Advanced Persistent Threats (APTs) put intolerable pressure on enterprise cybersecurity countermeasures. Generally reactive in nature, today’s standard cybersecurity controls are overly reliant on detecting and responding to immediate incidents. This approach may be suitable for some attacks, but it does not work well with slow-moving, stealthy APTs. For better defense, enterprises are starting to turn to Breach and Attack Simulation (BAS) solutions, which test security on an automated and continual basis.
The Deficiency of Reactive Cybersecurity
The reality is that state-sponsored APTs now routinely outgun security controls. It’s not a fair fight. In the event of a security incident, forensic evidence helps trace what happened, but it can’t identify the control breakdowns that would have kept the attacker away from the crown jewels in the first place. Even when they’re properly configured, security controls can still fail in the face of diligent, stealthy attackers, and against APTs they often prove both deficient and overly reactive. To get better at risk mitigation, it’s necessary to simulate breaches and attacks to spot (and fix) the places where you’re truly vulnerable.
What is Breach and Attack Simulation?
Breach and Attack Simulation software is an emerging cybersecurity countermeasure that expands on existing “Red Teaming” techniques. Red teaming, a term borrowed from the military, refers to hiring hackers to try to penetrate an enterprise’s defenses in order to reveal weaknesses. BAS tools automate some of the red team attack processes. In this way, the tool continuously and automatically simulates cyber-attacks and highlights where the “Blue Team” of SecOps staffers need to focus their protection efforts.
Advantages of Breach and Attack Simulation include:
> Testing continuously, with automated probing of hidden security holes — The inevitable churn of people and change cycles leaves gaps in security. These include unpatched servers, misconfigured firewalls, shadow IT and so forth. Periodic testing will be too late to catch the holes that naturally open up over time.
> Simulating multiple, different attacks in a very short period of time — You may be vulnerable to one kind of attack, but not to another. With BAS, you can quickly gauge security based on more than one hypothetical attack type.
> Focusing your red team where they’re most needed — Security always reflects choices about money and resource allocation. BAS gives you the ability to “red team” more broadly and cost-effectively, focusing your actual, human red team on selected areas of your infrastructure that need their attention the most.
> Mimicking the attack style of known entities, such as a certain nation state actor — Depending on your industry and location, you may need to orient your cyber defense against a specific attacker. For example, US defense contractors face attacks suspected to originate with Chinese state intelligence services. Such actors have distinctive attack patterns you can test against.
> Testing the security of specific data assets — Databases, applications and network appliances each have unique vulnerabilities and controls that need to be tested continuously to ensure the highest level of protection.
> Testing the efficacy of new security controls, hardening policies and so forth — New controls need thorough, automated attack simulation before they can be trusted in production. BAS lets you test deeply for flaws in controls in advance of deployment.
Cyber-Attack Simulation: Why You Need It. How to Use It.
Breach simulation using a breach and attack simulation platform, also known as cyber-attack simulation software, is (or should be) part of a broader move toward proactive cyber defense. APTs don’t stand still. The attackers move laterally and silently through networks. The best practice is to be on the offensive, constantly probing for vulnerabilities and evidence that attackers are moving around your network.
There are also good and better ways of using BAS techniques. Some BAS platforms and processes focus on determining whether a simulated breach will trigger any system alerts, e.g. cause an Intrusion Detection System (IDS) to “notice” that someone has tried to enter the network. This has value, but it is not an optimal approach. APT attackers are typically good enough to bypass the alarms. What you really want to know is whether an attacker can reach assets inside your network, whether or not the alarm goes off. A strong proactive cyber defense is geared toward detecting suspicious activity and closing the holes in your security regardless of whether an alert fires, before your crown jewels are gone forever.
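The distinction drawn above, between grading a simulation by whether it tripped an alarm and grading it by whether the target asset was actually reached, as an added example that is not code from the original article or from any BAS product: a small Python grader that scores the same constructed simulation results both ways, so the gap between the two metrics is visible. The scenario names, asset names and result fields are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SimResult:
    """Outcome of one automated attack simulation step against one asset."""
    scenario: str        # technique simulated, e.g. "lateral-move-smb" (assumed name)
    asset: str           # crown-jewel target, e.g. "db-finance-01" (assumed name)
    alert_fired: bool    # did the IDS/SIEM raise an alert for this step?
    asset_reached: bool  # did the simulation actually touch the asset?

def classify(r: SimResult) -> str:
    """Grade by outcome first (was the asset reached?), alert second."""
    if not r.asset_reached:
        return "prevented"          # control held; an alert is a bonus here
    if r.alert_fired:
        return "reached-detected"   # alarm rang, but the asset was still exposed
    return "reached-silent"         # worst case: asset exposed and nobody told

PRIORITY = {"reached-silent": 0, "reached-detected": 1, "prevented": 2}

def gap_report(results):
    """Findings sorted so silent breaches land at the top of the blue team's list."""
    graded = [(classify(r), r) for r in results]
    graded.sort(key=lambda g: (PRIORITY[g[0]], g[1].asset, g[1].scenario))
    return [(grade, r.scenario, r.asset) for grade, r in graded]

def alert_pass_rate(results) -> float:
    """The alert-centric metric the text warns about: share of steps that raised an alert."""
    return sum(r.alert_fired for r in results) / len(results)

def outcome_pass_rate(results) -> float:
    """The outcome-centric metric: share of steps where the asset was never reached."""
    return sum(not r.asset_reached for r in results) / len(results)

# Constructed sample results for a hypothetical environment.
SAMPLE = [
    SimResult("phish-macro",      "ws-hr-12",      alert_fired=True,  asset_reached=False),
    SimResult("lateral-move-smb", "db-finance-01", alert_fired=True,  asset_reached=True),
    SimResult("creds-dump",       "dc-01",         alert_fired=False, asset_reached=True),
    SimResult("exfil-dns",        "db-finance-01", alert_fired=False, asset_reached=True),
]

if __name__ == "__main__":
    print(f"alert-based pass rate:   {alert_pass_rate(SAMPLE):.0%}")   # 50%
    print(f"outcome-based pass rate: {outcome_pass_rate(SAMPLE):.0%}") # 25%
    for grade, scenario, asset in gap_report(SAMPLE):
        print(f"{grade:17} {scenario:18} {asset}")
```

On the constructed sample the alert-based score is twice the outcome-based score, which is exactly the overstatement an alert-only BAS process produces.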