Dec 17, 2025
Podcast: BAS, APTs, AEV, and CTEM Explained: A Practical Guide to Cybersecurity Acronyms
Hey there, and welcome to the Cyber Resilience Brief, a SafeBreach podcast. The podcast is all about helping you build real-world cyber resilience. I'm Tova Dvorin. In every episode, we unpack what's working, what's evolving, and what you can actually do to stay one step ahead of attackers. In today's episode, we will be speaking with SafeBreach's senior sales engineer, Adrian Culley, who is also our main contact point in the EU. Today, we're going to cover the different acronyms that we find in the industry, whether that's BAS, that's breach and attack simulation, AEV, APT, and CTEM. Happy listening. Okay. So let's talk a little bit about what I call the acronyms. We talk about BAS, we talk about APT, we talk about AEV, we throw out the word CTEM. What do all these mean? Let's talk about it a little bit more. I think it's helpful to people to get some concrete, rock-solid definitions down. And there is, you know, it's common advice in report writing that you should always define something before you use the acronym for it. Unfortunately, our industry is very bad at throwing acronyms around and assuming that everybody knows what they mean. And so let's start with what's commonly referred to as BAS, breach and attack simulation. Very straightforward. A breach means a compromise of a machine. It means somebody that is not friendly or not approved, because it can be a lawful breach, such as legacy penetration testing, security testing, red teaming, and by the way, penetration testing and red teaming aren't the same thing, but that's a whole other discussion. We've got some overlap, but they're not synonyms for each other. But breach means somebody gets access to a computer system, in this context, that they shouldn't have. Attack means hostile. And simulation, I like to use the analogy all the time that we generally say in life that we don't let children play with matches.
Well, in this space, we do, but we make sure that the matches are dumb, and they can't light fires and cause trouble. And that's how we simulate. We're copying general attacks on general IT systems, but we do it in a way, the clue's in our company name, to be fair, that's SafeBreach. We breach safely. So that's what BAS is, and again, our old friend DORA, there's a reason why DORA requires this to be undertaken against critical live production systems. Many partners that we speak to are very uncomfortable with allowing legacy penetration testing individuals, it's not a comment on them, it's about the industry, anywhere near critical high-value live production systems. We're very lucky at SafeBreach as we've been around for quite some time. We have a number of very mature financial entity customers who are using SafeBreach for testing critical live production systems all the time. And that's what we're doing in simulation. We're simulating the attack. We're not identically copying every step of the attack, because we don't want to cause damage. We do leave artifacts. We do also automatically clear them up. But we don't, for example, I always joke with customers that whilst we fully simulate the ransomware kill chain, we don't send out ransom notes and ask for money. So there are some bits of the attack missing. So what was the other acronym that you mentioned? We wanted to talk about APTs. APTs. Thank you for jogging my memory. So advanced persistent threats. And that's a huge part of the breach and attack simulation industry, and some other parts of the cybersecurity industry that we'll be talking about. And cybersecurity in its whole is very much driven by advanced persistent threats. So let's pull that apart. What does advanced mean? Well, it's fairly simple.
Given that we just talked about breach, somebody gets into a system that they shouldn't, it's implicit in the word advanced, as defenders, that the person undertaking this attack knows more than we do. That's how they've got in. That's what advanced means. They're more advanced than us. It's a relative term. Persistent means they won't give up. Let's pull that apart. There's more to that. Where does that come from? Why is that in there? The APT groups in general, particularly when we're referring to North Korea, Iran, China, and Russia, are nation-state backed. Now, the way that intelligence agencies work around the world is almost all intelligence agencies, with very few exceptions, are not self-tasking. Intelligence agencies are tasked by their governments, and they're given a list to focus on for every twelve months. It can be longer term, but it's generally refreshed and revisited every twelve months. That list is referred to as a collection plan. That collection plan gives, from the politicians and the heads of military to the intelligence agencies, targets for their intelligence activities for the next twelve months. That is coupled with budgets. Now, unfortunately, if you find yourself named in somebody else's collection plan, the agencies undertaking that activity don't get to choose what they're doing because they're tasked, that's why they have a collection plan, but also they have funding. And as long as they're told to keep targeting you and they still have resources, first and foremost funds, they will remain persistent. And that's what we really mean by persistent. An attacker that's not only not going to go away, but has the resources to keep going. It's the evil twin of resilience, if you think of it. Now, threat is really straightforward as well, but again, it's worth pulling out. Threat means they're hostile. You'll rarely, if ever, hear anybody talking about their advanced persistent friend.
Except maybe on some very specialist stalking forums, but that's not what we're talking about today. It's implicit in threat that they're hostile. They do not mean us well. So you're saying that, in essence, APTs have means, motive, and opportunity to want to hack into our systems. Exactly that, Tova. And the reason that they're skilled is because they get trained, they're skilled because they have experience, and their training, their entire teams, their training is very exacting. They write their own tools from scratch. We'll talk in a future podcast about the origins of zero-day and why that's sometimes helpful and sometimes not helpful, but they write their own attacks. They're very good at exploits. Very often they've been inside systems without invitation for some time before they're discovered, and they just won't go away. And the difficulty for defenders is, even if you close off one avenue of attack, it's difficult to be sure, and it's like the ancient Greek myth of the Hydra, where every time you cut off one head, another suddenly grows back. And experienced incident responders will be aware of this. It actually takes a very long time to be certain that you've cleared an APT threat out of your systems. Dwell time, we've mentioned before, is the length of time between breach and exposure, breach and discovery. It's not trivial and not for the faint-hearted. It's why attackers are very often successful. It's also why cybersecurity is difficult, because it's easy to get wrong, and it's quite frankly why cybersecurity is a high-value industry, because the impact of not being cybersecure is fatal to businesses today. So that helps, I hope, people understand exactly what we mean when we're referring to advanced persistent threat, APT, groups. Especially since there's another APT, which is automatic pen testing, and that's easy to confuse as well.
It certainly is. And also, you know, if you come across that term, do rigorously ask what people mean by automated penetration testing. You know, it's trivial to have code that is recursive or iterative. Just because something endlessly repeats, that technically would make it automatic. Is it useful? That's a whole other question. Right. Well, that brings us to the next evolution. Right? Because we've been talking about BAS for pretty much the last seven to ten years, and penetration testing perhaps even longer than that. But now we're seeing yet another acronym in the market, which is adversarial exposure validation, or AEV. What can you tell us about that? Great question and great point, Tova. AEV often gets misquoted as adversary emulation validation. It isn't; it's adversary exposure validation. We'll come back to simulation and emulation in a little while. But adversary emulation, see, exposure, I'm doing it myself here. Obviously, exposure is about making sure, and there's another acronym that comes into play here, which is continuous threat exposure management. They're two sides of the same coin. It's about trying to be intelligence-driven in what we're doing. A great example of this is the European Central Bank, the ECB's TIBER framework for penetration testing. The TIBER framework, I know we're drowning in acronyms here, but the TIBER framework is threat intelligence-based ethical red teaming, T-I-B-E-R, threat intelligence-based ethical red teaming. And the whole point of that is to be trying to unpick and uncover adversary exposure by making sure that your actions are based upon threat intelligence. And why do we want to do that?
Well, because the holy grail of that is our threat intelligence is the latest indicators of compromise, IOCs, tactics, techniques, and procedures, TTPs, and the cutting, bleeding edge of that, which is what we aim to deliver on the service level agreement within twenty-four hours of an actionable advisory, is actually attack code. The actual script and/or binaries to fully unpick and test our assets against what an adversary would be attacking. And why are we doing that? Well, we're trying to, it's basically another way of saying hack yourself. We're trying to expose our weaknesses before an attacker does. So exposure sort of has a double meaning. It's partly finding things that are exposed, but it's partly as well seeking to uncover those exposures for ourselves before anybody else does. You know, if you think of, obviously, exposure validation as being a twin, a cousin of continuous threat exposure management, they're intimately connected, very closely connected, but not identically the same thing. But that then loops me back around nicely to two terms that are often conflated and confused, which is simulation and emulation. Now, simulate, unlike continuous and automatic, which aren't congruent and can occur together but are different things, simulation and emulation are actually closely connected, a bit like AEV and CTEM. And emulation is a subset of simulation. So the analogy I like to use all the time is for anybody who's ever seen the Rocky movies or has had any exposure to boxing whatsoever. Simulation is like the general gym training for a prize-fighter boxer. Their coach, their trainer, the tools in the gym, the punch bag, their skip rope, their going out running, all the things that you've seen in the movie Rocky. That's general fitness, and that's simulation. They're making sure that they're as ready as possible for their next fight and for fights in general. Emulation, however, is like a sparring partner.
It's a subset of simulation. And rather than doing that generic exercise and training and coaching and philosophy, emulation is the sparring partner. That's not secret in boxing, but it's often overlooked. Professional prize-fight boxers, their teams seek out other boxers who are very close in ability and skill to the next opponent for them to train and fight against, so that they're emulating their opponent. They don't have the luxury of fighting the real opponent in the ring, so they seek out another very highly skilled boxer that's as close as possible. That's adversary emulation, attack emulation. So it's a subset of simulation. When we're simulating attacks, we're looking at broad things. A great example is we have a behavioral endpoint attack scenario that has no IOCs or URLs, and it is all living-off-the-land code techniques. It's an uber hyper hacking master class that's very, very successful, because you can't easily block raw code. I mentioned earlier, it's all dual use. I mean, yeah, earlier podcast. And for that reason, applying cybersecurity to actual raw code is very difficult. You can go to great lengths with things like PowerShell, for example, to make sure that only appropriate members of staff have got access to PowerShell. And a top tip here is also, Microsoft can be a little bit naughty. When they upgrade you to a new version of PowerShell, they leave the older versions behind. A very good housekeeping tip is to make sure you've disabled and cleared out all old versions of PowerShell. Because even the earliest version of PowerShell is very useful to a hacker. And if you don't even know it's there, that's the hacker's favorite thing. But even if we really pin down PowerShell in terms of permissions, the other reason that hackers are doing credential harvesting is they only need to be lucky once.
They only need to get one account that gives them access to your PowerShell instance, and they're up and running. So we've talked about advanced persistent threats. We've talked about adversary exposure validation. All these things are interconnected. We've talked about continuous threat exposure management. We've talked about simulation and emulation. Again, all of these things are now a benchmark standard at the heart of mature cybersecurity that are necessary for securing any data estate, whether it's a small-to-medium enterprise, whether it's a larger, more mature global organization. We're constantly seeking to reverse the upper street advantage. That's why we have all these acronyms, why we have all these areas of focus. I mean, it is possible. We do achieve it on a day-to-day basis, but it requires heavy lifting. It requires hard work. It requires skilled staff across the board. Not only red teams, blue teams, and purple teams, but we need to be using, the attackers are now harnessing AI. We need to be harnessing AI to do as much heavy lifting on our behalf as possible. Attackers never sleep. Certainly, their AI attack modules never sleep. Therefore, our response now has to be twenty-four seven, three sixty-five. That needs to be coupled with, as we previously discussed, zero trust. In zero trust, we're effectively validating everything as far as we can. You know, we have a number of customers, partners, very interesting, who use our platform for their larger companies who are doing mergers and acquisitions. They use our platform for doing a health check on IT assets that they've bought in a merger. Interesting. You know, it's a very, very interesting use case, as in, great, you're growing your business in the marketplace, but if you approach this from a risk management, risk appetite, risk mitigation aspect, and back to the exposure word, when you buy that other company and connect your systems, what are you exposing yourself to?
And a great way of approaching that is validate. Trust but validate. Trust but validate. The Cyber Resilience Brief is a SafeBreach podcast produced by Tova Dvorin and executive produced by Adrian Culley. Sound design provided by Adobe Podcasts. Distribution provided by Podbean, and extra support and love from the SafeBreach team. For more information on how adversarial exposure validation through SafeBreach can protect you and your business, no matter where you reside or what industry you're in, please visit us at www.safebreach.com. In today's episode, we speak with SafeBreach's senior sales engineer, Adrian Culley, who's also our main contact point in the EU, about the different acronyms that we find in our industry, whether that's AEV, BAS, APT, CTEM, all the different terminology you might have heard thrown around. We're going to untangle the myths, clarify some things, and laugh a little along the way. Happy listening.
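The housekeeping tip in the episode, that Windows leaves older PowerShell engines behind when a newer one is installed and that you should know whether they are still there, is something you can check for yourself. The script below is an added example written for this page; it is not SafeBreach code and is not from the podcast. It assumes an elevated Windows PowerShell 5.1 prompt on a Windows client, where the legacy 2.0 engine is shipped as the optional features named MicrosoftWindowsPowerShellV2Root and MicrosoftWindowsPowerShellV2 (on Windows Server the equivalent is the PowerShell-V2 feature, queried with Get-WindowsFeature and removed with Uninstall-WindowsFeature). The reason the 2.0 engine matters to a defender is that it predates script block logging and AMSI, so anything run through it leaves far less evidence than the same command run in 5.1 or 7.

```powershell
# Added example (not SafeBreach or podcast code): inventory the PowerShell engines
# present on this Windows host and report whether the legacy 2.0 engine is still
# enabled. Pass -Remediate to disable it. Requires an elevated Windows PowerShell prompt.
param(
    [switch]$Remediate   # without this switch the script only reports
)

# 1. The engine you are running in right now.
"Current engine: PowerShell $($PSVersionTable.PSVersion)"

# 2. Windows PowerShell (powershell.exe) and PowerShell 7+ (pwsh.exe) install side by
#    side; list every copy on the PATH so none is forgotten during housekeeping.
Get-Command powershell.exe, pwsh.exe -ErrorAction SilentlyContinue |
    Select-Object Name, Source, Version |
    Format-Table -AutoSize

# 3. Is the PowerShell 2.0 engine still installed as a Windows optional feature?
#    Feature names starting with MicrosoftWindowsPowerShellV2 are the v2 engine.
$v2Features = Get-WindowsOptionalFeature -Online |
    Where-Object FeatureName -like 'MicrosoftWindowsPowerShellV2*'

foreach ($feature in $v2Features) {
    "{0,-40} {1}" -f $feature.FeatureName, $feature.State
}

$v2Enabled = $v2Features | Where-Object State -eq 'Enabled'

# 4. Remediate only when explicitly asked: disabling the feature removes the
#    downgrade path that lets a script run under the poorly logged 2.0 engine.
if ($v2Enabled) {
    if ($Remediate) {
        foreach ($feature in $v2Enabled) {
            Disable-WindowsOptionalFeature -Online -FeatureName $feature.FeatureName -NoRestart | Out-Null
            "Disabled $($feature.FeatureName)"
        }
    } else {
        "PowerShell 2.0 engine is enabled on this host; re-run with -Remediate to disable it."
    }
} else {
    "PowerShell 2.0 engine is not enabled on this host."
}
```

Run it once without arguments across a sample of hosts to see how common the leftover engine is, then with -Remediate once change control allows; the report-only default keeps the check safe to schedule from an endpoint management tool. Note that the 2.0 engine also depends on .NET Framework 2.0/3.5, so on hosts where that feature is absent the engine cannot start even if the feature name shows as enabled.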
Subscribe on Your Preferred Platform
In This Episode
In this episode of the Cyber Resilience Brief, hosts Tova Dvorin and Adrian Culley break down some of cybersecurity’s most used—and most misunderstood—terms in a clear, practical way.
They cover:
• What Breach and Attack Simulation (BAS) really means in practice
• How Advanced Persistent Threats (APTs) operate—and why persistence matters
• What Adversarial Exposure Validation (AEV) is (and isn’t)
• How CTEM (Continuous Threat Exposure Management) connects it all
• The difference between attack simulation and adversary emulation
This episode cuts through the jargon with plain-language explanations, real-world context, and why these concepts matter in the first place.
If you’ve ever heard these acronyms used interchangeably—or wanted an explanation you can actually use—this episode is for you.