Breach & Attack Simulation: “Next-Generation” Vulnerability Management?

In the ongoing game of cat-and-mouse in the cybersecurity space, the dimensions of defense strategies evolve, especially for enterprise-grade organizations. Since attackers are becoming gradually more organized and are focusing on strategic, economic, or nation-state goals, IT security products providers and their customers need to focus on an integrated security environment that covers large parts of common kill chain models. However, assessing the efficacy of implemented measures still poses a challenge. Although penetration tests provide valuable insight, they can only show selective results on a company’s posture, even if conducted regularly. Addressing these issues, products focusing on “Breach and Attack Simulation” (BAS) and “Automated Penetration Testing” are aiming to close the gap of missing reporting channels in terms of the efficiency of security environments.

Breach and Attack Simulation embeds itself into established vulnerability management processes to minimize vulnerability-induced risk. Traditional vulnerability management generally comprises Asset Management, Patch Management, Vulnerability Intelligence (Verification) and Penetration Tests. Unfortunately, proper verification of vulnerability data and penetration test suffer from the fact that many steps need to be executed manually. Additionally, those measures often only provide intermittent insight.

To counteract, Breach and Attack Simulation tools focus on the automated assessment of an IT environment and its security infrastructure continuously. They incorporate current attack and vulnerability information in order to deliver accurate threat models and to mimic human approaches to penetration testing. As a result, customers obtain prioritized vulnerability reports with weighted action items and mitigation options.

Use Cases and Capabilities

As observed in recent market development, BAS solutions leverage various techniques of vulnerability management’s four principles in order to address the following use cases:

  • Efficiency of in-place defense measures: BAS products cover both, an IT security product’s effectiveness (i.e., the right capabilities) and its efficiency (i.e., capabilities in the best possible way) as well as achieved technological improvements. By combining threat intelligence and advanced attack scenarios, BAS tools mainly focus on identifying misconfigurations and misconceptions in the usage of IT security products while also delivering insight into architectural optimization potential.
  • Qualification of potential breach impact: In case of a successfully executed attack, BAS solutions also try qualifying its potential impact. BAS solutions approach this terrain by automatically assessing attack-affected data and by providing related data to analysts for a manual investigation. Equipped with reporting and prioritization features, they provide guidance and high-priority action items to increase the overall security level of the organization.
  • Automated, continuous evaluation: As BAS products focus on the automated attack, users can continuously test the network’s resiliency against emerging threats and evaluate their security posture. By running automated attacks, obvious attack vectors can be checked automatically while specialists are able to focus on more sophisticated or compound strategies.
  • Shadow IT discovery: BAS tools usually also try to discover and to detect assets within the organization, while focusing on those being vulnerable to subsequent attacks. To achieve this, many BAS products leverage network scanning techniques, asset and configuration databases, or real-time states and configurations of network devices.

Current Approaches

When determining the strategies taken by current vulnerability management or breach and attack simulation systems, two main philosophies need to be taken into account. In general, the tools differ depending on whether the attacks are carried out intrusively or simulated in a safeguard environment.

Model-based Attack Simulation

Looking at the first way of simulating or automating penetration tests, products often offer to genuinely depict the customer’s network to carry out attack simulations in a derived network model. By doing so, it is possible to ensure that no productive environment suffers any harm.

To incorporate the network’s architecture, the products leverage two approaches (or a combination):

  • Actively gathering information about the particular environment leveraging both passive and active techniques, including network and port scanners, or they take advantage of deposited connections to further assets/network segments.
  • Incorporating information of asset management databases and by directly connecting to network devices to obtain and parse their respective configuration.

In a simulation, the respective network segment is logically rebuilt to depict the real-world surface of each asset. Additional information about the criticality of contained data or the application running is either provided manually by the customer or determined automatically based on metadata. Thus, model-based BAS products can identify high-value assets whose compromise may have a high impact on a production environment, and react with proper priorities. For the simulation of an attack, those products usually leverage current intelligence and vulnerability data to assess potential exploits. Furthermore, they examine connections to further systems to showcase possible lateral movement gaps or the posture against of self-propagating malware.

Intrusive Attack Simulation

More intrusive BAS solutions are capable of attacking actual assets in the live network, applying techniques inspired by real-world attack scenarios to allow for an assessment of the current security posture. The current state of the network (and all activities happening as the simulation is conducted) directly affect the simulation’s outcome. This may reduce overhead in simulation preparation and enables prompt feedback to the network’s current security posture.

Usually, users need to deploy additional assets (such as fake endpoints or additional web servers) in a tactically smart manner to cover all valuable targets. As an alternative to vendor-provided virtual appliances, customers can also deploy dedicated endpoint agents on actual machines. With the deployment of local components in the customer’s network, breach and attack simulation products can test both, externally-driven attack scenarios and those emerging from the inside (e.g., lateral movement attempts). For external attacks, the management component is often provided as SaaS, allowing for a full black-box approach against the user’s security posture. A major advantage of testing against “real” assets is the permanent monitoring of the customer’s IT security infrastructure: customers can continuously track changes of their security posture (including unintended errors in temporary misconfigurations) and react accordingly. However, in-place detection mechanisms need to be aware of BAS-related campaigns so as not to flood analysts with further alerts.

More rigorous services aim to test directly against productive environments in an automated or semi-automated fashion. By leveraging an initial foothold in the enterprise’s network, available network assets are probed and tried for exploitation; in most cases, users have to confirm potentially breaking actions.

Outlook

The whole market is still in its early stage of emergence; many disparate approaches are covering partly overlapping use cases. Therefore, the desired benefit of the services might not be entirely deduced yet. Also, the current state of the product cluster leaves space for market and feature consolidation, including already established vulnerability management vendors. It remains to be seen, whether a single approach will prevail or whether there is enough room for multiple deployment types and strategies.

Prior to implementation, potential customers should analyze upfront which strategy they want to invest in. To test an actual security infrastructure and managing devices altogether, an intrusive approach (either using vendor-deployed “fake” infrastructure or productive assets) would be favorable most of the times since whole environment segments can be tested at once. Individual assessments of single endpoints with regard to their patch level and vulnerability state as well as the impact of those to breaches can be achieved best when using a model-based approach. However, BAS tools, in general, can only support users by doing their duty to question implemented security measures. The identification of more sophisticated attack vectors, zero-day attacks and blind spots regarding social engineering cannot be conducted as the product are usually executed without human interaction or supervision.

The main objective of the products is not to add another layer of defense, since measuring the current posture and reducing the attack surface is the main focus. In contrast to more traditional approaches, results obtained from a simulation can be much more actionable and timely, especially with regard to the automated prioritization of issues as well as scheduled campaigns or continuously running attacks. Also notable is that Breach and Attack Simulation products do not release users from the obligation of implementing operational processes needed for successful vulnerability management. Furthermore, identified weaknesses still need to be taken care of – it is not sufficient to just identify them.

Who we are
The “Technology Scouting & Evaluation” (TSE) service identifies and evaluates promising IT security solutions. With this service, DCSO supports companies in staying ahead of a dynamic and ever-changing market. The centralized and unbiased evaluation process is supplemented with the experience of all community members.