As the threat intelligence landscape grows and evolves, so does the need for tools that help us defend against evolving threats. Tools alone, mind you, will not be sufficient for us to defend our assets and keep our organizations operational. Organizations that manage to do it understand that there is more to cyber security than just having security controls in place. The goal post is constantly being moved, and to keep up with it we must keep moving too.
Out of that need a plethora of tools and solutions were born, among which Breach & Attack Simulation (BAS) tools and solutions have become widely popular in the industry over recent years. Attack simulation refers to the ability to simulate the tactics, techniques and procedures (TTPs) of a threat actor. The business focus of most attack simulation tools and platforms is to provide a (semi-)automated means of obtaining the attacker's view or perspective of the target organization. While traditional vulnerability scanning technology focuses on the identification of system, network and application vulnerabilities, BAS solutions go the extra mile by allowing you to simulate the different phases of the security kill-chain while at the same time providing recommendations on how to secure the target organization.
Most importantly though, a BAS solution would aim to see if the security controls of the organization have been correctly configured and if they are able to discover and catch attacks.
A good breach simulator would simulate, assess, and validate the most current attack techniques used by advanced persistent threats (APTs). This is of course not limited just to the techniques but also to the tools these threat actors would use. An even better breach simulator would then map these attack behaviours onto a standard, such as the MITRE ATT&CK Framework, to give you a better understanding of the progression path an APT would take by following every step in their attack, what is referred to as the Cyber Kill-Chain.
Tools for Attack Simulations
As we mentioned before, there are several tools out there and each one of these works a little bit differently. Below are some examples:
- Infection Monkey – it allows you to automatically simulate an attack for credential theft, or check for compromised assets or misconfigured security controls, to mention a few of its features.
- NeSSi2 – this tool focuses mainly on testing intrusion algorithms, network analysis and profile-based automated attacks.
- AttackIQ – it allows you to customize attack scenarios to mimic real-world threats. It makes use of lightweight agents deployed at your endpoints.
- Cymulate – it allows you to simulate attacks at every stage of the cyber kill-chain and reports back how well your security controls did. Like AttackIQ, Cymulate does this through the use of agents deployed at your endpoints.
When looking at BAS solutions, it is important to understand how they actually work. How do they make sure that the results they produce are not just false positives, and how do those results relate to the tools actually used by the organization's SOC team?
Well, it turns out that they do this in a rather smart way. For instance, let us assume that we want to run an attack simulation using Cymulate and that, in a given scenario, we want to validate the following:
- Can we gain access to the assets (computers or devices connected to the network)?
- Can we escalate our privileges to gain more control?
- Are we able to infect the assets or endpoints?
- What about encrypting files to simulate a ransomware attack?
Of course, infecting production systems with live malicious code is never a good idea and it would set you back a lot more than help you prevent the attacks in the first place.
What BAS solutions generally do is to use agent-based technology deployed on production systems. Commands are then sent to the agents to perform certain attacks without actually using malicious code.
For instance, to check whether we can gain access to a system and escalate privileges, the agent will attempt a harmless action such as opening a window and typing a message, or launching an app such as the calculator.
To check and see if we are able to infect a machine or deploy a payload the agent will try to write files to the machine the agent is attached to.
For the ransomware attack it would attempt to create a directory, write files to it and then encrypt these files.
In essence, the BAS solution emulates APT behaviour through the actions it takes during the simulation.
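The ransomware scenario from the checklist above (create a directory, write files to it, encrypt them) is the easiest of the agent actions to reproduce by hand, and doing so shows why the approach is safe on production systems: the key never leaves the agent, every step is reversible, and the record of actions is exactly what a SOC team reconciles against the alerts its controls produced. The script below is an added example written for this article, not code from Cymulate, AttackIQ or any other BAS vendor. It works only inside a temporary directory it creates itself, uses an HMAC-SHA256 counter keystream purely so that every byte on disk changes (it is not proposed as a production cipher), and the `RansomwareSimulation` class, its event names and the sample file contents are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import tempfile
from pathlib import Path

# Constructed sample content for the "victim" files (not real data).
SAMPLE_FILES = {
    "quarterly-report.docx": b"Constructed sample document contents",
    "customers.csv": b"id,name\n1,Example Customer\n",
    "notes.txt": b"Constructed notes file for the simulation\n",
}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream. Its only job here is to make every
    byte of a file change, which is what a file-integrity or anti-ransomware
    control should notice; it is not offered as a production cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class RansomwareSimulation:
    """Emulates the observable behaviour of a ransomware TTP (mkdir, write
    files, overwrite them with ciphertext) while keeping the key locally so
    the run is fully reversible. Every step is appended to `events`, which is
    the list a SOC reconciles against what its security controls reported."""

    def __init__(self, base_dir: Path):
        self.target = Path(base_dir) / "bas-sim"   # hypothetical staging dir
        self.key = secrets.token_bytes(32)         # never written to disk
        self.events = []

    def stage_files(self) -> int:
        self.target.mkdir(parents=True, exist_ok=False)
        self.events.append(("mkdir", str(self.target)))
        for name, content in SAMPLE_FILES.items():
            path = self.target / name
            path.write_bytes(content)
            self.events.append(("write", str(path)))
        return len(SAMPLE_FILES)

    def encrypt_files(self) -> int:
        encrypted = 0
        for path in sorted(self.target.iterdir()):
            if path.suffix == ".locked":
                continue
            nonce = secrets.token_bytes(16)
            plaintext = path.read_bytes()
            blob = nonce + _xor(plaintext, _keystream(self.key, nonce, len(plaintext)))
            locked = path.with_name(path.name + ".locked")
            locked.write_bytes(blob)   # new file appears ...
            path.unlink()              # ... and the original disappears
            self.events.append(("encrypt", str(path), str(locked)))
            encrypted += 1
        return encrypted

    def restore_files(self) -> int:
        restored = 0
        for locked in sorted(self.target.glob("*.locked")):
            blob = locked.read_bytes()
            nonce, ciphertext = blob[:16], blob[16:]
            original = locked.with_name(locked.name[: -len(".locked")])
            original.write_bytes(_xor(ciphertext, _keystream(self.key, nonce, len(ciphertext))))
            locked.unlink()
            self.events.append(("restore", str(original)))
            restored += 1
        return restored

    def verify_restored(self) -> bool:
        return all((self.target / n).read_bytes() == c for n, c in SAMPLE_FILES.items())

    def expected_detections(self) -> dict:
        """Checklist of what the controls *should* have seen; compare with the
        alerts your EDR / file-integrity / anti-ransomware tooling produced."""
        return {
            "directory_created": sum(1 for e in self.events if e[0] == "mkdir"),
            "files_written": sum(1 for e in self.events if e[0] == "write"),
            "files_encrypted": sum(1 for e in self.events if e[0] == "encrypt"),
        }

    def cleanup(self) -> None:
        for p in self.target.iterdir():
            p.unlink()
        self.target.rmdir()


def run_simulation(base_dir=None):
    """Full scenario in a throw-away directory; returns the detection
    checklist and whether the files came back byte-for-byte identical."""
    base = Path(base_dir) if base_dir else Path(tempfile.mkdtemp(prefix="bas-"))
    sim = RansomwareSimulation(base)
    sim.stage_files()
    sim.encrypt_files()
    restored_ok = False
    try:
        sim.restore_files()
        restored_ok = sim.verify_restored()
    finally:
        sim.cleanup()
    return sim.expected_detections(), restored_ok


if __name__ == "__main__":
    detections, ok = run_simulation()
    print(detections, "restored intact:", ok)
```

The value of the run is not the encryption itself but the gap between `expected_detections()` and what actually showed up in the SIEM: one directory creation, three file writes and three encrypt-and-delete pairs should each be visible to whichever control you believe covers that behaviour, and any line that is missing is a finding.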
Another matter to address is understanding the effect that such attack simulations, managed and generated by the BAS platform, have on the security controls of the organization: what are those controls able to see and report to the end users? Remember, BAS solutions perform attack simulations directly on production systems, and therefore it is important to understand what visibility we can obtain from such attacks.