2021 will always be known for the infamous vulnerability Log4j. When the zero-day hit going into a long weekend in December, organizations asked their security teams if they were protected. For most, fear, uncertainty, and doubt (FUD) about their security ecosystem hampered their ability to confidently respond. As a result, security leaders had to call in their teams over the holiday to come up with an answer for the anxious board, key stakeholders, and valuable customers. This begs the question: what good are your controls if you don’t even know how they’ll perform in a real emergency?
It reminds me of January 2009 when US Airways flight 1549 made an emergency landing on the Hudson River. Like all flights in the United States, passengers were greeted before takeoff with the standard safety demonstration, “In the unlikely event of an emergency water landing, you may find a floatation device beneath your seat cushion…” Even with this safety announcement, only 33 passengers managed to get their lifejackets out before exiting the plane, and only four put their floatation device on correctly.
To minimize the time it takes for your security team to answer the question, “Are we safe?” during the next zero-day, a programmatic approach to eliminating FUD is required. This approach provides quick assurance to hot vulnerabilities, but also ensures the security team’s “floatation devices”—aka, security controls like firewalls and endpoint detection and response (EDR)—are properly implemented to respond effectively during an emergency.
As seen with many of the cyber breach stories hitting the news today, you cannot assume your controls are configured correctly for your environment. To properly eliminate FUD, you must test your controls so you can establish a baseline of assurance.
Validating controls through breach and attack simulation (BAS) allows organizations to run targeted attacks against certain controls or run multi-stage attacks drawing in many controls to get a broader understanding of an environment’s current security posture and increase overall cyber resiliency.
Testing your environment and controls regularly like the malicious actors would test them is imperative to accurately understanding your organization’s cybersecurity portfolio. To minimize FUD, cybersecurity teams should test like an attacker. Backdoors, segments currently not being monitored, network configurations, and LANs are just a few examples of mechanisms used by bad actors to access your organization.
A big assumption organizations make is that they cannot test their production environment because they want to protect it. Threat actors do not have this mindset. As a result, it is imperative that the entire breadth of the organization is tested. Finding vulnerabilities before the threat actors scanning your network will eliminate FUD and provide a level of assurance to your organization’s board, key stakeholders, and customers.
Running attacks throughout your entire environment—not just pointed components—allows your security team to have a holistic picture of your security posture. The level of sophistication of attacks today means they often consistent of complex, multi-stage steps. As a result, no part of your environment is safe from compromise.
While it may be nearly impossible to stop every attack from happening, you may be able to stop the attack on the way out of the environment as opposed to on the way in. To prepare for this reality, organizations must invest in running attacks throughout their entire environment. In doing so, you are able to see what tactics trigger which controls and maximize coverage of detection before an attack happens or before an attacker is able to exfiltrate out of your network.
Validating controls continuously minimizes the likelihood of control misconfiguration issues, and allows you to constantly test your environment to meet the ever-changing threat landscape. With an investment in BAS, continuous validation requires minimal work from an organization’s security team. Rather, it allows ongoing tests to be run based on the BAS platform’s attack playbook. By being able to test against the most relevant and up-to-date tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), organizations maximize their control assurance.
A programmatic approach to eliminating FUD requires the right investment in a BAS platform. At SafeBreach, we pride ourselves on our ability to provide a customizable solution that is easily implemented throughout your entire environment. With the largest attack playbook in the industry, that is continuously being updated by our research team to reflect attacks with the most relevant and up-to-date TTPs and IOCs, we are able to optimize your security ecosystem’s ability to respond to an attack.