We launched our BAS 101 blog series by introducing you to the fundamentals of breach and attack simulation (BAS) in Lesson 1: Back to BASics. Then we broke down the must-have attack capabilities in Lesson 2: Real-World Attacks. In today’s lesson, we explore how BAS turns those real-world attack results into real-time analytical intelligence.
An advanced BAS platform provides insight into your security posture by aggregating and visualizing security-control performance data you can use to analyze what your attack surface looks like, which network segments are most vulnerable, which threat groups present the highest risk, and what mitigation options will be most effective. Continue reading for an overview of the key analysis capabilities a BAS platform should have to enable this value.
Visualization of Real-Time Performance
A modern enterprise technology ecosystem is incredibly complicated, spanning thousands of endpoints, infrastructure elements, software applications, and connected Internet of Things (IoT) devices. Network topologies are also convoluted—a reality that has only increased with the rise of remote work. To quickly and effectively analyze security-control performance based on attack-simulation results, real-time visualization and dashboards are required and should:
- Aggregate effectiveness of security controls: Report what control failures were detected, which types of attacks were missed, which types of attacks were blocked, and other data to quickly identify areas for emphasis. This reporting can be pre-configured or can be anomaly based.
- Visually interpret simulation data: Provide visual tools for analysis of specific simulation exercises to drive easier comprehension of real-time security risk. This may include charts, maps and heat maps, scatter plots, and more. Visual tools allow stakeholders to easily zoom in and out on specific findings and data points. Visual tools enable more rapid digestion and comprehension of information, leading to smarter prioritization and faster mean time to repair (MTTR).
MITRE ATT&CK Heat Mapping & Other Sources
This builds on the previous point but is a more specific requirement mapping to MITRE, which has become the industry standard for threat analysis. The MITRE knowledge base of adversarial tactics, techniques, and common knowledge (ATT&CK) provides a framework that organizes and categorizes thousands of threats into a “landscape map” security teams can use to apply their resources on a more informed basis. A BAS platform should readily enable simulation results to be incorporated into the MITRE ATT&CK framework to develop heat-map exposures that can:
- Produce a threat intelligence-based view of an organization’s security posture against all tested attacks
- Provide highly visual guidance about areas of exposure that security teams can use to select tests that drill down into specific attack techniques for a detailed view of what simulations were prevented or detected
- Help security teams understand and pursue shared remediation goals
While incorporating results into the MITRE ATT&CK framework is valuable, it’s important to note that it is not sufficient. The framework itself is not exhaustive, further underscoring the importance of leveraging a BAS platform with a comprehensive playbook that contains the attack tactics, techniques, and procedures (TTPs) for all advanced persistent threats (APTs). For example, SafeBreach curates and maintains the Hacker’s Playbook, the largest collection of TTPs and attack data based on real-world activities culled from MITRE, the National Vulnerability Database (NVD), and many other data sources.
A commitment to original research is also a fundamental requirement for a BAS provider to drive the platform’s capabilities ahead of fast-evolving security threats. SafeBreach’s dedicated research team actively monitors the hacker underground, sources intelligence feeds, and conducts original research to identify new and emerging threats. And, SafeBreach is the only BAS vendor that actively contributes new techniques to the MITRE ATT&CK knowledgebase and framework. SafeBreach Labs has contributed four new techniques to the framework.
Attack Path Mapping
All attacks are made up of a sequence of logical steps. More sophisticated attacks may incorporate decision trees and attempts against multiple entry points to optimize attack behavior. Organizations that gain a detailed understanding of how attacks may reach an asset from the outside can then control choke points to prevent lateral movement or data exfiltration.
A BAS platform should provide a rich ability to map and visualize potential attack paths across the entire kill chain to help security teams accurately assess the organization’s attack surface. This mapping capability generally covers the entire attack life cycle, from first penetration or compromise through lateral movements and later data exfiltration or system compromise.
By mapping the steps of an attack, from initial infiltration modalities, host compromises, lateral movements, and propagation to exfiltration, sequestration (ransomware), or destruction (wiping attacks), security teams can identify how to break the chain most efficiently. Visualization is even more effective if a team can zoom into or out of different parts of the infrastructure or filter results based on key attributes.
Attack path mapping and visualization also helps with prioritization by enabling teams to see and analyze the kill chains of the highest-threat security risks identified by the BAS platform. For example, visualization can help:
- Identify whether there is a path from the external attacker to the target segment for infiltration or exfiltration
- Determine how exposed the target segment is from other segments
- Discover bottleneck segments or connections that allow many attack paths
Risk Scoring & Gap Prioritization
A BAS solution should bring together critical data to help an organization understand its overall security posture. BAS can also bring together different security teams by applying a risk-rating approach driven by comprehensive data. To make this capability broadly useful, it will include particular consumer-grade features, such as:
- A variety of visual tools including heat maps, lists, scatter plots, and pie charts to quickly communicate risk data
- Top risks and action items customized by stakeholders
- A query engine to enable rapid report and dashboard creation based on risk scores or type of security gap
- A clear way to communicate prioritization of remediations and team focus
Your BAS-Analysis Checklist
As you can see, there’s a lot to unpack and understand just on the analysis side of things. To simplify and summarize, here’s a checklist of the key analysis criteria to look for to find the best-in-BAS solution for your organization:
- Visual tools to analyze findings and comprehend trends faster
- Sufficient data points, such as MITRE ATT&CK and other threat intelligence information, to provide a comprehensive picture of the threat landscape
- The ability to map attack paths through IT and application environments to enable analysts to track and analyze the entire attack life cycle
- Risk scoring and gap prioritization rules that interpret BAS data and other integrated data to clearly indicate which suggested fixes are the most critical
Until next time, class is dismissed. Be sure to watch for more BAS 101 blogs over the coming weeks as we dive deeper into the critical elements of BAS and help you better understand the role of BAS in your security ecosystem. For all you overachievers, feel free to work ahead of the lesson plan by downloading our new white paper: The Four Pillars of BAS.
Want to learn more about why leading organizations—like PayPal, Netflix, Experian, and Johnson & Johnson—have chosen SafeBreach’s industry-pioneering BAS platform to support their continuous security validation programs? Connect with a SafeBreach cybersecurity expert or request a demo of our advanced BAS platform today.