Closing the loop with Breach & Attack Simulation
As a CISO you are working day in, day out on a balanced security program that defends your organization against cyberattacks. Setting up your security program is not an easy task, as it typically takes years to reach maturity levels of organizational security. Maintaining your security controls and standards however is even more difficult. How do you ensure you continuously understand the resilience of your organization in the ever evolving world of cybercrime?
The inconvenient truth
At some point you may get a nagging feeling that some of the controls you have implemented may not work as well as advertised. You’re not alone in this feeling. Every CISO is aware of the steady flow of emerging threats, with threat actors coming and going, and new vulnerabilities, exploits, hacking tools and attack techniques being introduced every day. As a defender, you have to be on alert all the time. Your strategy program is never finished, you always have to work on selecting, updating, implementing and fine-tuning relevant security controls. After all, the only way to maintain significant levels of confidence is to constantly validate the resilience of your organization against known and emerging attack methods. This is the inconvenient truth about cybersecurity as we know it today.
Scenario-based penetration tests & red team exercises
To check the state of their security controls, most CISO’s typically perform scenario-based penetration tests or red team exercises. Whilst 99 out of 100 times the output of these tests and exercises warrant further investigation, there are limitations to these tests. They are great to get an understanding of how attack groups might penetrate your systems, yet they:
- Typically represent only a single type of adversary, while there’s a wide variety of threat actors relevant to your organization, with different skill sets and intends;
- Usually follow the path of least resistance to get to your assets, and as a consequence they do not map all possible paths, including the more complex and interdependent paths;
- Do not provide an overview of how well all your controls work, only on the ones that are in the way of the path of least resistance;
- Need to be performed on a regular basis, which is time consuming and expensive.
In the end, a red team will provide you an answer to the question ‘Can adversaries penetrate our systems?’. Whilst very valuable - especially when you avail over strong security controls - it does not answer the question ‘Are our security controls performing as they’re supposed to do?’. Scenario-based penetration tests and red team exercises are a strenuous way to get a measurable answer to the second question. To get this answer, you need to focus on something relatively new in the cyber domain: Breach Attack Simulation (BAS). BAS offers tooling for automated attack simulation to perform attack simulations whenever you like. Your security controls are tested continuously against more common and new threats. You are in the know all the time, and you are being alerted immediately if required.
BAS versus red teaming & scenario-based testing
The simulations offered by Breach Attack Simulation (BAS) tooling typically use a set of variations of the attack method, so that the results are less binary and more quantitative (indicating the percentage of variants that where stopped or effective). BAS offers the potential to validate the effectiveness of your security controls, particularly when combined with frontline knowledge and expertise from red teaming, MDR/XDR and IR specialists.
The below table provides a summary of how red teaming is different to breach attack simulation.
| Red team | Attack simulation |
| Craftmanship | Automation |
| Once a year | Regularly / continuously |
| Depth | Breadth |
| Qualitative | Quantitative |
| ‘Can they get in?’ | ‘How well does my security work?’ |
It is important to note that scenario-based pen tests and red teaming do complement breach attack simulation tools. One does not necessarily replace the other, they provide answers to different but equally relevant questions.
The principle of unit testing
BAS can be compared to a principle in software development called unit testing. In software development, it’s quite common to accompany low level pieces of computer code with a variety of small tests, executed in an automated fashion. These tests are called unit tests. When a complete piece of software is built, all of these tests need to succeed. Even the smallest of changes that negatively affect a seemingly unrelated piece of code will get to the surface. When the full code base is assembled, system tests are required to see if the system works as intended as well as a whole.
Imagine this approach of unit testing being applied to your security program and your underlying security controls. If specific controls are tested regularly on their performance against known past and current attack methods, you would get a much better picture of the performance of your security program. If a change occurs in control efficacy, you will know nearly immediately. In addition to unit testing, BAS can also be used to perform complex system tests by simulating the most complex attack scenario’s, such as ransomware. This approach enables organizations to validate their security posture and to test the effectiveness of the underlying security program and specific security controls. When applied in combination with threat modelling [1] and applied threat diagnostics [2] you’ll have closed the loop to ensure the resilience of your organization against digital adversaries.
How BAS works in practice: deeper knowledge, more resilience
Meet Peter, the CISO at a very R&D heavy organization. Peter is a superman, with (like most CISO’s) many different roles, from business partner to report creator. In his mission to get security higher on the agenda of his board, Peter wants to have a better understanding of the risks emerging ransomware attacks pose to his organization. As you’ll know, a ransomware attack consists of multiple attack phases and the number of attack phases varies per ransomware group. It is essentially a scenario that incorporates various attack techniques such as phishing, lateral movement and privilege escalation, which means that the attacks can be detected and stopped at each step of the attack progression. Peter understands that the better his company is trained at detecting these attacks, the less impact the attack will have on his organization.
Having spent a lot of time and budget in previous years on scenario-based testing and external red teams, Peter decided to invest in tooling for Breach Attack Simulation. This because he didn’t want to limit his testing to one specific group (scenario). He wants to test – in one single run – for all the attack scenario’s, used by all ransomware groups that are publicly known.
With the BAS solution, Peter’s team is now able to run daily tests on different scenario’s. They can test anti-phishing controls by sending 100 variants of phishing e-mails to a predefined inbox, and check the number of e-mails received, which would ideally be 0. But it goes further than this: if the efficacy of the phishing filter changes they notice this immediately. In a similar fashion the team now regularly tests endpoint controls. How well do they perform in detecting known hacking tools such as Mimikatz? How well does lateral movement and privilege escalation work?
The end result of all this is that Peter is now able to fine-tune and optimize the security controls of his organization. He avails over a feedback loop on his security program, which enables him to make data-driven decisions to adjust and improve security controls as well as the cyber security program as a whole. It also demonstrates how the resilience of his entire organization is changing over time.
How Hunt & Hackett helps
We believe in a system-thinking approach to cybersecurity. The constituent parts of a security strategy interrelate and everything needs to work together as a system to form the overall solution. This approach leads to more effective solutions than when technology is applied in isolation. After all, achieving cybersecurity resilience ultimately requires a holistic strategy for prevention, detection, response and validation.
And how valuable it may be, a breach & attack simulation tool is by itself not a silver bullet. The tool needs to fit your controls like a tailored suit and needs to be embedded in the organization. You also need the resources and capabilities to follow-up on the findings to ensure that your specific security controls are optimized. However, if deployed well, it will definitely improve your capabilities to validate security controls, with rich insights into the resilience of an organization against known attack methods.
We help you to get the most value out of BAS-tools through by offering BAS as a managed service. We deploy the tool, validate the payloads for its testing purpose, apply the relevant attack scenario’s and unit tests to your organization and optimize your security controls. Our frontline (offensive) experts ensure that the right controls are tested, with the right set of tests. This way we’ll develop a threat model that incorporates your relevant threat actors, and your most valuable assets. And, if combined with our services for Managed Detection & Response (MDR), Threat Hunting and Threat Diagnostics, you’ll avail over a closed loop. A closed loop that will enable you to outsmart your digital adversaries.
Sources:
[1] https://www.huntandhackett.com/blog/threat-modelling-as-starting-point
[2] https://www.huntandhackett.com/blog/applied-threat-diagnostics