What is breach and attack simulation?

Breach and attack simulation (BAS) is an automated and continuous software-based approach to offensive security. Similar to other forms of security validation such as red teaming and penetration testing, BAS complements more traditional security tools by simulating cyberattacks to test security controls and provide actionable insights.

Like a red team exercise, breach and attack simulations use the real-world attack tactics, techniques, and procedures (TTPs) employed by hackers to proactively identify and mitigate security vulnerabilities before they can be exploited by actual threat actors. However, unlike red teaming and pen testing, BAS tools are fully automated and can provide more comprehensive results with fewer resources in the time between more hands-on security tests. Providers such as SafeBreach, XM Cyber, and Cymulate, offer cloud-based solutions which allow for the easy integration of BAS tools without implementing any new hardware.

As a security control validation tool, BAS solutions help organizations gain a better understanding of their security gaps, as well as provide valuable guidance for prioritized remediation.

Breach and attack simulation helps security teams to:

• Mitigate potential cyber risk: Provides early warning for possible internal or external threats empowering security teams to prioritize remediation efforts before experiencing any critical data exfiltration, loss of access, or similar adverse outcomes.
• Minimize the likelihood of successful cyberattacks: In a constantly shifting threat landscape, automation increases resiliency through continuous testing.

BAS solutions replicate many different types of attack paths, attack vectors and attack scenarios. Based on the real-world TTPs used by threat actors as outlined in the threat intelligence found in the MITRE ATT&CK and Cyber Killchain frameworks, BAS solutions can simulate:

• Network and infiltration attacks
• Lateral movement
• Phishing
• Endpoint and gateway attacks
• Malware attacks
• Ransomware attacks

Regardless of the type of attack, BAS platforms simulate, assess and validate the most current attack techniques used by advanced persistent threats (APTs) and other malicious entities along the entire attack path. Once an attack is completed, a BAS platform will then provide a detailed report including a prioritized list of remediation steps should any critical vulnerabilities be discovered.

The BAS process begins with the selection of a specific attack scenario from a customizable dashboard. Besides running many types of known attack patterns derived from emerging threats or custom-defined situations, they can also perform attack simulations based on the strategies of known APT groups, whose methods may vary depending on an organization’s given industry.

After an attack scenario is initiated, BAS tools deploy virtual agents within an organization’s network. These agents attempt to breach protected systems and move laterally to access critical assets or sensitive data. Unlike traditional penetration testing or red teaming, BAS programs can use credentials and internal system knowledge that attackers may not have. In this way, BAS software can simulate both outsider and insider attacks in a process that is similar to purple teaming.

After completing a simulation, the BAS platform generates a comprehensive vulnerability report validating the efficacy of various security controls from firewalls to endpoint security, including:

1. Network security controls
2. Endpoint detection and response (EDR)
3. Email security controls
4. Access control measures
5. Vulnerability management policies
6. Data security controls
7. Incident response controls

While not intended to replace other cybersecurity protocols, BAS solutions can significantly improve an organization’s security posture. According to a Gartner research report, BAS can help security teams uncover up to 30-50% more vulnerabilities compared to traditional vulnerability assessment tools. The main benefits of breach and attack simulation are:

1. Automation: As the persistent threat of cyberattacks grows year over year, security teams are under constant pressure to operate at increased levels of efficiency. BAS solutions have the ability to run continuous testing 24 hours a day, 7 days a week, 365 days a year, without the need for any additional staff either on premises or offsite. BAS can also be used to run on-demand tests, as well as provide feedback in real time.
2. Accuracy: For any security team, especially ones with limited resources, accurate reporting is crucial for efficient resource allocation—time spent investigating non-critical or falsely identified security incidents is wasted time. According to a study by the Ponemon Institute, organizations using advanced threat detection tools such as BAS experienced a 37% reduction in false positive alerts.
3. Actionable insights: As a security control validation tool, BAS solutions can produce valuable insights highlighting specific vulnerabilities and misconfigurations, as well as contextual mitigation recommendations tailored to an organization’s existing infrastructure. Additionally, data-driven prioritization helps SOC teams address their most critical vulnerabilities first.
4. Improved detection and response: Built on APT knowledge bases like MITRE ATT&CK and the Cyber Killchain, and also integrating well with other security technologies (e.g., SIEM, SOAR), BAS tools can contribute to significantly improved detection and response rates for cybersecurity incidents. A study by the Enterprise Strategy Group (ESG) found that 68% of organizations using BAS and SOAR together experienced improved incident response times. Gartner predicts that by 2025, organizations using SOAR and BAS together will experience a 50% reduction in the time it takes to detect and respond to incidents.

While integrating well with many different types of security tools, industry data indicates a growing trend toward integrating breach and attack simulation and attack surface management (ASM) tools in the near future. As Security and Trust Research Director of the International Data Corporation, Michelle Abraham said, “Attack surface management and breach and attack simulation allow security defenders to be more proactive in managing risk.”

Whereas vulnerability management and vulnerability scanning tools assess an organization from within, attack surface management is the continuous discovery, analysis, remediation and monitoring of the cybersecurity vulnerabilities and potential attack vectors that make up an organization’s attack surface. Similar to other attack simulation tools, ASM assumes the perspective of an outside attacker and assesses an organization’s outward-facing presence.

Accelerating trends toward increased cloud computing, IoT devices, and shadow IT (i.e., the unsanctioned use of unsecured devices) all increase an organization’s potential cyber exposure. ASM solutions scan these attack vectors for potential vulnerabilities, while BAS solutions incorporate that data to better perform attack simulations and security testing to determine the effectiveness of security controls in place.

The overall result is a much clearer understanding of an organization’s defenses, from internal employee awareness to sophisticated cloud security concerns. When knowing is more than half the battle, this critical insight is invaluable for organizations seeking to fortify their security.