Today we have three main strands of infrastructure technical security assurance testing:
- Identification and analysis of asset software vulnerabilities - Vulnerability Assessment & Management
- Exploitation of identified vulnerabilities - Penetration Testing
- Real world simulations of a Cyber Attack against People-Tech-Process - Red Teaming
Breach Attack Simulation (BAS) solutions present the market with a highly compelling value proposition, but they often raise questions such as "Why BAS when we have pen testing?" and "Why BAS when we do Red Teaming occasionally?"
To answer this simply, refer to the diagram above, which joins up the strands in terms of breadth of coverage and depth of risk context. Let's lay out each strand of testing:
- Vulnerability assessments tend to be broad in coverage but narrow in depth of risk context. Consider a vulnerability assessment of all enterprise workstations and servers. The scope is very broad, but not very deep in the context of organisational risk. What can be said about risk when vulnerabilities are identified? Risk can only be understood at the asset level; overall risk to the organisation may be extrapolated to a small degree, but the findings generally stay at the asset level. Vulnerability assessments are good at reducing the asset attack surface but do not provide further value in terms of overall security posture risk.
- Penetration testing takes vulnerability assessment to the next level by exploiting and proving out potential attack paths. Penetration tests can often look and feel like a red team engagement and even use some of the same tools or techniques. The key difference lies in the scope. The scope of a penetration test is to execute an attack against a target system to identify and measure the risks associated with the exploitation of that target's attack surface. Organisational risks can be indirectly measured and are typically extrapolated from some technical attack. What about the people and processes? And what about all those security controls that should be detecting, protecting against and mitigating the exploitation of your assets?
- This leaves a blind spot.
- Red Team engagements are scenario-based engagements driven by specific threat goals and objectives. Red teaming focuses on security posture as a whole and includes people, processes and technology. It specifically focuses on goals related to training SOC defence (Blue) teams, or on measuring how security operations perform against a threat actor's ability to execute on their tactical goals via purple teaming. Technical flaws are secondary to understanding how the threat was able to manifest and impact an organisation's defensive security operations. The problem is that Red Teams, now more than ever, need to spend more time on R&D of novel techniques to evade defences. Because they are primarily objective driven (think TIBER), they cannot scale to continually assure the plethora of deployed security controls and IR processes, test their efficacy, or help to optimise them continuously.
- This also leaves a blind spot.
- A Red Team's real value is at the apex of the inverted pyramid in the diagram, which is focused on defensive evasion and unknown unknowns (zero days, as they say): the cat-and-mouse playbook!
- Breach Attack Simulation fills the void where pen testing is blind to security controls, people and process. It also force-multiplies a Red Team's limited ability to conduct testing at scale, right across an organisation's IT, on demand. BAS platforms also provide centralised dashboards for MITRE ATT&CK tracking, live CISO dashboards and reporting that explain the context of overall risk to non-technical audiences, using metrics that answer the question "What does all this mean?" more clearly than a technical Red Team report full of jargon. BAS platforms contain a large catalogue of attack techniques and procedures that have been used in the wild by real APTs, e-crime and ransomware groups over several years (known knowns), and are continually fed with the emerging techniques and procedures of newly observed threats identified by leading threat intelligence agencies and global TI communities. BAS vendors usually define an SLA for how quickly emerging threats are deployed into the platform. This presents an additional key feature: it turns the BAS platform into a threat-intelligence-led testing capability, all in one.
BAS is not a replacement for the three strands; it is the missing piece of the technical security assurance jigsaw. It commoditises elements of Red Teaming whilst also nudging offensive and defensive specialists into the same camp (threat technique exchange = threat-informed defence). Its primary objective is to optimise an organisation's end-to-end security posture and prove out value and ROI in security technology investments and security architecture programme assurance.
Finally, as things progress, we see BAS platforms innovating to extend their reach: EDR tool auto-remediation, threat exposure management (assessing asset vulnerability risks against the efficacy of deployed security controls), Azure AD (now Entra) attack path analysis, and external attack surface analysis (the outside-in view). Interesting times ahead!
For further information on how Alchemmy Security & Resilience can bring all this to life, as well as advisory and validation services, contact our sales team directly.
Comment (1 year ago) from Founder at Validato | Security Validation | Threat Simulation | Cyber Risk specialist | Third Party Risk: Nice article Steve Eyre