Breach and Attack Simulation Versus Pen Testing and Red Teaming
Over the last few weeks, Gartner analysts Augusto Barros and Anton Chuvakin have issued a call to action on threat simulation, and dived into Breach and Attack Simulation technologies. The questions they’ve posed are timely and relevant, and have been brought up by many security leaders we’ve talked to as well. As a result, we thought it would be fitting to kick off a blog series to discuss these topics and our perspective on Breach and Attack Simulation.
Anton posed an interesting question in his first blog: “What does it even mean ‘to test one’s security’?” As he said, “We want to look into testing of security technologies and processes (such as detection and response processes), with the focus on outcomes, not controls. In essence, we want to look into testing the effectiveness, not the presence, of security controls.”
Let’s take a look at options that are available today:
Penetration testing - A pen test is a point-in-time approach that attempts to evaluate the security of an environment by exploiting weaknesses such as vulnerabilities. These assessments are typically conducted once or twice a year, or every quarter in the case of organizations with stringent regulatory compliance requirements. Pen tests typically focus on external attacks and have a bounded set of objectives because of the impact and potential risk to users and systems.
Red teams - Some larger organizations have developed internal red teams that “simulate hackers” and are proactive about finding security risks in their environment. Security red teams are typically found in large organizations with a fairly mature security posture. The challenge for most organizations is that building a red team can be expensive because of a general shortage of engineers with offensive-security skill sets.
Vulnerability scanning - Vulnerability management systems scan systems to identify the vulnerabilities associated with them. Because vulnerability management systems don’t incorporate context, the output can be incredibly noisy and may not accurately reflect true security risk. Additionally, even if security teams complete the impossible task of patching every single vulnerability, doing so isn’t an indication of a secure environment. There are many other breach methods a real attacker might use besides exploiting a vulnerability, for example phishing or data exfiltration.
Breach and attack simulation - A new technology defined by Gartner in their 2017 Hype Cycle for Threat Facing Technologies and in our Gartner Cool Vendor report, breach and attack simulation enables organizations to actually quantify security effectiveness by simulating hacker breach methods to ensure security controls are working as expected. The ability to assess security continuously and automatically, in real production environments and across the entire kill chain, eliminates guesswork, incorporates business risk context, and provides actionable results.
The hard reality is that attackers are relentless and try a variety of techniques to breach our security. Many of these techniques are reused. The best way for us to ensure our security controls will stand up against these attacks is to actually execute these attacks against them.
The flaw with security validation today is that the testing performed by specialized pen testers depends on the skill sets of these professionals, which may differ widely, and on the time-bound nature of these tests. Automating and executing hacker techniques via breach and attack simulation is one way to keep pace with hacker breach methods and highly dynamic enterprise networks, and it also removes the human variable. How many times can a pen tester or a red teamer try data exfiltration using DNS tunneling? A virtual hacker can incorporate this and thousands of other attack types, 365 days a year.
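To make the DNS-tunneling case concrete from the defender's side, here is an added example (not code from this post or from any vendor's product) of what a single automated validation run looks like: a constructed DNS query log containing both ordinary lookups and a burst of simulated tunneling-style queries is replayed through a simple detector, and the run records whether the control fired. The log format, the thresholds, and the "registered zone = last two labels" shortcut are all assumptions made for the example; a production detector would use a public suffix list and tuned baselines.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log, not real traffic. Assumed format (one query per line):
# "<timestamp> <client_ip> <qname> <qtype>". Client 10.0.0.7 issues the simulated
# tunneling burst: long, high-entropy first labels under one zone, mostly TXT queries.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com A
2024-01-01T10:00:02 10.0.0.5 mail.example.com MX
2024-01-01T10:00:03 10.0.0.5 x7k2p9q4m1wz.cdn-assets.example.net A
2024-01-01T10:00:04 10.0.0.7 mfrggzdfmztwq2lknnwg23tpobyxe43u.t.exfil-sim.invalid TXT
2024-01-01T10:00:04 10.0.0.7 ov3ho6dzpi2dcmrtgq2tknjwg43dsojq.t.exfil-sim.invalid TXT
2024-01-01T10:00:05 10.0.0.7 ge3dgnbvgy3tqojqmfrggzdfmztwq2lk.t.exfil-sim.invalid TXT
2024-01-01T10:00:05 10.0.0.7 nnwg23tpobyxe43uov3ho6dzpi2dcmrt.t.exfil-sim.invalid TXT
2024-01-01T10:00:06 10.0.0.7 gq2tknjwg43dsojqge3dgnbvgy3tqojq.t.exfil-sim.invalid TXT
2024-01-01T10:00:06 10.0.0.7 mfrggzdfmztwq2lknnwg23tpobyxe43u.t.exfil-sim.invalid TXT
2024-01-01T10:00:07 10.0.0.9 www.example.com A
"""

# Assumed detection thresholds; in practice these come from a baseline of normal traffic.
THRESHOLDS = {"min_queries": 5, "min_label_len": 20.0, "min_entropy": 3.0}


def parse_log(text):
    """Parse the assumed log format into dicts; malformed lines are skipped, not raised."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype.upper()})
    return records


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score high, words like 'www' score low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_zone(qname):
    """Simplified zone extraction (last two labels); a real detector would use a public suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def detect_dns_tunneling(records, thresholds=THRESHOLDS):
    """Group queries by (client, zone) and alert when the group looks like encoded data in labels."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], registered_zone(r["qname"]))].append(r)
    alerts = []
    for (client, zone), rs in groups.items():
        if len(rs) < thresholds["min_queries"]:
            continue  # a single odd-looking CDN hostname should not fire on its own
        first_labels = [r["qname"].split(".")[0] for r in rs]
        mean_len = sum(len(l) for l in first_labels) / len(first_labels)
        mean_ent = sum(shannon_entropy(l) for l in first_labels) / len(first_labels)
        if mean_len >= thresholds["min_label_len"] and mean_ent >= thresholds["min_entropy"]:
            alerts.append({"client": client, "zone": zone, "queries": len(rs),
                           "txt_share": sum(r["qtype"] == "TXT" for r in rs) / len(rs),
                           "mean_label_len": round(mean_len, 1),
                           "mean_entropy": round(mean_ent, 2)})
    return alerts


def run_simulation(log_text, expected_client, expected_zone):
    """BAS-style outcome for one technique: did the control fire on the simulated activity?"""
    alerts = detect_dns_tunneling(parse_log(log_text))
    fired = any(a["client"] == expected_client and a["zone"] == expected_zone for a in alerts)
    return {"technique": "DNS tunneling exfiltration (simulated)",
            "detected": fired, "alerts": alerts}


if __name__ == "__main__":
    result = run_simulation(SAMPLE_LOG, "10.0.0.7", "exfil-sim.invalid")
    print("PASS" if result["detected"] else "FAIL", result)
```

The point of wrapping the detector in `run_simulation` is that the output is a pass/fail record for a named technique, which is what a continuous validation program tracks over time: the same replay can be scheduled daily, and a run that flips from PASS to FAIL after a logging or rule change is the signal that a control has silently degraded.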
In fact, breach and attack simulation can assist with the investments that have been made in vulnerability management. Take the example of the recent Meltdown and Spectre vulnerabilities. How can you validate the effectiveness of patches? Why not do it via breach and attack simulation? Our customers have been running our simulations on their respective endpoint systems to ensure patching is conducted correctly.
There are myriad ways our customers are using breach and attack simulation today:
Getting more from existing security - ensuring that security controls and policies are optimized for the best protection or detection functions.
Minimize security exposure - continuous validation to ensure that new risks, whether from new attacks or from changes in dynamic environments, are quickly addressed.
Prepare for audits - identifying risks well before audits and maintaining continuous compliance.
Test alerting and action plans - ensuring that people, process and technology (MSSPs or internal teams) are ready and trained before a real attack occurs.
Provide business rationalization - a true understanding of how security investments are performing based on real data, enabling data-driven justification for future investments.