Breach and Attack Simulation Tools: 3 Approaches [Discussed]
Since Gartner introduced the new domain of Breach and Attack Simulation (BAS) in its Hype Cycle for Threat-Facing Technologies, 2017, BAS has been growing rapidly. The reason is simple: cyberattacks are on the rise. It is no wonder that the World Economic Forum’s 2018 Global Risks Report named cyberattacks among the top three risks to global stability (yes, you read that right: global stability).
Moreover, cybercriminals continuously learn and devise new ways of breaching the security of organizations and sabotaging their critical data. That’s not all: “the financial impact of cybersecurity breaches is rising … Notable examples included the WannaCry attack—which affected 300,000 computers across 150 countries—and NotPetya, which caused quarterly losses of US$300 million for a number of affected businesses,” according to the World Economic Forum.
However, Breach and Attack Simulation (BAS) is not perfect. Whether you are a business owner or a security specialist, you must understand its fundamentals to get the most out of this emerging technology. There are three approaches used in Breach and Attack Simulation, each with its own set of capabilities, advantages, and disadvantages. In this guide, you will learn the basics of Breach and Attack Simulation, its three approaches, and their pros and cons.
What is Breach and Attack Simulation?
Breach and Attack Simulation (BAS) is the set of technologies and tools that “allow enterprises to continually and consistently simulate the full attack cycle (including insider threats, lateral movement and data exfiltration) against enterprise infrastructure, using software agents, virtual machines, and other means,” according to Gartner. In other words, BAS is a modern set of tools that helps you test and validate your organization’s security infrastructure.
The traditional application security technologies include intrusion detection and prevention systems, manual or automated penetration testing, and vulnerability scanners. These technologies, in combination, help detect and prevent breaches and test for security vulnerabilities. However, Breach and Attack Simulation offers one major advantage over these traditional technologies: BAS tools simulate and test attacks continually and consistently, rather than at a single point in time.
That is why Breach and Attack Simulation solutions are taking the market by storm. “The Global Automated Breach and Attack Simulation market accounted for $93.94 million in 2018 and is expected to reach $1,683.07 million by 2027 growing at a CAGR of 37.8% during the forecast period. Some of the factors such as demand for prioritizing security investments and complexity in managing vulnerabilities from various sources are driving the market,” according to Business Wire.
3 Approaches Used by BAS Solutions
Now that you have read about the basics of Breach and Attack Simulation, let’s look at the three approaches such solutions use. You will learn their fundamental features along with their benefits and drawbacks.
1] Agent-based Vulnerability Scanning Solutions
A number of vendors have taken vulnerability scanning tools and extended them to fit the feature set of Breach and Attack Simulation. They convert those scanners into agent-based solutions that cover internal network security. The agents are deployed inside an organization’s networks and on its physical and virtual machines or servers, and they check those systems against a standard vulnerability database.
These agents scan the systems for thousands of vulnerabilities, identify systems with potential issues, and map the probable attack routes. However, these tools focus mostly on the potential breach of an organization’s internal network. They neither exploit nor validate the security bugs they find, and they do not test the security perimeter, which makes them hardly better than the old vulnerability scanning solutions.
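To make the “map the probable attack routes” step concrete, here is an added example of how such a mapper can be built from agent findings plus network reachability. It is not from the article or from any BAS vendor’s product. The hosts, the VULN-000x identifiers, the CVSS scores and the adjacency graph are constructed sample data; the severity threshold, the `remote` flag on a finding and the choke-point calculation are assumptions of this example.

```python
"""Added example (not from the article): attack-route mapping over agent findings.

Each host's agent matches its software against a vulnerability database and
reports findings.  The mapper then walks the network from an entry point to
a crown-jewel asset, hopping only through hosts whose findings are remotely
exploitable at or above a severity threshold.  All hosts, VULN-000x IDs,
CVSS scores and the reachability graph are constructed sample data.
"""

# Constructed inventory: host -> findings the agent matched against the database.
# "remote" is the database's flag for a network-reachable weakness (assumed field).
FINDINGS = {
    "web-01":  [{"id": "VULN-0001", "cvss": 9.8, "remote": True}],
    "app-01":  [{"id": "VULN-0002", "cvss": 7.5, "remote": True}],
    "fs-01":   [{"id": "VULN-0004", "cvss": 8.1, "remote": True}],
    "db-01":   [{"id": "VULN-0003", "cvss": 7.5, "remote": True}],
    "jump-01": [],                                  # fully patched, nothing reported
}

# Constructed reachability: which hosts each node can open connections to.
ADJACENCY = {
    "internet": ["web-01"],
    "web-01":   ["app-01", "jump-01"],
    "app-01":   ["db-01", "fs-01"],
    "jump-01":  ["db-01", "fs-01"],
    "fs-01":    ["db-01"],
}


def is_exploitable(host, min_cvss=7.0):
    """A host can serve as a hop only if it has a remote finding at or above the threshold."""
    return any(f["remote"] and f["cvss"] >= min_cvss for f in FINDINGS.get(host, []))


def attack_paths(entry, target, min_cvss=7.0):
    """Enumerate simple paths entry -> target in which every hop after the entry,
    the target included, is exploitable.  Shortest paths come first."""
    paths = []
    stack = [(entry, [entry])]          # iterative depth-first walk
    while stack:
        node, path = stack.pop()
        for nxt in ADJACENCY.get(node, []):
            if nxt in path:             # never revisit a host on the current route
                continue
            if nxt == target:
                if is_exploitable(nxt, min_cvss):
                    paths.append(path + [nxt])
                continue
            if is_exploitable(nxt, min_cvss):
                stack.append((nxt, path + [nxt]))
    return sorted(paths, key=len)


def choke_points(paths):
    """Intermediate hosts that every route passes through: fixing these
    (patching, segmenting) removes all of the listed routes at once."""
    if not paths:
        return []
    common = set(paths[0][1:-1])
    for p in paths[1:]:
        common &= set(p[1:-1])
    return sorted(common)


if __name__ == "__main__":
    routes = attack_paths("internet", "db-01")
    for r in routes:
        print(" -> ".join(r))
    print("choke points:", choke_points(routes))
    print("routes at CVSS >= 8.0:", attack_paths("internet", "db-01", min_cvss=8.0))
```

Two details carry the defensive point. The jump host reports no findings, so the branch through it never becomes a route even though it can reach the database; the mapper must only hop through hosts with a usable remote finding, or it overstates exposure. And the choke-point list (here the web and application servers) is where a patch or a segmentation rule removes every route at once, which is the prioritisation a plain scanner report does not give you.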
2] Malicious Traffic-based Testing Solutions
The second approach followed by security vendors is to generate malicious traffic inside an organization’s network. This approach follows the standard attack vector of malicious traffic arriving at an application’s endpoint. In such attack scenarios, traditional security solutions monitor the incoming traffic, detect malicious network packets, and then block, filter, or quarantine them.
The idea is to set up several virtual machines inside the organization’s network, make them the targets of the test, and then direct the malicious traffic toward them. The BAS solution then assesses the efficiency and performance of the installed security solutions, such as Intrusion Detection Systems (IDS), Security Information and Event Management (SIEM), Web Application Firewalls (WAF), and more.
The benefit is that your organization’s in-house or production machines and servers keep working as usual while the BAS tests run. Finally, the resulting security events are reported to the security team, giving an overview of the protection the installed security solutions actually provide. As an additional benefit, BAS tools also suggest configuration changes and rules for hardening security.
3] Blackbox Multi-vector Testing Solutions
The third approach, followed by some security vendors, is the most comprehensive and powerful approach to Breach and Attack Simulation. It packages and simulates multi-vector attacks against an organization’s network as well as its security perimeter, making it an all-round solution that tests the organization’s security infrastructure as realistically as real attackers would. Also, these solutions mostly run from the cloud and avoid any complex hardware setup such as virtual machines, unlike the other two approaches.
BAS solutions that follow this approach install their agent on the organization’s machines. These agents connect to the platform, run the tests, collect the results, and report back to the platform. The tests simulate multi-vector attacks using numerous types of payloads and vulnerabilities, making them the closest to attacks performed by cybercriminals. Because the tests vary in their specifics, they cover most of the ground when testing the organization’s security infrastructure. As a result, their reports cover most of the potential security vulnerabilities in the organization’s security posture, network as well as perimeter.
These BAS solutions implement different approaches with multiple ways of simulating attacks, thus validating various security levels and settings. Their reports also suggest likely remediations, including configuration changes and software fixes, to improve security with the solutions already installed. Lastly, if they succeed in breaching your organization’s security infrastructure, then cybercriminals will most likely be able to launch a successful attack as well. And if they cannot, then your security is in reasonably good shape.
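The reporting step described for the malicious-traffic approach (security events from the installed IDS, WAF and SIEM compared against the tests that were sent) and for the multi-vector approach (a verdict on whether the simulation got through, plus hardening suggestions) comes down to the same reconciliation logic. The following is an added example, not from the article or from any vendor’s product: a test plan whose cases carry a unique run marker, constructed SIEM export lines, and the code that turns them into per-test verdicts, per-vector coverage and recommendations. The marker format, the log line format, the expected outcomes and the blocked > alerted > missed ranking are all assumptions of this example.

```python
"""Added example (not from the article or any BAS vendor): reconciling a
simulation run with the security events the installed controls produced.

Each test case embeds a unique run marker in the traffic it sends; the
controls (WAF, IDS, DLP, forwarded through the SIEM) log what they saw and
what they did.  Joining the two gives the verdict per test, coverage per
attack vector and the hardening recommendations a report would carry.
All test cases and log lines below are constructed sample data.
"""
import re
from collections import defaultdict

# Constructed test plan: vector exercised, outcome the control is expected to
# produce, and the marker embedded in the simulated traffic for that case.
TEST_PLAN = [
    {"id": "T01", "vector": "web",      "expect": "blocked", "marker": "bas-run42-T01"},
    {"id": "T02", "vector": "web",      "expect": "blocked", "marker": "bas-run42-T02"},
    {"id": "T03", "vector": "network",  "expect": "blocked", "marker": "bas-run42-T03"},
    {"id": "T04", "vector": "endpoint", "expect": "blocked", "marker": "bas-run42-T04"},
    {"id": "T05", "vector": "exfil",    "expect": "alerted", "marker": "bas-run42-T05"},
]

# Constructed SIEM export: timestamp, source control, action, and somewhere
# in the detail a field carrying the run marker.  T04 never shows up at all.
EVENT_LOG = """\
2024-01-01T10:00:01Z waf action=block uri=/login?q=bas-run42-T01
2024-01-01T10:00:02Z waf action=allow uri=/search?q=bas-run42-T02
2024-01-01T10:00:03Z ids action=alert sig=test-probe ref=bas-run42-T03
2024-01-01T10:00:04Z ids action=alert sig=test-probe ref=bas-run42-T03
2024-01-01T10:00:06Z dlp action=alert file=report.csv tag=bas-run42-T05
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\w+) action=(?P<action>\w+) .*?(?P<marker>bas-run\d+-T\d+)"
)

# Assumed ordering: a block satisfies an "alerted" expectation, not vice versa.
RANK = {"blocked": 2, "alerted": 1, "missed": 0}


def parse_events(text):
    """Group (source, action) pairs by the run marker found in each log line."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events[m["marker"]].append((m["src"], m["action"]))
    return events


def observed_outcome(actions):
    """Best outcome any control achieved for one test case."""
    if any(a == "block" for _, a in actions):
        return "blocked"
    if any(a == "alert" for _, a in actions):
        return "alerted"
    return "missed"  # seen only as allowed, or never logged at all


def evaluate(plan, events):
    """Return {test_id: {vector, expected, observed, passed, controls}}."""
    results = {}
    for t in plan:
        acts = events.get(t["marker"], [])
        obs = observed_outcome(acts)
        results[t["id"]] = {
            "vector": t["vector"],
            "expected": t["expect"],
            "observed": obs,
            "passed": RANK[obs] >= RANK[t["expect"]],
            "controls": sorted({src for src, _ in acts}),
        }
    return results


def coverage_by_vector(results):
    """Fraction of test cases per vector that met their expected outcome."""
    totals = defaultdict(lambda: [0, 0])
    for r in results.values():
        totals[r["vector"]][1] += 1
        if r["passed"]:
            totals[r["vector"]][0] += 1
    return {v: passed / total for v, (passed, total) in totals.items()}


def recommendations(results):
    """One actionable line per failed test, distinguishing visibility gaps
    (nothing logged) from policy gaps (seen but allowed, or alert-only)."""
    recs = []
    for tid, r in sorted(results.items()):
        if r["passed"]:
            continue
        ctrls = ", ".join(r["controls"])
        if r["observed"] == "missed" and not r["controls"]:
            recs.append(f"{tid}: no control logged the {r['vector']} test; "
                        "check sensor placement and log forwarding")
        elif r["observed"] == "missed":
            recs.append(f"{tid}: {ctrls} saw the traffic but allowed it; review rule set")
        else:
            recs.append(f"{tid}: only {r['observed']} by {ctrls}, expected "
                        f"{r['expected']}; change to a blocking rule")
    return recs


if __name__ == "__main__":
    res = evaluate(TEST_PLAN, parse_events(EVENT_LOG))
    for tid, r in res.items():
        print(tid, r["vector"], r["expected"], "->", r["observed"], "PASS" if r["passed"] else "FAIL")
    print("coverage:", coverage_by_vector(res))
    print("\n".join(recommendations(res)))
```

The run marker is what makes the join reliable: without a per-case token the report cannot tell a test that was blocked from one that was never delivered, and the two call for different fixes. The recommendations deliberately separate a visibility gap (no control logged anything, so check sensors and forwarding) from a policy gap (the control saw the traffic and let it through, or only raised an alert where a block was expected), which is the distinction the article’s “configuration changes and rules” suggestions rest on.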