Breach and Attack Simulation vs. Pen test
Breach and Attack Simulation (BAS) is growing in popularity within the cybersecurity space. While this simulation-centric approach is gaining ground, a large majority of cybersecurity professionals have yet to adopt the technology, largely because most of them still rely primarily on penetration tests to validate their network security posture and controls.
What is a penetration test?
A penetration test attempts to find and exploit vulnerabilities within an organization. However, these tests are bounded by time, scope, and a specific objective, and extending any of the three raises the cost of the test accordingly. The typical penetration test lasts 1-2 weeks. After the test, the red team makes recommendations to improve security.
Do you need one?
Organizations operating in industries such as finance, retail, and healthcare are obligated to comply with standards and regulations put in place by the federal government. Most of these regulations require regular penetration tests.
PCI compliant means they have also successfully completed Requirement 11.3, Pen Testing. So yes, they need a pen test to be compliant and, depending on who performs the test, they still might not be secure. Not everyone who does these tests knows what they’re doing.
— Joseph Pierini – OG Twizzlebit (@jpierini) January 15, 2018
So, yes. You probably need one.
What are the limits of penetration tests?
Pen testers are limited by the scope of the project. If the objective at hand is to compromise the CEO’s computer, other endpoints won’t be tested because they aren’t specifically outlined as a project goal.
A penetration test is also inherently limited by time. It is a point-in-time assessment, so it may only run for two weeks out of the year. Additionally, because security controls and the environment around them change so rapidly, penetration tests cannot keep up with security decay, since they are typically conducted only one to four times a year.
Since penetration tests are carried out by third-party assessors, they can also weigh heavily on organizations because of their cost and the disruption to business. Some organizations may be able to afford their own internal red team, but that type of talent is rare and expensive.
How do you overcome those limits?
This is where Breach and Attack Simulations come in. BAS is not limited by a project scope and can validate security controls on a much larger scale. While pen tests are conducted only once to a handful of times a year, Breach and Attack Simulations can be scheduled to run continuously.
Breach and Attack Simulations are also less burdensome on organizations because they don’t disrupt business activities and can be run at a fraction of the cost, or even for free through open-source solutions. BAS can be run internally by blue teams, which reduces the need to bring in third parties for testing.
So, will Breach and Attack Simulations replace penetration tests?
Penetration testing for cybersecurity purposes has been around for over twenty years, and while technologies come and go, we believe BAS are not meant to replace the traditional penetration test. Breach and Attack Simulations are designed to continuously monitor the security controls already in place, evaluate new systems before they’re installed, and prepare teams for real-world attacks.