams validating the security of these products have to think like hackers.
What BAS brings organizations is a methodology for challenging their security controls with the purpose of optimizing them. The relentless simulated attacks are specially crafted and carried out along the whole cyber kill chain, targeting critical assets. To prevent a breach, attack simulation is a possible path.
What are the benefits of breach and attack simulations?
The following are the main benefits teams can expect from an advanced BAS solution:
It conducts security testing reproducing scenarios in which real threat actors today would attempt to bypass networks' defenses.
It tests a wide variety of security requirements, not only in internal networks but also in the enterprise perimeter.
It helps organizations validate areas of most exposure to risk in their networks so they can prioritize cybersecurity spend.