The war against cybercriminals resembles the race between the hare and the hedgehog in the Grimm tale.
Every time the hare thinks it has reached the finish line first, the hedgehog is already there with a cheeky "I'm already here!". The fact is that cybercriminals are usually one step ahead of IT managers in much the same way.
Frequent, targeted reassessment of IT risks, and of the technical and organizational safeguards in place, is therefore indispensable for companies. Alongside penetration tests and vulnerability scans, such as those Oxeye performs, breach and attack simulations are being used more and more widely.
In this article you can read what lies behind the term, what advantages it offers over penetration tests and why every company should look into the topic.
The global IT security situation has changed drastically in recent years: with growing digitization, increasing cloud connectivity and ever more mobile and Internet-capable end devices, corporate networks are becoming larger, more complex and more dynamic, and with that more exposed to IT threats. At the same time, cybercrime keeps evolving: a well-organized criminal economy with diverse actors, methods and services has been thriving underground for a long time.
Countering this complex and dynamic threat situation requires comprehensive defenses. Beyond robust security precautions and high security standards, this includes tools that continuously measure and evaluate how effective the existing security infrastructure actually is.
This is exactly where breach and attack simulation, or BAS for short, comes into play.
Think Like A Hacker!
Breach and attack simulation solutions are advanced test methods that continuously run realistic simulated attacks against the IT security technologies in use, in order to test a company's ability to detect, mitigate and prevent threats and attacks.
In this way, IT managers can determine exactly how effective the existing security environment is against real attack attempts, and where organizational, procedural or technical deficiencies are hidden.
Breach and attack simulation systems attack across different vectors, just as a real attacker would: from phishing attempts against the e-mail infrastructure, to attacks on the firewall, to simulated data exfiltration.
To keep the attack vectors up to date, most breach and attack simulation systems pull the latest threat information from a variety of sources.
At the same time, every detail of these self-triggered mock attacks is meticulously recorded.
Breach And Attack Simulation: How It Works!
First, let's take a look at how a breach and attack simulation solution works in general.
In the first step, BAS agents are deployed in the network. In the simplest case these are lightweight virtual appliances, usually VMs, or software packages that are installed on the clients and servers in the network.
In the second step, the conceivable attack paths are defined and the breach and attack simulation system is taught how the corporate network is structured and which security controls sit between which agents.
This allows the system to propose rule optimizations for the respective security components.
In the next step, the "attack" between the agents is planned and executed.
For this purpose, a number of possible attacks are defined, either by hand or from templates that ship with the breach and attack simulation solution.
These can look very different, for example:
An agent in the client network attempts TCP connections to several ports of the agent in the database VLAN
An agent in a server network sends packets to the agent in the database VLAN that match a known IPS signature (IPS: Intrusion Prevention System), for example an exploit against a known vulnerability
An agent on the Internet sends an HTTP request containing an SQL injection through the web application firewall, or WAF for short, to the agent that sits next to the "XYZ" web application
Many potential attack scenarios can be exercised with this model. How useful the results are, on the other hand, depends on how the respective vendor processes them in its product.
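As an added illustration of the steps above, here is a toy simulation engine written for this article; it is not code from any BAS product. Agents are represented by the network segment they sit in, the controls between two segments (a firewall, an IPS, a WAF) are modeled as an ordered list that the engine is "taught", and the three scenario types from the list are run through them. Every segment name, rule, signature and payload is constructed for the example; the stale firewall permit and the deliberately narrow WAF rule are the planted gaps the simulation is meant to find.

```python
import re
from dataclasses import dataclass
# Constructed toy breach-and-attack simulation engine (example code, not from any
# BAS product). Segment names, rules, signatures and payloads are all made up.

@dataclass(frozen=True)
class Flow:
    """One simulated attack from an agent in `src` to an agent in `dst`."""
    name: str
    src: str
    dst: str
    port: int
    payload: str = ""  # application-layer content; empty for a bare TCP connect

class Firewall:
    """Stateless L4 filter that permits only the listed (src, dst, port) tuples."""
    def __init__(self, name, allow):
        self.name, self.allow = name, set(allow)

    def inspect(self, flow):
        if (flow.src, flow.dst, flow.port) in self.allow:
            return None
        return f"{self.name}: no rule permits {flow.src}->{flow.dst} tcp/{flow.port}"

class IPS:
    """Signature matcher: blocks a flow whose payload contains a known pattern."""
    def __init__(self, name, signatures):
        self.name, self.signatures = name, dict(signatures)

    def inspect(self, flow):
        for sig, pattern in self.signatures.items():
            if pattern in flow.payload:
                return f"{self.name}: signature {sig}"
        return None

class WAF:
    """Regex-based web application firewall inspecting the HTTP payload."""
    def __init__(self, name, rules):
        self.name = name
        self.rules = [re.compile(r, re.IGNORECASE) for r in rules]

    def inspect(self, flow):
        for rule in self.rules:
            if rule.search(flow.payload):
                return f"{self.name}: rule /{rule.pattern}/"
        return None

# The "taught" network layout: which controls sit, in order, between two segments.
core_fw = Firewall("core-fw", allow={
    ("server", "db", 3306),  # application servers may reach the database
    ("client", "db", 22),    # stale admin rule: the gap the simulation should find
})
dc_ips = IPS("dc-ips", signatures={"TEST-DB-EXPLOIT": "EXPLOIT-MARKER"})
edge_fw = Firewall("edge-fw", allow={("internet", "dmz", 443)})
web_waf = WAF("web-waf", rules=[r"'\s*or\s*'1'\s*=\s*'1"])  # deliberately narrow
PATHS = {
    ("client", "db"): [core_fw],
    ("server", "db"): [core_fw, dc_ips],
    ("internet", "dmz"): [edge_fw, web_waf],
}

# The three scenario types from the list above, one Flow per simulated attack.
SCENARIOS = [
    *(Flow(f"client->db tcp/{p}", "client", "db", p) for p in (22, 1433, 3306)),
    Flow("server->db ips-signature", "server", "db", 3306, "EXPLOIT-MARKER\x00\x00"),
    Flow("internet->dmz sqli-plain", "internet", "dmz", 443,
         "GET /login?user=admin' OR '1'='1 HTTP/1.1"),
    Flow("internet->dmz sqli-obfuscated", "internet", "dmz", 443,
         "GET /login?user=admin'/**/OR/**/1=1-- HTTP/1.1"),
]

def run(flow):
    """Walk the controls on the flow's path and record the first one that blocks it."""
    for control in PATHS[(flow.src, flow.dst)]:
        verdict = control.inspect(flow)
        if verdict:
            return {"scenario": flow.name, "outcome": "blocked", "by": verdict}
    return {"scenario": flow.name, "outcome": "reached target", "by": None}

def gaps(flows):
    """Names of the scenarios that no control on their path stopped."""
    return [f.name for f in flows if run(f)["outcome"] == "reached target"]

def proposals(flows):
    """One rule-tuning hint per gap, aimed at the control closest to the target."""
    hints = []
    for f in flows:
        if run(f)["outcome"] != "reached target":
            continue
        last = PATHS[(f.src, f.dst)][-1]
        if isinstance(last, Firewall):
            hints.append(f"{last.name}: review permit {f.src}->{f.dst} tcp/{f.port}")
        else:
            hints.append(f"{last.name}: add coverage for payload {f.payload!r}")
    return hints

if __name__ == "__main__":
    for f in SCENARIOS:
        print(run(f))
    print("gaps:", gaps(SCENARIOS), "proposals:", proposals(SCENARIOS))
```

Running it lists each scenario with the control that stopped it. The port probes on 1433 and 3306 and the IPS-signature packet are blocked, the plain SQL injection is caught by the WAF, and two scenarios reach their target: the SSH connect that the stale permit lets through and the comment-obfuscated injection that the narrow WAF rule misses. Those two are the findings, and the proposals show the kind of rule-optimization hint the second step above refers to. A real product replaces the in-memory controls with live agents and takes its verdicts from the actual firewall, IPS and WAF logs.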
Breach And Attack Simulation Systems At A Glance!
Successfully simulated attacks help to identify vulnerabilities, take the right measures and close them before real damage occurs.
There are three different types of breach and attack simulation tools:
- Agent-based breach and attack simulation tools:
Agent-based attack simulation solutions are the simplest form of breach and attack simulation. Agents are distributed across the entire LAN, and the vulnerabilities they find are used to determine which attack paths a threat actor could use to move through the corporate network. Agent-based breach and attack simulation tools closely resemble vulnerability scans, but offer significantly more context.
- Breach and attack simulation tools based on "malicious" traffic:
These attack simulation solutions generate substantial attack traffic between dedicated virtual machines inside the corporate network, which act as targets for various attack scenarios. The result is an overall picture of which incidents the company's own security precautions did not detect and prevent, and of how threat actors get into the corporate network and operate there.
- Cloud-based breach and attack simulation tools:
With cloud-based breach and attack simulation models, the infrastructure to be protected is attacked from the outside, continuously and around the clock, with simulated attacks.
After The Penetration Test Is Before The Penetration Test!
Until now, many companies have mostly hired external service providers to carry out penetration tests. A penetration test, however, is a point-in-time check: it only reports the security status at the time of the test. Any change made afterwards almost always alters that status, so security gaps introduced by even minor changes to company systems remain undetected, and a previously patched vulnerability that such a change reopens is then exploited by attackers.
That Is Why More And More Companies Are Relying On Breach-And-Attack Simulation Methods
The big advantage of attack simulations over penetration tests or vulnerability scans is that they show concretely which attacks succeed against the current environment and how. This increases transparency and the success rate when eliminating security deficiencies, vulnerabilities and misconfigurations. IT managers can also protect the infrastructure better, because simulated attacks sharpen the perception of IT security risks and reduce the uncertainty of those who have to make the necessary decisions in an emergency.
Nip Complex IT Dangers In The Bud And Create Planning Security!
To cope with today's dynamic threat landscape, companies are well advised to implement effective security mechanisms.
The best defence against sophisticated attacks by criminal threat actors is therefore to take the same approach as the threat actors themselves and to proactively research possible attack vectors.
Breach and attack simulation solutions are a modern and agile tool for this. With constant simulated attacks on the IT security landscape in real time, they not only give an up-to-date and detailed overview of a company's risk situation, they also make clear where weaknesses hide and how an intruder could get into the corporate network and act there.