With the non-stop rise in network breaches, SecOps teams often ask themselves: Am I making a difference? It’s a vexing question. You work hard every day, but it has always been hard to prove that you’re making a measurable impact. Until now.
Achieve SecOps Success with Breach and Attack Simulation
By now, you’ve heard about breach and attack simulation (BAS) and how it’s helping SecOps teams improve their network defences by safely emulating attacks on their live network.
To help you understand the impact BAS can have, you might be interested in this article. We even deconstructed a kill-chain assessment using Keysight Threat Simulator! It’ll take you one step closer to measuring your security effectiveness and proving that your team is making a difference.
Get an in-depth look at breach and attack simulation (BAS) platforms. Using Keysight’s Threat Simulator as an example, you’ll discover how these tools work and why SecOps teams rely on them.
Table of contents
Why Are Enterprises Still Getting Breached — and How Are SecOps Tools Helping?
Go Hack …Yourself?
What Are Breach and Attack Simulation Tools?
Deconstructing a Kill Chain Assessment: A Real-World Example Using Keysight Threat Simulator
Why Security Tools Fail — and How BAS Tools Address These Problems
SecOps Will Always Be Important Because There Will Always Be Vulnerabilities
Prove You Are Making a Measurable Impact
Why Are Enterprises Still Getting Breached — and How Are SecOps Tools Helping?
Despite advancements in security, data and security breaches are occurring at an ever-increasing rate and severity. Yet despite the sophisticated range of exploits attackers can employ, they often opt for the path of least resistance. In fact, according to Ponemon, nearly half of all breaches stem from human error, system glitches, and misconfigurations.
Most enterprises rely on security operations (SecOps) teams to defend against these kinds of threats. One of their fundamental goals is to use security tools to protect network resources. Tools strengthen SecOps through the faithful execution of critical security tasks so that network and security engineers can address inevitable problems faster, use their time more effectively, and better understand their overall risk model. Moreover, hybrid production networks are increasingly becoming an enterprise standard. That means enterprises need to deploy security tools in both physical and virtual locations (such as major cloud providers) so that network and security operations center (NOC/SOC) engineers can effectively secure them.
However, managing a seemingly endless list of patches, updates, and new releases can prove near impossible. Attackers are persistent. Without a way to continuously probe for vulnerable misconfigurations and gaps, it’s only a matter of time until they find their way in.
Go Hack …Yourself?
To get in front of attackers, many SecOps teams have flipped the script and started hacking themselves. Simulating attacks on preproduction and live network environments helps teams assess what is working and identify vulnerable misconfigurations and gaps. Multiple approaches abound, including the following:
- Breach and attack simulation: These tools enable continuous attack emulation for production networks. Comprehensive and safe, they are preferred by enterprise teams that want to balance low risk with high effectiveness.
- Penetration testing and red teams: This “white hat” approach involves teams that actively try to get past a production network’s defences. However, this approach is a higher risk (because the attacks could damage the production network) and provides insights from a single point in time only.
- Predeployment security testing: Network equipment manufacturers favour this comprehensive, low-risk security validation technique. Tools such as Keysight BreakingPoint offer detailed insights.
- Vulnerability scanning tools: These computer programs scan networks and applications for known weaknesses. While this approach does not pose any risk to security tools, its effectiveness is significantly more limited. Since the results of these scans may be thousands of pages long and don’t always contain remediations, SecOps teams are often unable to take comprehensive action.
While each approach has its merits, this white paper focuses on breach and attack simulation (BAS) platforms. Using Keysight’s Threat Simulator as a real-world example, you’ll discover how these tools work and why enterprise SecOps teams rely on them.
What Are Breach and Attack Simulation Tools?
BAS tools enable users to send relevant, targeted attacks from an untrusted zone to container-based software agents deployed within protected zones. By performing automated assessments, SecOps teams can readily assess critical security solutions in their production networks — such as next-generation firewalls (NGFWs), web application firewalls (WAFs), and data loss prevention (DLP) solutions. Moreover, should inline security solutions fail to mitigate a simulated attack, the tool will immediately alert SecOps teams to the vulnerability.
Simulated attack categories include the following:
- malware campaigns
- spear-phishing campaigns
- data exfiltration
- cross-site scripting
- malware
- database exploits (such as SQL injections)
- advanced persistent threats (such as Numbered Panda, PLA Unit 61398, and Lazarus Group)
This is a valuable service on its own, but some tools go a step further. Upon discovering a vulnerability, platforms such as Threat Simulator also include step-by-step remediation instructions. This way, security teams get more than a notification of a potential problem — they receive actionable intelligence that empowers them to close whatever gaps they find.
Unlike penetration testing and red teams (which offer insights from a single point in time), SecOps teams with BAS tools can continuously assess their security tools. Between patches, releases, and threat intelligence data feeds, security solutions, network applications, and other tools face a near-continuous stream of updates. However, these changes require constant verification to ensure that attackers cannot exploit misconfigurations.
To provide timely alerts, SecOps teams often run automated assessments to stay up to date on emerging failures in critical solutions. In most cases, a central dashboard offers a single-pane-of-glass view of assessment results, insights, and alarms — but security information and event management (SIEM) integration is also available for most tools.
In addition to standard reporting, certain platforms (including Threat Simulator) also offer advanced metrics such as data analysis. These detailed insights into network security posture effectiveness enable security teams to make critical adjustments and build data-based plans for future deployments and expansions. Continuous improvement has always been an objective for SOCs, but it has not always been easy to make time for. However, when armed with actionable intelligence, fixes are more apparent, simpler to implement, and faster to deploy.
Deconstructing a Kill Chain Assessment: A Real-World Example Using Keysight Threat Simulator
A kill chain is the complete set of steps that a malicious actor takes to perform an attack. These steps typically start with the initial exploitation, then expand to secondary actions (such as network mapping and enumeration), and end with an objective (such as data exfiltration or installation of a remote-access Trojan). How do BAS tools conduct an assessment like this? Here’s an example of how Threat Simulator emulates Lazarus APT, a complex financial attack executed by North Korean hackers, in four phases:
Delivery
The initial attack occurs via a phishing email described by MITRE ATT&CK technique T1192: “Spear Phishing with a Link.” This is an evasive technique: because the email carries a link rather than a malicious file attachment, it circumvents inline security solutions that analyze files in transit, especially emailed files. An inline system attempting to prevent this technique would need to have a threat intelligence gateway (like Keysight ThreatARMOR) deployed with a rule set to block traffic to the link. Otherwise, the email will land in the victim’s inbox.
In this case, the email will arrive at the Threat Simulator agent within the trusted zone — unless a security solution stops it.
Installation phase 1
This stage relies on MITRE ATT&CK technique T1204: “User Execution.” In this case, the onus is on the user to click on the link provided in the spear-phishing email. The Threat Simulator agent will make an HTTPS connection back to the malicious actor to signal this user action.
Installation phase 2
This phase is a continuation of MITRE ATT&CK technique T1204. The user downloads the PowerRatankba.B malware in the form of a PDF file over the HTTPS connection created during Installation phase 1.
Objective
In this phase, the Threat Simulator agent uses MITRE ATT&CK technique T1047: “Infiltration and Augmentation of the Windows Management Instrumentation” — setting up continuous, admin-level remote access to the targeted Threat Simulator agent.
The Threat Simulator agent works in concert with the platform’s malicious actor to perform each of these four steps. At each stage, it logs whether the inline security solution thwarted the attack — and captures the stage at which the solution thwarted it. Should any stage of the attack succeed, the tool provides detailed remediation techniques so the SOC team can take immediate action to fortify its defensive posture and avert future attacks. Remediations are unique to every assessment — offering valuable guidance to implement defensive security best practices.
Why Security Tools Fail — and How BAS Tools Address These Problems
One of the most common causes of network breaches is the successful exploitation of common misconfigurations, known defects, and established vulnerabilities. Effective patch management and a wide array of security tools are not enough. With BAS tools, SecOps teams can finally prevent two of the most common tool failures that occur during attacks:
- Deployed security solutions did not mitigate the initial exploitation. BAS tools can ensure that proper security rules are initiated when attacks start. Also, automated assessments ensure that overnight changes to security rules get proper vetting before taking effect.
- Deployed security solutions did not mitigate the lateral movement of the attacker after the initial breach. Organizations can deploy BAS tool agents in multiple network zones. If attacks are traversing those zones, alerts will notify the SOC team that security solutions are not scrubbing network traffic.
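The assessment logic described in the kill-chain walkthrough and in the two failure modes just listed, as an added example (not Threat Simulator code): it parses a constructed agent log, records the phase at which each zone’s inline controls stopped the emulated chain, and flags zones the chain traversed unmitigated. The log format, zone names, and phase labels are assumptions; the technique IDs are the ones the walkthrough uses.

```python
import re
# Kill-chain phases in the order the walkthrough above runs them.
PHASES = ["delivery", "install-1", "install-2", "objective"]

# Constructed sample agent log (illustrative, not Threat Simulator output); result=blocked means an inline control stopped that phase.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z zone=dmz agent=a1 phase=delivery technique=T1192 result=allowed
2024-05-01T09:00:02Z zone=dmz agent=a1 phase=install-1 technique=T1204 result=blocked
2024-05-01T09:00:01Z zone=finance agent=a2 phase=delivery technique=T1192 result=allowed
2024-05-01T09:00:02Z zone=finance agent=a2 phase=install-1 technique=T1204 result=allowed
2024-05-01T09:00:03Z zone=finance agent=a2 phase=install-2 technique=T1204 result=allowed
2024-05-01T09:00:04Z zone=finance agent=a2 phase=objective technique=T1047 result=allowed
2024-05-01T09:00:01Z zone=hr agent=a3 phase=delivery technique=T1192 result=blocked
2024-05-01T09:00:05Z agent=a3 heartbeat=ok
"""
LINE_RE = re.compile(r"zone=(\S+) agent=\S+ phase=(\S+) technique=(\S+) result=(allowed|blocked)")

def parse_log(text):
    """Return {zone: {phase: (technique, result)}}; lines that are not phase results are skipped."""
    zones = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            zone, phase, technique, result = m.groups()
            zones.setdefault(zone, {})[phase] = (technique, result)
    return zones

def assess_zone(phase_results):
    """Walk the chain in order; return (stopped_at, blocked_technique, status) with status
    'mitigated' (a phase was blocked), 'incomplete' (a phase has no result) or 'unmitigated'."""
    for phase in PHASES:
        if phase not in phase_results:
            return phase, None, "incomplete"
        technique, result = phase_results[phase]
        if result == "blocked":
            return phase, technique, "mitigated"
    return None, None, "unmitigated"  # every phase, including the objective, was allowed

def assess(text):
    """Per-zone result plus flags for the two tool failures listed above."""
    report = {}
    for zone, results in parse_log(text).items():
        stopped_at, technique, status = assess_zone(results)
        report[zone] = {"stopped_at": stopped_at, "blocked_technique": technique, "status": status,
                        # failure 1: the initial exploitation (delivery) was not mitigated
                        "initial_exploit_allowed": results.get("delivery", ("", ""))[1] == "allowed",
                        # failure 2: the chain traversed into this zone with nothing blocking it
                        "alert": status == "unmitigated"}
    return report
```

The blocked technique ID is what a remediation step would be keyed on; an "incomplete" status means the agent in that zone never reported a phase and the run itself needs investigation.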
SecOps Will Always Be Important Because There Will Always Be Vulnerabilities
In a perfect world, you would never have to worry about latent threats, tool misconfigurations, and an ever-changing list of potential vulnerabilities. Unfortunately, the nature of software development makes that all but impossible.
The premise of developing a networking software or hardware solution is to create a profitable revenue stream or a useful utility. During development, efficient use of expensive resources (the individuals creating and testing the solution) is always top of mind. The more time it takes them to build a version suitable for release, the higher the cost for the business. Moreover, the revenue created upon release needs to cover — and hopefully exceed — additional costs such as those for facilities, support staff, sales, and marketing.
Throughout development, the primary focus of quality assurance (QA) is on functional testing — not the discovery and eradication of exploitable security vulnerabilities. A minimally viable product can, potentially, have zero security testing done upon release. After all, every week spent security testing is a week the solution is not being used functionally or creating revenue. As a result, businesses face tremendous pressure to go to market as soon as possible.
However, QA is an ongoing process. Even small code changes — such as patches or updates — require regression testing to ensure that they do not introduce new security vulnerabilities. Functional testing is much the same. QA teams must revisit all the checks that ensure that the primary function of the application is still accurate.
Ultimately, the sheer level of effort to ensure that every patch, release, and update is free of vulnerabilities is too great an expense for any company to bear. The diminishing returns do not justify the cost — even for the Fortune 100 tech companies that dedicate huge budgets and highly skilled individuals to solving this problem. That’s why you will continue to find new CVE entries for almost any software solution in existence. It is the same reason that SOC engineers will continue to trust BAS tools, such as Threat Simulator, to protect their most critical networked resources.
But applications are not the only things that change. Networks are never static — and improperly deployed infrastructure, security solutions, and applications cause plenty of breaches on their own. Even networks architected with best practices face a constant stream of adjustments based on the growth of the organization, the volume of users, and the changing needs of both groups. With multiple physical locations and cloud deployments in use, ensuring that best practices remain in place is an increasingly uphill battle.
It is surprisingly common for errant cabling to expose a protected network by unintentionally circumventing the security solutions that would otherwise scrub malicious network traffic. Unfortunately, by the time SecOps discovers a latent risk like this, most networks (and any critical data contained therein) have already been compromised.
This scenario is where BAS tools prove their worth. By continuously monitoring production networks, they can quickly discover avenues for security breaches — and ultimately help SecOps mitigate them as fast as possible. For instance, in the example above, a BAS tool would have seen that previously mitigated attacks were freely traversing into protected zones and immediately alerted the SOC to the threat.
Prove You Are Making a Measurable Impact
Every day, SecOps teams ask themselves the same question: Am I making a difference? Unfortunately, that has never been easy to answer. Measuring security means actively assessing its strengths and weaknesses. However, before the advent of BAS tools, there was never a viable way to safely attack a production network in a continuous, controlled fashion.
The last thing any security team wants to do is purchase, deploy, and manage a new tool. But when properly deployed, BAS platforms can actually help SecOps teams spend less on subsequent tools. After all, you cannot manage what you do not measure. With BAS tools, you get the insight you need to optimize your posture and validate future tool purchases.
Change is constant. New vulnerabilities will continue to spring up, and attackers will continue to exploit them. But, with the right tools in place, you can take control of an ever-changing threat landscape, maximize your security posture, and optimize your spending. With breach and attack simulation, you can be ready for whatever comes next.
Source: Keysight Technologies