Page 71 - Security Today, March 2020

“By following a few best practices and knowing what to test for, organizations can ensure their holistic approach is truly keeping them secure.”
and vulnerability scanning, but on a more automated, non-intrusive, benign and continuous basis.
In addition to testing exploitation techniques, they can include machine learning and automation of the various steps in an attack chain, such as command and control, lateral movement, resource access and exfiltration.
Simulations can be customized to mimic threats targeting various surface areas and multi-vector attacks. Reporting and post-simulation visualization show security teams how the attacks were conducted and handled.
Building a Foundation for Attack Simulations
A good attack simulation strategy should start by covering the basic attack factors that do not change. For example, you know that at your office you have a door, lock, camera and other controls.
There are a million ways someone can break into your building, but do you need to try to stop all of them? No. You focus on controlling your environment — being able to see when someone gets in and how, and how you will be alerted so you can respond immediately.
Attack simulation tools should test what we know is true about attacks and attackers. Attackers need to get from point A to point B for a network attack. Once they are inside a host on your network, we know the path they need to follow and how you can follow them.
You need to identify what attackers are going to do in any breach or other type of attack. There is a myth that most attacks are really sophisticated and complex, but in reality many attacks do the same things using the same techniques — and that’s what you can test for.
An attack simulation should cover the entire attack chain from network intrusion to system and network reconnaissance, payloads and behaviors such as creating user accounts, collecting and archiving data, encrypting data and exfiltration, as well as escalating privileges and “living off the land” to hide in plain sight with built-in tools like PowerShell.
Organizations should first figure out what is normal versus abnormal behavior in their network. You can’t account for all variables in a cyber attack — do the basics super well, and 9 times out of 10, you’ll be successful.
Four Ways to Validate Your Security Solutions Holistically
In order to bring your security model from zero to hero, you need to identify what tools you have and how to leverage them most effectively.
You also must be able to test all of your solutions to ensure they detect and mitigate the risk that threats pose to the network. Here are four main technology issues that attack simulation tools enable you to test for:
Misconfigurations. Organizations often have major difficulties stemming from a suite of security tools that are not configured properly. For example, many teams are so inundated with false positives that they end up turning off or ignoring their alerting from certain sources to their SIEMs.
This can lead to breaches going undetected, which increases adversary dwell time. If security teams can replicate the breaches and fine-tune the systems beforehand with attack simulation, they can prevent or quickly discover future attacks.
Security decay. Just as new cars lose their ability to function properly over time, security posture can suffer from efficacy decay too. Over time, as systems continue to function without being patched and new malware and exploits are developed, the systems and network security posture decays much like wear and tear on a new car.
In information security, the problem is that there’s no way to measure security posture decay, including that of software within an organization’s technology stack, unless you’re testing for it. Attack simulation tools can diagnose and prevent security decay because they allow teams to constantly test systems to ensure they are up-to-date and remain secure.
Overlap. Another vendor sprawl challenge comes from tools that duplicate capabilities. Companies end up spending resources on tools they don’t need because they can’t measure the coverage they have.
By using attack simulations, companies can see the overlap and reduce the cost of their product spend. For example, organizations can utilize the MITRE ATT&CK framework to map coverage of mitigation for attack techniques, which can show capability overlap.
Tools That Don’t Work in Your Environment
Every organization has a unique security environment they must account for. Not all tools will work effectively. Thus, it’s important to validate potential tools in your own environment before making the purchase instead of only testing them in the vendor’s lab environment.
Use attack simulations to set up your tools under normal working conditions and test common attack techniques. This is the best method of ensuring that your network is adequately prepared for the common attacks perpetrated by a growing number of hackers operating across the globe.
For example, simulate a network attack to make sure the device can respond, whether it relies on signature-based or anomaly-based detection. To simulate an endpoint attack you can imitate a hacker on the box to ensure that the solution effectively blocks and responds.
Attack simulations are vital tools that can help an organization see if its security model has holes or weaknesses. But don’t wait to start testing.
Too many organizations get breached, and then find that it’s the first time they ever looked at their logs or discover that key security tools aren’t working properly. Every organization has the capability to do this – there is no such thing as “we’re not ready.” In this way, attack simulations are the great security equalizer.
Marcus Carey is the enterprise architect at ReliaQuest.