Everything you wanted to know about Breach and Attack Simulation (BAS) vs. Automated Penetration Testing
Better prepared, Right!? Companies are investing a significant amount of resources in building and improving their cybersecurity posture. As the threat landscape continues to evolve and expand, this investment continues to rise dramatically. Per a report by Cybersecurity Ventures, worldwide spending on information security products and services will exceed $1 trillion between 2017-2021. While preventive and detective controls are important, validation of these controls is indispensable. Security testing is said to be one of the areas fueling this rapid growth and the sector itself could well become a $4 billion market by 2025.
Cyber needs testing like everything else
It’s simple math. Every security system with configuration nobs has a probability of human error and misconfiguration. Every application or operating system introduces vulnerabilities as it evolves. As IT networks grow and expand, the probability for misconfigurations of controls and vulnerabilities increases, as does their operational complexity.
Although CIOs and CISOs acknowledge the need for security validation, they are also requested by regulators to perform vulnerability scans and penetration tests on a regular basis by independent third parties.
A choice between two imperfect alternatives
Vulnerability assessment (VA) and management (VM) solutions are software-enabled solutions that suffer from a major drawback around prioritization of the found vulnerabilities. They present you with thousands of potential vulnerabilities, but in reality, a large percent are false alarms. Out of those “real” vulnerabilities, only 5 percent are exploitable. And out of those, only a few may lead to an attack on critical assets.
Simply said, the only way one can ascertain if a vulnerability is critical is by exploiting it and proving it’s part of a full “kill-chain”.
Service-based penetration testing does just that, testing your defenses while correlating the triage of vulnerabilities with existing exploits lacking a compensating security control. Some pen-testers indeed shine a light on major deficiencies that can be chained to a deadly attack vector. However, penetration testing as it stands today cannot scale — its expensive, talent dependent and is limited in time and scope. With these constraints, pen-tests are typically performed on a small segment of the infrastructure deemed most business-critical, leaving most of the attack surface invalidated.
The Overhype of Breach and Attack Simulation (BAS)
Breach and attack simulation (BAS) technology came to our lives three years ago with a great promise of continuous security control validation. It sounded great at the time, but early adopters found themselves with a system that adds yet another agent in the network, limits its scope to controls validation only and requires specific playbook scenarios to be maintained.
More importantly, users found themselves back in the realm of simulation.
In other words, BAS is about collecting security control data and performing offline risk modeling analysis then deducing what would happen in real-life rather than testing for it! Once again users are faced with false alarms and misguided prioritization jointed with the burden of managing yet another system. Even the modern BAS systems that send phishing emails and attempt to download payloads if opened struggle to surpass the value one can get from Checkpoint’s Checkme free utility.
If you want to test, test. Don’t simulate
True security validation is really about challenging your security from a hacker’s perspective and techniques all the way to the endpoint and ranging all your network. What if we could have a penetration test that runs fully automated with no agents, no manual playbooks, no simulations, and no false alarms? What if we could have a system that acts as a hacker and challenges everything — security controls, vulnerabilities, credentials, and privileges? What if the same system could look for passwords and credentials in shared folders and office documents?
What we’re really looking for are vulnerabilities correlated with exploits that are lacking a compensating control. We’re looking to attempt to exploit these weaknesses, at scale, without malicious intent or harm. And we need to do it at a budget that allows for a daily or weekly penetration test. Sounds like a tall order, right?
Automated pentesting goes the next step
Here is the cutting edge: technology that takes on the tall order of harnessing the power of software to perform the ethical hacker task of penetration testing at scale. This technology starts with nothing but network access and performs every action a hacker would — scanning, reconnaissance, sniffing, spoofing, cracking, (harmless) malware injection, file-less exploitation, post-exploitation, lateral movement and privilege exploitation all the way to data exfiltration.
Information security professionals’ routines are actually changing as they use this technology as frequently as a weekly pen-test. Reducing dependencies of third party consultants and focusing on the 1 percent of remediation that matters is becoming within reach.
It’s a matter of choice
It’s time for cybersecurity risk validation. Either you settle with vulnerability management, experiment with BAS or go at it with automated penetration testing. You’re better off being proactive about improving your cyber resilience rather than being target practice for any new malware that’s out there. You can have separate tools and service providers do the job or do-it-yourself with a modern pen-testing platform. The important element is to propel forward and be able to converse the security risk in business terms with upper management, receive the budgets necessary, and ride the continuous improvement curve towards cyber resilience.
Amitai Ratzon, CEO, Pcysys