
Breach and Attack Simulations

This document discusses breach and attack simulations (BAS), which allow organizations to test their cybersecurity defenses through automated simulated attacks. BAS platforms emulate common hacking techniques to identify vulnerabilities across an organization's network, endpoints, firewalls, email systems, and other components. Test results from BAS are provided in reports that identify security gaps and recommend actions to strengthen defenses. The advantages of BAS over traditional security testing methods include being more comprehensive through continuous automated testing and providing actionable insights to guide cybersecurity improvements.

Uploaded by

Rama Raymond
Breach and Attack Simulations: How to Find the Gaps in Your Cyber Defenses

Why Do Gaps in Security Exist?


Simply put, there’s no perfect technology. Software, including operating systems, applications, and even security solutions, often contains bugs that can be exploited by attackers. Since software applications continually receive changes and updates, there’s always a possibility that flaws will be introduced to your network.

Poor implementation is another risk. It’s common for organizations and IT teams to rush their adoption of security tools. In doing so, certain steps or configurations may be overlooked when setting up security solutions. Even the most expensive top-of-the-line solutions may be rendered useless if badly deployed.

For example, you may have the most stringent firewall policies in place to prevent hackers from breaching your network from the outside. However, if your endpoint protection is lacking, malware can still find its way into your network. If a careless staff member inserts an infected USB thumb drive into a workstation, malware can easily spread from there.

Cybersecurity Vulnerabilities: How We Typically Find Gaps

To find these gaps, it’s crucial to regularly test your defenses by going on the offensive on your own networks. Conventionally, this is done through the following security validation methods:

• Vulnerability Scanning. You can use vulnerability scanners to identify the various vulnerabilities across your infrastructure components. They can check for outdated software, open ports, and expired certificates found across your network.
• Penetration Testing. With penetration tests, testers look to see how far they can go in breaching your network by employing similar tactics used by real-world hackers.
• Red and Blue Teaming. This is like war games played on your infrastructure. The red team plays the role of hackers by trying to breach your system. The blue team acts in your defense by preventing the success of the red team’s attack.

These methods, however, have limitations. Reports from vulnerability scans often simply list found vulnerabilities, leaving you to figure out what action is needed to remedy the issues. They can also produce false positives and flag issues that might not have much impact on security.

Penetration tests and red teaming, meanwhile, are resource-intensive activities. While penetration testing tools such as Metasploit and Kali are free, tests still have to be carried out by highly skilled security professionals, and the effectiveness of these tests is largely dependent on the skills of those individuals. A single network penetration test can easily cost $5,000, and that estimate is on the low end of the ballpark. Needless to say, routinely performing such tests can be quite expensive, especially if you have a limited security budget.

What Are Breach and Attack Simulations (BAS)?

According to Cymulate, BAS platforms simplify testing by allowing users to perform a variety of automated and customizable simulated attacks for a full security validation. Breach and attack simulations are a great way for enterprises and other large organizations to emulate and better understand real-world cyber attacks. BAS technologies help organizations embrace automation in cybersecurity and allow organizations to perform consistent assessments while tying up fewer resources.

Although BAS technologies have existed for many years, Gartner appears to have coined the phrase in its report Hype Cycle for Threat-Facing Technologies, 2017:

“Breach and attack simulation (BAS) technologies use agents and other means to simulate attacks against enterprise infrastructure. BAS can effectively emulate insider threats, lateral move or data exfiltration techniques without the risks to production environments inherent with other testing approaches.”

How BAS Works: An Overview


Breach and attack simulations look to improve upon traditional testing methods by letting users check their security controls easily and quickly. In a way, BAS can be viewed as the combination of vulnerability scanning and penetration testing packaged as a do-it-yourself solution.

BAS platforms are mostly available today as software-as-a-service (SaaS). These cloud-based applications host the modules that carry out the tests automatically, unlike penetration tests, where people perform the hack attempts. With BAS, a software agent is typically installed on a computer that sits within the network and is responsible for interacting with the cloud solution during testing.

The simulated attacks technically use malware and hack tools that are specially configured to trigger and monitor responses from your security solutions. However, unlike malware from real-world cyber attacks, those used in BAS do no real damage to your infrastructure.

The Nitty-Gritty of Breach and Attack Simulations

Here are several ways BAS tests the various attack vectors and the solutions that protect them:

• Test Your Email Defenses. The breach and attack simulation platform sends a variety of messages to your email service that contain different types of infected file attachments (such as malware, ransomware, worms, and other payloads). This can test email filters, antivirus software, and sanitization solutions.
• Identify Gaps in Your Browser and Website Defenses. The platform connects to dummy websites and pages containing malicious forms and scripts via HTTP/HTTPS protocols. The tests can check which pages make it past internet security filters and whether endpoint protection can prevent malicious files from being successfully downloaded by the browser.
• Check the Strength of Your Firewall(s). The platform can attack a specific URL (such as your company’s web portal or application) to find ways to circumvent the firewall that protects it. It tests whether the firewall can deter incoming malicious traffic. To take these attacks to the next level, BAS can also attempt to mine sensitive information and carry out cross-site scripting (XSS) and injection attacks to breach the firewall.
• Test Common Social Engineering Tactics. BAS can launch dummy phishing campaigns on your own email systems to emulate social engineering attacks. Phishing emails, which can be customized for authenticity, are sent to real users within your organization. The test checks if users will actually click on malicious links. This helps you to identify which staff members need more training in social engineering awareness.
• Test the Effectiveness of Endpoint Security Solutions. BAS platforms can check if malware (including viruses, ransomware, spyware, and worms) is able to exist and execute on workstations. They can also test and map out how malware can spread across your devices. This allows you to verify whether your solutions can detect and prevent the spread of malware within your network.
• Identify Potential Network Attack Vectors. BAS can also simulate scenarios in which an attacker successfully breaches your network. This simulation helps you see whether an attacker can move laterally across devices using exploits, privilege escalation, and pass the hash validation requirements. The platform can also test if data can be exfiltrated and sent to a destination outside the network.

Some BAS technologies draw from knowledge bases like MITRE ATT&CK as references to the many possible tactics and techniques that hackers can employ. This makes the simulated attacks as realistic as possible.

BAS Technology Features, Reports, and Recommendations

The test results from breach and attack simulations come in the form of comprehensive reports and scorecards that identify the gaps and vulnerabilities across your infrastructure components. They also provide information on how well or poorly your solutions perform against the simulated attack.

But rather than simply generating a list of vulnerabilities, the results offer recommendations on how to plug the gaps and strengthen your defenses.

Sometimes, it’s nice to be able to “set it and forget it.” BAS platforms also allow tests to be scheduled, which helps ensure that important testing simulations don’t fall between the cracks. This way, you can periodically check if any of your security measures are failing or suffering from any faults and downtime.

Some tools even provide notification and alert features that warn you of new and emerging vulnerabilities and threats. This way, you can stay informed about whether any of your components are affected.
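
To make the scorecard and scheduled-run ideas concrete, the following is an added example (not code from the original document or from any BAS vendor) that turns simulation results into a per-vector score, lists the gaps, and flags controls that got worse between two scheduled runs. The record format, the outcome labels, and the sample results are constructed assumptions; the technique IDs are MITRE ATT&CK identifiers.

```python
from collections import defaultdict

# Constructed sample results from two scheduled runs (not real product output).
# Record: (attack vector, ATT&CK technique ID, outcome)
RUN_PREVIOUS = [
    ("email", "T1566.001", "blocked"),
    ("web", "T1189", "blocked"),
    ("endpoint", "T1091", "detected"),
    ("lateral_movement", "T1550.002", "missed"),
    ("exfiltration", "T1041", "blocked"),
]
RUN_CURRENT = [
    ("email", "T1566.001", "blocked"),
    ("web", "T1189", "missed"),
    ("endpoint", "T1091", "detected"),
    ("lateral_movement", "T1550.002", "detected"),
    ("exfiltration", "T1041", "blocked"),
]
# Higher rank means the control handled the simulation better.
RANK = {"missed": 0, "detected": 1, "blocked": 2}

def scorecard(results):
    """Percentage of simulations per vector that were blocked or detected."""
    total, stopped = defaultdict(int), defaultdict(int)
    for vector, _technique, outcome in results:
        if outcome not in RANK:
            raise ValueError(f"unknown outcome: {outcome!r}")
        total[vector] += 1
        stopped[vector] += outcome != "missed"
    return {v: round(100 * stopped[v] / total[v]) for v in total}

def gaps(results):
    """Simulations that no control stopped or noticed."""
    return sorted((v, t) for v, t, o in results if o == "missed")

def regressions(previous, current):
    """Simulations whose outcome is worse now than in the previous run."""
    before = {(v, t): o for v, t, o in previous}
    worse = []
    for v, t, o in current:
        old = before.get((v, t))
        if old is not None and RANK[o] < RANK[old]:
            worse.append((v, t, old, o))
    return sorted(worse)

if __name__ == "__main__":
    print("scorecard:", scorecard(RUN_CURRENT))
    print("gaps:", gaps(RUN_CURRENT))
    print("regressions:", regressions(RUN_PREVIOUS, RUN_CURRENT))
```
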

The Advantages of Using BAS Within Your Organization

While BAS platforms essentially combine the capabilities of conventional cybersecurity testing and assessment methods, they hold several advantages over them. These advantages include:

• Comprehensiveness. While penetration tests and red teaming are often limited by the scope agreed upon with the testers, BAS allows for a wider range of tests to be performed across all potential vectors. BAS even scales up both methods as it allows for repeated and continuous testing, which is difficult to do through conventional methods.
• Actionability. Vulnerability scanning often simply lists found vulnerabilities, requiring you to sift through and make sense of information before you can actually do anything. BAS provides actionable insights in the reports so you can make more targeted adjustments to your security measures immediately.
• Timeliness. Penetration tests and red team exercises have to be coordinated and scheduled. With software and systems receiving daily updates, reports from these tests may quickly become outdated. Since BAS tests give quick results, they can give you a more accurate picture of your defenses.
• Convenience and Ease of Use. Many BAS platforms are intuitive, offering easy-to-use interfaces and dashboards. This means that you don’t have to be a highly skilled white hat hacker to see whether your defenses are vulnerable. Some services are available as cloud-based platforms, which allows you to run tests from basically anywhere.
• Cost-Effectiveness. Although not necessarily cheap, BAS allows multiple tests to be run both on-demand and on schedule. Penetration tests and red team exercises are tough to conduct on a whim, and doing them often comes with a big price tag. Running a penetration test, even on a monthly basis, can easily cost tens of thousands of dollars per year. BAS doesn’t have such limitations because it uses automated simulations.
