
Feb 22, 2023

The Not-So Obvious Benefits of Breach and Attack Simulation

Learn more about the often overlooked applications of breach and attack simulation (BAS) that can help organizations address pressing real-world security challenges.

Breach and attack simulation (BAS) platforms provide immense value for the modern organization. Their four key capabilities (attack, analyze, remediate, report) grant unparalleled insight into security infrastructure. By safely executing real-world attack simulations across the cyber kill chain, BAS solutions can continuously, and in near real time, validate that security controls are in place, properly configured, and working as intended. This provides visibility into an organization’s security ecosystem, enabling security teams to continuously validate control effectiveness at every layer and stage of the attack process. In short, BAS helps identify critical threats, uncover vulnerabilities, share findings with key stakeholders, and prioritize remediation. However, BAS has a great many benefits beyond the obvious, for both the consumer and the cybersecurity industry at large.

Cyber Insurance Salvation – Standardizing the Sector

Cyber insurance is one of the most hotly debated topics in the tech sector. Whether you’re on the side of the believers or the naysayers, extortionate and ever-increasing premiums are a problem that simply can’t be ignored. If the many benefits of cyber insurance are to be realized, it’s imperative that premiums are cut down to an attainable level.

The problem lies in the inevitability of cyberattacks, as well as the relative lack of insight into the efficacy of cybersecurity protections, especially when compared to more traditional insurance lines. If we think of it in terms of home insurance, the security of a house is relatively easy to establish by answering some simple questions. For example: Does it have burglar alarms installed? Do the locks meet regulatory standards? What’s the crime rate of the area? This approach, however, doesn’t really translate to cybersecurity. 

The complexity inherent in cybersecurity means it’s difficult to assess the security of an organization. If you walked into a home insurance provider looking for coverage on a house that was certain to be burgled, and the insurer was unable to accurately assess the security of that home, you would either be charged an exorbitant rate or laughed out of the building. Such is the case with cyber insurance.

This is where BAS comes in. 

BAS platforms provide organizations and insurers with an unparalleled level of insight into their security posture. Instead of having to make assumptions, insurers are provided with empirical, data-driven insights about the efficacy of an organization’s security controls, informing underwriting and bringing premiums down to an attainable level. 

What’s more, BAS insight could even work to promote much needed standardization within the cyber-insurance sector. While there is a very basic level of standardization in the industry, much more needs to be done to bring cyber insurance up to the level of its traditional counterparts. As insurers use BAS to gain a better idea of just what is needed to protect an organization, they can work together to standardize those controls across the industry. 

If organizations want to reap the benefits of cyber insurance, they should consider implementing BAS tools. In addition to continuous security validation, BAS provides valuable assurance to cyber insurance providers about the status of an organization’s security controls that will likely bring down premiums and potentially save organizations millions in the long run. 

Try Before You Buy – Reducing Third-Party Risk 

Once upon a time, the security posture of an organization made next to no impact on merger and acquisition (M&A) activities. Even recently, studies have found that a mere 40% of respondents think a failure to identify cybersecurity risks could prevent an M&A deal from going through. Worse still, only 26% of respondents think that cybersecurity is an important area for due diligence. 

But the fact of the matter is that cybersecurity is enormously important for M&A. A good example can be seen in the 2016 merger between Marriott Hotels and Starwood, a rival hotel chain. The merger made waves in the hospitality industry, further cementing Marriott as a major player in the luxury hotel space and kicking off a period of growth for the hospitality giant. However, Marriott hadn’t done its cybersecurity due diligence. In 2018, two full years after the merger went ahead, Marriott discovered an attacker burrowed deep in Starwood’s databases. Further digging revealed the hacker had been there since 2014 with access to email addresses, passport details, phone numbers, and other information. Recent estimates suggest the hack affected 500 million guests.

In 2019, the UK data protection watchdog ICO slapped Marriott with a £99 million fine. While the fine was reduced to £18.4 million, the incident serves as a dire warning for organizations that fail to properly assess the security posture of M&A prospects. Had BAS been run on the security infrastructure of Starwood, the vulnerability that enabled the attacker to gain access would likely have been discovered, saving Marriott from a considerable fine and PR disaster.  

So, we’ve established that cybersecurity due diligence is essential for contemporary M&A activity. But is BAS really the best way to do this? What makes BAS such an essential tool for M&A?

As opposed to manual testing, BAS enables continuous and automated testing that streamlines the M&A process and prevents IT from becoming a bottleneck. Major corporations, like PayPal for example, have recognised the value that BAS provides, making it an essential element of their growth plans. BAS platforms enhance speed and efficiency for security teams, eradicating the need for multiple people running manual tests. Staff are therefore freed up to focus on more strategic, ongoing security efforts. Automated test execution then ensures consistent testing that yields invaluable insights. 

In addition to M&A events, third-party risk also presents itself in an organization’s supply-chain security. Recent hacks on Okta, GitHub, and the NHS all stemmed from attacks on a less-secure supply chain organization. Again, running BAS on third-party providers would likely have prevented these attacks. Why spend millions on bolstering your own defenses, only to be hacked because your partners didn’t bother? 

What’s more, with vendor consolidation taking the cybersecurity industry by storm, BAS can be used to determine which tools truly provide the value that vendors are promising. As security vendors scramble to keep up with market demand and consolidate, some will smash together tools into a poorly integrated patchwork, leaving gaps for attackers to squeeze through. BAS allows organizations to determine which tools provide adequate coverage and which don’t.

The crux of the matter is that BAS platforms ensure organizations get what they pay for. Running BAS on M&A prospects, supply-chain partners, and security providers will help organizations determine their level of risk, identify opportunities for improvement, and hold vendors accountable. A relatively small spend on a BAS platform could prevent an attack, potentially preventing enormous financial impacts and a major reputation hit as well. 

Don’t Repeat History – Verify Your Security Tools 

As the dust settled on World War One, French military big-wigs began plans for a “Great Wall of France” along the border with Germany. By 1936, it was complete. Named “The Maginot Line” after France’s late Minister of War, Andre Maginot, it stretched 280 miles, housed thousands of soldiers, and boasted state-of-the-art weaponry. To this day, it is considered one of the most formidable defensive fortifications in history. 

And yet, in 1940, it did little to protect France from the oncoming German army and Hitler’s infamous “blitzkrieg” style of war. Instead of launching a doomed attack on the Maginot line, Nazi invaders circumvented it. They stormed the low countries, meeting little opposition in the fields of Belgium, Luxembourg, and the Netherlands, before launching a surprise attack in the Ardennes. In a matter of weeks, Paris would fall.

CISOs and other cybersecurity professionals have much to learn from France’s mistakes. Just because you have an impressive arsenal, it doesn’t mean you’re impervious to attack. As any self-respecting cyber-pro knows, there’s always another way in.  

BAS platforms help ensure that mistakes like this don’t happen. They execute attack simulations that validate real attack paths, helping organizations understand where the gaps are and take remedial action before hackers can exploit vulnerabilities. What’s the point in boarding up the front of your house, just to leave the back door unlocked? Run BAS to cover your rear.

Regulation is Coming – Stay Compliant With BAS 

Geopolitical relations haven’t been this tense since the Cold War. As conflict flares up across the globe, economies have been destabilized, thousands have been left without power, and the threat of nuclear war has been dredged from the annals of history. On top of all that, critical national infrastructure (CNI) is under threat from malicious actors. 

As governments wake up to the notion of cyber as a genuine avenue of war, a wave of regulation will sweep the private sector. We’ve already seen precursors to this in the UK—a proposal for new regulations and codes of practice for the telecoms sector was released in August 2022, with its content set to be mandated by March 2023. 

One of the most significant requirements set out in this proposal is number fourteen: testing. Upcoming regulation will “mandate the use of testing that simulates, so far as is possible, techniques that might be expected to be used by a person seeking to cause a security compromise.” What’s more, “the draft code of practice contains measures that include the use of appropriate threat-based penetration testing such as the TBEST scheme run by Ofcom.” 

While the proposal doesn’t explicitly mention BAS, the testing requirements it lays out are best met with a BAS platform. While manual testing would meet said requirements, BAS automates the process, providing around-the-clock risk assessments while easing the strain on security teams. The comprehensive attack playbooks that the best BAS platforms provide also ensure that telecoms are resilient against a huge range of threats and threat techniques, something that cannot be achieved with manual testing.

Incoming regulation, while necessary, will be a strain on UK telecoms. More resources, time, and staff will be required to ensure compliance. Purchasing a BAS platform will ease that strain. 

To conclude, BAS provides a whole host of benefits beyond pure security control validation. It has the potential to democratize cyber insurance, streamline the M&A process, ensure the security of supply-chain partners, hold security tool vendors accountable, and ease the strain of compliance in the face of stringent regulation. What’s more, BAS provides huge value for the money—in fact, it’s a mere drop in the ocean when looked at within the context of the wider security stack. Far from serving a single, isolated function, BAS ensures that all of your security tools are working as they should. Spend a fraction of your security budget on verifying your defenses, and save thousands by jettisoning dead weight. 

This article first appeared in Teiss.
