We recently launched our BAS 101 blog series by introducing the fundamentals of breach and attack simulation (BAS) in Lesson 1: Back to BASics. Now that we’ve explained what BAS is, let’s explore the range of customizable capabilities an advanced BAS solution should have to effectively improve security posture and scalability in complex enterprise environments.
While there’s a long list of innovative features and user-friendly functions we’d love to rattle off about the SafeBreach BAS platform, we’ve narrowed things down to the four most critical capabilities of a good BAS solution:
- Attack: Generate highly realistic attack simulations indistinguishable from actual attacks
- Analyze: Provide real-time analysis of security control performance
- Remediate: Accelerate and focus remediation efforts to continuously reduce risk
- Report: Communicate results clearly with stakeholders via dashboards and automated findings
We’ll go into points 2–4 more in future lessons, but today, let’s delve into the primary role of a BAS platform: simulating advanced attacks to help an organization continuously test the efficacy of existing security controls. The BAS attack process is designed to provide instant feedback on an organization’s level of preparedness against known and new threats. By providing these insights, a BAS solution can enhance the efficacy and breadth of security coverage and remediation activities. Keep reading as we detail the requisite attack capabilities of a modern and effective BAS solution.
Coverage of Major Attack Surfaces
A complete BAS platform must cover the major attack surfaces, including network, endpoint, cloud, applications, and email. For example, it should test all major operating systems, whether they run on-premises, on local or distributed machines, or in the cloud. It should also exercise every security control in the path of an attack, because controls are routinely subject to inadvertent misconfiguration or drift during normal IT processes such as patching and updating, and a control that has silently degraded leaves the organization exposed to attackers.
As organizations move to the cloud, it is imperative that a BAS solution simulates attacks against public and private cloud infrastructure (IaaS), addressing the control plane that includes identity and access management (IAM), network, storage, and administrator access. It is also crucial to move up the cloud technology stack and address the data plane, covering lateral movement, system abuse, privilege escalation, and running unapproved processes. With many attacks now focusing on container-based applications, a BAS platform should also have attacks geared specifically toward Docker containers and public cloud environments where containers are prevalent.
Fast Coverage of New Threats
The volatile and ever-changing nature of the threat landscape means a BAS platform must have a documented process in place to quickly add coverage for newly identified threats. When a new threat is identified and announced—via a US-CERT or FBI Flash alert for instance—a security team must be able to quickly understand the threat, test against it, and identify what security gaps exist that may make an organization more vulnerable.
In these situations timing is critical, so a BAS vendor’s service level agreement (SLA) and response-time guarantees for covering newly disclosed threats matter. A BAS vendor should be able to ship a comprehensive set of simulations for a new threat within a day or two, so an organization can immediately validate its defenses against it. BAS platforms that take a week or more to add simulations for new warnings should be viewed with caution: during that window, attackers can capitalize on the publicity around a newly released warning to compromise an organization’s infrastructure and cause significant business impact.
Exhaustive Coverage of Known Threats
Because the vast majority of successful attacks reuse known vulnerabilities and documented techniques, a BAS platform must have a comprehensive playbook to draw from that contains the attack tactics, techniques, and procedures (TTPs) used by advanced persistent threats (APTs), including but not limited to the techniques cataloged in the MITRE ATT&CK framework.
Having thousands of attack scenarios readily available to test across the enterprise frees up testing time for security teams and ensures red teams no longer have to build out every attack. But it is important to ensure the BAS platform does not require complex configurations in order to run attack simulations properly in the network, as this could burden security teams and slow down reporting.
Easy Attack Customizations
For efficiency and better interpretation of results, the BAS platform should emphasize and give testing priority to attack methods most relevant and potentially damaging within today’s infrastructure. It should also provide the flexibility to allow security teams to focus on specific TTPs and threat groups that are a high priority for an organization. For example, a security team should be able to run all TTPs associated with a specific threat group across all simulators in the enterprise to quickly answer inquiries from the executive suite or board members about the level of protection against specific threats.
While existing information about attack methods and vulnerabilities can help ensure protection against known threats, it can also be used to make educated predictions and simulations against future threats. Toward this end, a BAS platform should enable security teams to:
- Leverage the building blocks of known attacks within the platform to develop new attack combinations that may be relevant to an organization
- Build or upload its own attacks to the platform to better anticipate novel TTPs and attack progressions
- Add new attacks to the platform from recorded network traffic (packet captures, or PCAP files) or from code written in a programming language like Python
- Integrate with preferred threat intelligence providers—and other attack information sources like Securityfocus, GitHub, and Reddit—to update and inform personalized attack playbooks
This extensibility allows security teams—and red teams specifically—to quickly develop attacks, increase their testing coverage, and better scale their exercises. It also allows them to better address organization-specific risks that may not be covered in the various frameworks and to innovate around identifying new and undiscovered risks.
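To make the customization points above concrete, here is an added example written for this lesson. It is not SafeBreach code and not the platform’s API: a small Python model of a BAS attack run in which ATT&CK-tagged building blocks are selected by threat group or composed by name into a custom progression, run across a fleet of simulators, and rolled up into a per-technique coverage report. The technique IDs are real MITRE ATT&CK IDs; the group label HYPOTHETICAL-GROUP, the simulator names, the control names and every outcome are constructed for illustration. It also shows one caveat the list above does not: a chain run that stops at the first blocked step hides every gap behind that step, so a platform should run steps independently as well.

```python
# Added example for this article, not SafeBreach code or its API: a minimal model of
# a BAS attack run. ATT&CK-tagged building blocks are composed into a chain, the chain
# runs on several simulators, and outcomes roll up into a per-technique coverage report.
# Technique IDs are real MITRE ATT&CK IDs; the group label HYPOTHETICAL-GROUP, the
# simulator names and every outcome are constructed. A real simulator performs the step
# on the host and observes what the EDR, proxy or mail gateway actually did with it.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

GROUP = "HYPOTHETICAL-GROUP"  # constructed label, not an ATT&CK group

@dataclass(frozen=True)
class Step:
    name: str
    technique: str          # ATT&CK technique ID, e.g. T1059.001
    groups: FrozenSet[str]  # threat groups attributed to this block (constructed)

CATALOG: List[Step] = [
    Step("spearphish-attachment", "T1566.001", frozenset({GROUP})),
    Step("powershell-stager", "T1059.001", frozenset({GROUP})),
    Step("lsass-dump", "T1003.001", frozenset({GROUP})),
    Step("smb-admin-share", "T1021.002", frozenset({GROUP})),
    Step("exfil-over-c2", "T1041", frozenset({GROUP})),
    Step("container-escape", "T1611", frozenset()),
]

# An executor runs one step on one simulator and returns (outcome, control):
# blocked = prevented, detected = alerted but not prevented, missed = no control
# reacted. not-reached is recorded by the chain runner, never by an executor.
Executor = Callable[[Step], Tuple[str, str]]

@dataclass(frozen=True)
class StepResult:
    simulator: str
    technique: str
    outcome: str
    control: str

def select_for_group(catalog: List[Step], group: str) -> List[Step]:
    """Every building block attributed to a threat group, in catalog order."""
    return [s for s in catalog if group in s.groups]

def chain_by_name(catalog: List[Step], names: List[str]) -> List[Step]:
    """Compose a custom progression from existing blocks; unknown names fail loudly."""
    by_name = {s.name: s for s in catalog}
    missing = [n for n in names if n not in by_name]
    if missing:
        raise KeyError(f"unknown building blocks: {missing}")
    return [by_name[n] for n in names]

def run_chain(simulator: str, steps: List[Step], execute: Executor,
              stop_when_blocked: bool = True) -> List[StepResult]:
    """Run steps in order on one simulator. stop_when_blocked=True severs the chain at
    the first prevented step, as a real intrusion would be, and marks later steps
    not-reached; False runs every step on its own and exposes the gaps behind it."""
    results: List[StepResult] = []
    severed = False
    for step in steps:
        if severed:
            results.append(StepResult(simulator, step.technique, "not-reached", ""))
            continue
        outcome, control = execute(step)
        results.append(StepResult(simulator, step.technique, outcome, control))
        severed = stop_when_blocked and outcome == "blocked"
    return results

def run_playbook(steps: List[Step], simulators: Dict[str, Executor],
                 stop_when_blocked: bool = True) -> List[StepResult]:
    results: List[StepResult] = []
    for name, execute in simulators.items():
        results.extend(run_chain(name, steps, execute, stop_when_blocked))
    return results

def coverage_report(results: List[StepResult]) -> Dict[str, Dict[str, int]]:
    """Per technique: on how many simulators it was blocked / detected / missed."""
    report: Dict[str, Dict[str, int]] = {}
    for r in results:
        counts = report.setdefault(r.technique, {o: 0 for o in ("blocked", "detected", "missed", "not-reached")})
        counts[r.outcome] += 1
    return report

def gaps(results: List[StepResult], prevention: bool) -> List[Tuple[str, str]]:
    """(simulator, technique) pairs where controls failed. prevention=True counts anything
    that was not blocked (detected is still a prevention gap); False counts only missed."""
    bad = ("detected", "missed") if prevention else ("missed",)
    return [(r.simulator, r.technique) for r in results if r.outcome in bad]

def make_executor(table: Dict[str, Tuple[str, str]]) -> Executor:
    # Stand-in executor driven by a constructed per-technique outcome table.
    def execute(step: Step) -> Tuple[str, str]:
        return table.get(step.technique, ("missed", "none"))
    return execute

SIMULATORS: Dict[str, Executor] = {  # constructed fleet with uneven control coverage
    "win-workstation-01": make_executor({"T1566.001": ("blocked", "email-gateway"),
                                         "T1059.001": ("blocked", "edr-script-control"),
                                         "T1003.001": ("detected", "edr-credential-alert")}),
    "win-workstation-02": make_executor({"T1059.001": ("detected", "edr-script-logging"),
                                         "T1003.001": ("blocked", "lsass-ppl"),
                                         "T1041": ("blocked", "egress-proxy")}),
}

def run_demo(stop_when_blocked: bool):
    # Answer "how do we fare against GROUP?" across the whole fleet.
    steps = select_for_group(CATALOG, GROUP)
    results = run_playbook(steps, SIMULATORS, stop_when_blocked)
    return coverage_report(results), gaps(results, False), gaps(results, True)
```

Calling `run_demo(True)` reports a single prevention gap pair on win-workstation-02 (the phish was missed and the PowerShell stager only detected) and shows T1021.002 and T1041 as not-reached everywhere, because the chain is cut earlier. Calling `run_demo(False)` runs each block on its own and reveals that SMB lateral movement is missed on both hosts, a gap the chained run never touched. A real platform should let the team run both ways, and the per-technique report is what answers the board-level question about a specific group.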
Rapid and Continuous Execution
A continuous simulation process is only as good as the speed at which it can execute. This is particularly important in a modern technology environment, where new code may ship multiple times per day and virtual infrastructure may deploy and shut down every few minutes. For a BAS tool to be effective, it must execute quickly with minimal load on compute and network resources.
Rapid execution enables faster iteration on security posture, constant control validation, and up-to-the-hour detection and remediation of security gaps created by security drift, patching failures, or control misconfiguration. A BAS platform should be able to run continuously, multiple times per day, to keep pace with modern infrastructure deployment and software update practices.
Your BAS-Attack Checklist
As you can see, there’s a lot to unpack and understand just on the attack side of things. To simplify and summarize, here’s a checklist of the key attack criteria to look for to find the best-in-BAS solution for your organization:
- Coverage of all major types of attack surfaces, including device or asset type (e.g., hardware, software, software-as-a-service [SaaS]) and function (e.g., application, networking, cloud workload)
- Guaranteed SLAs for rapid coverage of new threats
- Exhaustive coverage of the largest possible number and type of proven TTPs and attack playbooks to ensure coverage of both major attacks and edge cases
- Customizable BAS attack simulations that enable security teams to design attacks specific to their needs
- The ability to run simulations quickly and continuously to provide comprehensive coverage, rather than snapshots of security posture
Until next time, class is dismissed. Be sure to watch for more BAS 101 blogs over the coming weeks as we dive deeper into the critical elements of BAS and help you better understand the role of BAS in your security ecosystem. For all you overachievers, feel free to work ahead of the lesson plan by downloading our new white paper: The Four Pillars of BAS.
Want to learn more about why leading organizations—like PayPal, Netflix, Experian, and Johnson & Johnson—have chosen SafeBreach’s industry-pioneering BAS platform to support their continuous security validation programs? Connect with a SafeBreach cybersecurity expert or request a demo of our advanced BAS platform today.