Breach and attack simulation (BAS)—the three-letter acronym can be spoken as one word and pronounced like the fish “bass”—has emerged as a highly effective way for cybersecurity leaders to proactively defend against an increasingly volatile threat landscape. By safely executing real-world attack simulations across the cyber kill chain, BAS solutions give security teams unmatched visibility into their security ecosystem, enabling them to continuously validate control effectiveness at all layers and stages of the attack process. BAS helps identify critical threats, uncover vulnerabilities, share findings with key stakeholders, and prioritize remediation efforts.
BAS has swiftly become one of the fastest rising cybersecurity technologies, quickly moving from best-kept secret to must-have tool of leading CISOs and security teams around the world. And as the economy and security budgets wobble, it’s no wonder Gartner has named BAS technology at peak interest with a high benefit rating. Whatever level of BAS knowledge you possess, there’s always more to be learned, and now is the time to brush up on all things BAS.
So sharpen your pencils because by the end of this BAS 101 blog miniseries, you’ll possess the knowledge needed to:
- Comprehend the processes and outcomes enabled by BAS
- Understand the unique role BAS will play in your security ecosystem
- Evaluate the critical capabilities needed in a scalable BAS solution
- Make the case for BAS in your organization
Today we’ll create a starting framework by exploring some of the most elementary questions: What is BAS? What value does it provide? Who does it benefit? And how is it different from other methods of security control validation?
What Is BAS?
Automated BAS solutions leverage threat intelligence to run real-world attack scenarios against production applications and infrastructure within your environment—safely and at scale. They test whether systems are vulnerable to attacks by continuously validating security control effectiveness while providing visibility into how the entire security ecosystem responds at each stage of defense.
While often called “simulations,” BAS scenarios utilize real exploits, tools, behaviors, and scripts to mimic real-world attacks that can be customized to focus on specific industries, attack methods, and actor types. BAS solutions can also be further tuned using integrations with:
- Security controls and security information and event management (SIEM) solutions to provide visibility and context around defense mechanisms and process effectiveness
- Threat intelligence and attack frameworks to operationalize threat intelligence and focus on the threats that matter most to an organization
- Vulnerability management solutions to help prioritize remediation activities
- Workflow and SIEM solutions to streamline remediation processes and improve security posture
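As an added illustration of the validation loop described above (example code written for this post's topic, not SafeBreach's platform or any vendor's code), the Python below scores a small constructed scenario. Each simulated step carries a unique marker; SIEM events are correlated back to that marker to classify each stage as prevented, detected, or missed; every stage runs regardless of whether the earlier one was blocked; and a second function flags stages that regressed between two runs. The scenario, the set of blocked markers, and the SIEM export are constructed sample data, and the event field names (`ts`, `rule`, `message`) are assumptions rather than any SIEM's schema.

```python
"""Minimal BAS-style control-validation harness (added example, not product code).

Each simulated step carries a marker (fixed strings here so the constructed SIEM
export can reference them), runs independently of the other stages, and is scored
by correlating SIEM events back to that marker: prevented, detected, or missed.
"""
from dataclasses import dataclass
from enum import Enum
import json


class Outcome(str, Enum):
    PREVENTED = "prevented"  # a preventive control blocked the simulated action
    DETECTED = "detected"    # the action ran, and a SIEM alert referenced its marker
    MISSED = "missed"        # the action ran and no alert referenced it


@dataclass(frozen=True)
class Step:
    stage: str   # kill-chain stage label
    name: str    # what the (safe) simulated action does
    marker: str  # unique tag embedded in every artifact the step creates


@dataclass
class StepResult:
    step: Step
    outcome: Outcome
    evidence: list  # SIEM rule names that referenced the marker


# Constructed scenario; the stage labels follow the ones used in the post.
SCENARIO = [
    Step("infiltration", "deliver a benign test payload via simulated phishing", "bas-7a1e"),
    Step("lateral-movement", "simulated remote logon to a lab host", "bas-3c90"),
    Step("exfiltration", "outbound transfer of a benign marker file", "bas-e5d2"),
]

# Constructed behaviour of the environment under test: markers the preventive
# controls blocked. A real harness observes this by actually running the action.
BLOCKED_BY_CONTROLS = {"bas-7a1e"}

# Constructed SIEM export, one JSON event per line as a search API might return it.
SIEM_EXPORT = """\
{"ts": "2024-05-01T10:00:03Z", "rule": "EDR: blocked payload", "message": "quarantined file bas-7a1e.bin"}
{"ts": "2024-05-01T10:00:41Z", "rule": "Unusual remote logon", "message": "logon type 3 from lab host, tag bas-3c90"}
{"ts": "2024-05-01T10:01:02Z", "rule": "Scheduled backup job", "message": "nightly backup finished"}
"""


def parse_siem_export(export: str) -> list[dict]:
    """Parse line-delimited JSON; skip blank or malformed lines instead of aborting."""
    events = []
    for line in export.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def score_step(step: Step, blocked: set, events: list[dict]) -> StepResult:
    """Correlate SIEM events to the step's marker and decide the outcome."""
    evidence = [e.get("rule", "") for e in events if step.marker in e.get("message", "")]
    if step.marker in blocked:
        outcome = Outcome.PREVENTED
    elif evidence:
        outcome = Outcome.DETECTED
    else:
        outcome = Outcome.MISSED
    return StepResult(step, outcome, evidence)


def run_scenario(steps, blocked, export) -> list[StepResult]:
    """Run every stage regardless of earlier outcomes (assume-breach), unlike a
    pen test that only proceeds past infiltration when infiltration succeeds."""
    events = parse_siem_export(export)
    return [score_step(s, blocked, events) for s in steps]


def coverage_report(results) -> dict:
    """Per-stage outcomes plus the share of steps a control prevented or detected."""
    by_stage = {r.step.stage: r.outcome.value for r in results}
    handled = sum(r.outcome is not Outcome.MISSED for r in results)
    return {"stages": by_stage, "validated_ratio": handled / len(results) if results else 0.0}


def regressions(previous: dict, current: dict) -> list[str]:
    """Stages that were prevented or detected before but are missed now (security drift)."""
    return [stage for stage, outcome in current["stages"].items()
            if outcome == Outcome.MISSED.value
            and previous["stages"].get(stage) not in (None, Outcome.MISSED.value)]


if __name__ == "__main__":
    report = coverage_report(run_scenario(SCENARIO, BLOCKED_BY_CONTROLS, SIEM_EXPORT))
    print(json.dumps(report, indent=2))
```

Running the block as written reports infiltration as prevented, lateral movement as detected, and exfiltration as missed (a validated ratio of two thirds); comparing that report against a previous run in which exfiltration was detected returns `["exfiltration"]` as the regressed stage. The marker-substring correlation is the simplest honest approach: a harness that tags its own artifacts does not need to guess which alert belongs to which step.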
What Value Does BAS Provide?
BAS enables continuous security validation that improves security operations efficiency, enabling a faster and more effective way to reduce critical business risk. Rather than putting out fires or wasting time with manual and semi-manual control validation—like penetration testing—security teams can accomplish more with fewer resources and remain focused on new high-priority attacks and suspected vulnerabilities. By integrating with other parts of the security ecosystem, including SIEM solutions, security orchestration, automation, and response (SOAR) solutions, threat intelligence, and vulnerability management (VM) solutions, BAS can also generate a holistic view of security posture across the entire enterprise attack surface that is not otherwise available.
From a strategic perspective, this level of visibility enables stakeholders to formulate long-term security plans and inform resourcing decisions. It can also help justify security investments, secure additional budget, and ensure strategic alignment. The continuous nature of simulations also enables enterprises to progressively track, improve, and clearly communicate about their security posture over time. Taken together, BAS provides mission-critical functionality to help organizations quickly address gaps in security controls, gain unmatched visibility into how their security ecosystem is performing, and, ultimately, strengthen cyber resilience.
Who Benefits from BAS?
BAS is a platform technology with myriad users not only in security, but also IT, finance and procurement, and compliance.
Security
The core users of BAS have jobs that require them to interact daily or even hourly with BAS dashboards and remediation guidance.
- Red teams use BAS to automate and streamline testing processes and allow them to focus on new ways to attack, while spending less time probing for flaws to exploit.
- Blue teams use BAS to validate security control effectiveness, prioritize remediation requests to security engineers, and target rapid response exercises.
- Security operations use BAS to validate, monitor, and improve SIEM and security operations center (SOC) detection capabilities.
- Threat intelligence personnel integrate their tools to automatically inform BAS administrators and security engineers on what simulations to run, using which TTPs and playbooks, and report on the organization’s effectiveness against tracked threats.
- Vulnerability management uses BAS to identify the most critical vulnerability areas and security gaps and appropriately target patching where compensating controls are not effective.
- Security engineers use BAS to guard against security drift and to validate that security controls are protecting properly and are not misconfigured.
IT
Working in conjunction with the security team, IT teams are in charge of applying patches and handling hardware and endpoint protection configurations. IT teams use BAS to guide patching prioritization and to identify which employees require updates to their hardware and systems.
Finance & Procurement
Finance and procurement teams might use BAS data to create metrics measuring the value of different security control solutions and determine where money is best spent for expanding existing solutions or replacing them with better technology.
Compliance
Compliance teams can use the empirical data provided by BAS results to demonstrate that security controls have been validated, which is a key component of compliance requirements for many organizations. BAS also continuously tests the entire security ecosystem, not just environments under compliance, which can help compliance teams ensure blind spots do not form from following compliance requirements alone.
How Is BAS Different from Alternative Methods?
There are a number of approaches to security control validation. However, by and large, these approaches come with limitations, requiring significant time and expense, while offering limited coverage. Below, we have provided a brief description of each method and its limitations as compared to BAS.
Penetration Testing
Penetration testing—also known as pen testing—is the process of evaluating the security of an environment by attempting to exploit weaknesses that may exist. This form of testing is inherently dependent on successful infiltration, meaning it will only continue to the next stages of an attack (e.g., lateral movement inside your network or attempted data exfiltration) if infiltration is successful. Pen testing is also reliant upon the relative skills and expertise of the people conducting the efforts. This means the scope, quality, efficacy, and results of pen testing can vary substantially, making it difficult to compare the results of different tests and track progress. Further, the manual nature of these tests means they can be costly, unscalable, time-consuming, and error-prone. Due to the high cost, these assessments can typically only be conducted annually or semi-annually and, as such, only provide point-in-time insights.
Red Teaming
Red teams work together to simulate a team of cyberattackers. These teams take an offensive approach, seeking to pursue vulnerabilities and conduct attacks. Typically, the types of experts needed to staff effective red teams are in short supply and demand high salaries, making the prospect of building a new red team costly and daunting. Also, due to the nature of red teaming, it can be difficult to scale out attacks or run multiple scenarios.
Attack Path Management
Attack path management is the process of validating external attack surfaces to understand how an attacker might leverage assets to gain access into your network—this generally includes solutions like attack surface management (ASM) and VM. Unlike pen testing, these forms of testing do focus on infiltration and lateral movement inside your network; however, they do not execute actual attacks. Instead, they run heuristics to deduce possible attack paths and do not, as a result, trigger controls or enable the evaluation of control efficacy. They also typically lack context about the likelihood of a vulnerability being exploited or the risks associated with an identified exposure. Consequently, the output of these systems can create a lot of “noise,” while offering minimal insight to guide prioritization or consideration of overall business risk.
Until next time, class is dismissed. Be sure to watch for more BAS 101 blogs over the coming weeks as we dive deeper into the critical elements of BAS and help you better understand the role of BAS in your security ecosystem. For all you overachievers, feel free to work ahead of the lesson plan by downloading our new white paper: The Four Pillars of BAS.
Want to learn more about why leading organizations—like PayPal, Netflix, Experian, and Johnson & Johnson—have chosen SafeBreach’s industry-pioneering BAS platform to support their continuous security validation programs? Connect with a SafeBreach cybersecurity expert or request a demo of our advanced BAS platform today.