What is a Breach and Attack Simulation?
BAS — maybe you’ve heard of it. It’s gaining steam in cybersecurity now that the MITRE ATT&CK framework is being adopted by both blue teams and red teams. We’ve talked to everyone from penetration testers to bank executives who are using Breach and Attack Simulation (BAS) to inform their work.
Pentesters are using it to define what techniques they leverage on engagements. Security teams are using it to measure their defensive capabilities. This includes using breach and attack simulations as a part of threat hunting and incident response preparedness or even security product bake-offs.
But… what exactly is BAS?
Why is it useful?
What do you need to know about it?
Luckily, we have some quick answers for you. After reading this post, you’ll be a regular BAS pro (and, no, we’re not talking about the hunting and fishing company).
BAS stands for Breach and Attack Simulation, and it’s a new category of cybersecurity products that, up until Gartner officially came up with the acronym earlier in 2018, was nameless.
BAS, as Gartner defines it, is a category of tools that “simulate a broad range of malicious activities (including attacks that would circumvent their current controls), enabling customers to determine the current state of their security posture.” [1]
So, what does that mean exactly?
At a high level, BAS solutions simulate (and automate) adversary behavior in a non-malicious manner, so your organization can see which behaviors its controls actually block or detect and where the gaps are.
When people hear “Breach and Attack Simulation,” the first thing they think of is red teams and penetration testing. Before BAS, a vendor might suggest using Nessus or Metasploit to test their product in production. It’s possible to test rules with port scanners, vulnerability scanners, and exploitation tools, but that’s not feasible in many production environments. The risk of taking systems down or causing denial of service is too real to be ignored.
In some orgs, merely running a Nessus plugin against production infra can require literally 10s of person-days of meetings to authorise.
— Alex Butcher (@alexjbutcher) September 17, 2017
Questions that Breach and Attack Simulation solutions help to answer
We’ve seen a lot of security professionals test scenarios that don’t necessarily align with their security goals or program. They’re doing the best they can with the tools they have. But in order to reap the benefits of BAS listed below, it’s important to first understand what resources need protecting and how an adversary might compromise those resources.
Are your security controls configured properly?
Unfortunately, cybersecurity isn’t a set-it-and-forget-it field. Many organizations find that their security controls may be impaired or completely degraded over time.
Not one, but two new (but admittedly cheaper) Netgear products failed to stand in for a failed firewall this weekend. Kill them with fire?
— Troy Johnson (@troyj) November 3, 2008
Sometimes, the only time an organization checks a control is when the original install occurs, and even then, configuration errors happen. Controls can fail after system patches. Organizations can now use BAS to ensure proper configuration at first install and on an ongoing basis.
As you update and tweak security controls, are you introducing errors and vulnerabilities?
With the ever-changing cyber landscape, security drift or decay is inevitable. By implementing a BAS program, you’re helping your organization stay ahead of problems associated with security decay.
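To make the idea concrete, here is an added illustration (not code from the original post or from any BAS vendor) of the loop a BAS program runs: each "simulation" is a benign stand-in for one ATT&CK technique that only emits the telemetry a detection pipeline would see, the current rule set is evaluated over that telemetry, and the result is compared against the last known-good run so that a control that silently stopped working after a patch shows up as a regression. The rule set, the "after patch" change, and every event and field name are constructed for the example; the ATT&CK technique IDs are real, but the detections are deliberately simplified.

```python
"""Minimal breach-and-attack-simulation harness (added illustration).

Simulations never touch a host: they carry hand-written telemetry tagged with
the ATT&CK technique they stand in for. Detection rules are evaluated over
that telemetry, and two runs are diffed to surface security decay.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


@dataclass
class Event:
    """One telemetry record as a SIEM/EDR would receive it (constructed)."""
    source: str
    fields: dict


@dataclass
class Simulation:
    """A benign stand-in for one technique: it only yields telemetry."""
    technique: str
    name: str
    events: list


@dataclass
class Rule:
    """A detection rule mapped to the technique it is meant to catch."""
    name: str
    technique: str
    match: Callable[[Event], bool]


# Constructed simulations. Field values are placeholders, not real payloads.
SIMULATIONS = [
    Simulation("T1059.001", "PowerShell with encoded command", [
        Event("process", {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                          "cmdline": "powershell.exe -NoProfile -EncodedCommand <constructed-placeholder>"}),
    ]),
    Simulation("T1003.001", "LSASS memory access attempt", [
        Event("process_access", {"source_image": r"C:\Users\sim\tool.exe",
                                 "target_image": r"C:\Windows\System32\lsass.exe"}),
    ]),
    Simulation("T1053.005", "Scheduled task creation", [
        Event("process", {"image": r"C:\Windows\System32\schtasks.exe",
                          "cmdline": "schtasks.exe /create /tn SimTask"}),
    ]),
]


def rules_baseline() -> list:
    """Known-good rule set recorded when the controls were first validated (constructed)."""
    return [
        Rule("encoded_powershell", "T1059.001",
             lambda e: e.source == "process"
             and e.fields.get("image", "").lower().endswith("powershell.exe")
             and "-encodedcommand" in e.fields.get("cmdline", "").lower()),
        Rule("lsass_access", "T1003.001",
             lambda e: e.source == "process_access"
             and e.fields.get("target_image", "").lower().endswith("lsass.exe")),
        Rule("schtasks_create", "T1053.005",
             lambda e: e.source == "process"
             and e.fields.get("image", "").lower().endswith("schtasks.exe")
             and "/create" in e.fields.get("cmdline", "").lower()),
    ]


def rules_after_patch() -> list:
    """Hypothetical post-patch state: the sensor renamed its process-access
    source to 'proc_access', so the unchanged LSASS rule never fires again."""
    patched = [r for r in rules_baseline() if r.technique != "T1003.001"]
    patched.append(Rule("lsass_access", "T1003.001",
                        lambda e: e.source == "proc_access"
                        and e.fields.get("target_image", "").lower().endswith("lsass.exe")))
    return patched


def run_simulations(simulations: list, rules: list) -> dict:
    """Return {technique_id: detected} for one pass over the simulation set."""
    results = {}
    for sim in simulations:
        relevant = [r for r in rules if r.technique == sim.technique]
        results[sim.technique] = any(r.match(ev) for r in relevant for ev in sim.events)
    return results


def detection_drift(baseline: dict, current: dict) -> list:
    """Techniques detected in the baseline run but missed in the current one."""
    return sorted(t for t, ok in baseline.items() if ok and not current.get(t, False))


def coverage(results: dict) -> float:
    """Fraction of simulated techniques that produced a detection."""
    return sum(results.values()) / len(results) if results else 0.0


if __name__ == "__main__":
    before = run_simulations(SIMULATIONS, rules_baseline())
    after = run_simulations(SIMULATIONS, rules_after_patch())
    print(f"baseline coverage: {coverage(before):.0%}, current: {coverage(after):.0%}")
    for technique in detection_drift(before, after):
        print(f"REGRESSION: {technique} was detected at baseline but is no longer")
```

Run on a schedule (after every patch window, rule change, or vendor swap) and alert on a non-empty drift list rather than on the raw coverage number; a control that was never expected to catch a technique is a known gap, while one that used to catch it and stopped is the decay the section is describing.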
Are you able to accurately assess potential vendors?
Whether a new vendor’s product will play nicely with your current security stack is difficult to assess objectively.
Additionally, how do you really know that the product a vendor is pitching actually does what they claim?
Luckily, BAS solutions give you the ability to test proof-of-concepts against simulated adversary scenarios.
How well-prepared is your staff to respond to an active threat?
This is a question you don’t want to find out the answer to after you discover a breach or active threat. By having your team respond to BAS simulations as though they were malicious events, BAS solutions offer a unique method of training that helps your team better detect and defend against attacks before they happen.
If and when a situation does arise, threat response is faster, smoother, and better orchestrated.
[1] Barros, Augusto; Chuvakin, Anton. “Utilizing Breach and Attack Simulation Tools to Test and Improve Security.” Gartner, Inc., May 17, 2018.