Not all security teams are born equal. Each organization has a different objective.
In cybersecurity, adopting a proactive approach is not just a buzzword. It actually is what makes the difference between staying behind attackers and getting ahead of them. And the solutions to do that do exist!
Most attacks succeed by taking advantage of common failures in their target's systems. Whether new or old, known or unknown, attacks leverage security gaps such as unpatched or uncharted vulnerabilities, misconfigurations, out-of-date systems, expired certificates, human errors, etc.
As attackers rely on a range of automated offensive testing tools to scan their targets’ attack surfaces and propagate inside their network, a purely reactive defensive stance based on detection and response is increasingly likely to be overwhelmed by an attack.
The logical tactical move is to emulate attackers’ TTPs and behaviors beforehand by integrating attack simulation tools to continuously validate the impermeability of the attack surface as a whole, the efficacy of security controls, as well as access management and segmentation policies, etc.
As cyber attackers typically move on to the next target when they meet a challenge, organizations that have already implemented proactive tools and processes benefit twice. Run-of-the-mill cyber attackers are frustrated and deterred, and attackers targeting them specifically have to work much harder to find a way in without detection and progress unimpeded within the network.
These organizations’ mature, forward-looking cyber security thinking puts them ahead of the curve in terms of impregnability.
Practically, there are different angles from which to look at and integrate attack simulation tools, and the angle varies depending on your objectives, for example:
► Boosting prevention capabilities
► Strengthening Detection and Response
Running automated recon attacks shores up your attack surface management procedure by uncovering all exposed assets, including long-forgotten or clandestinely added shadow IT, while integrating continuous outside-in attack simulation capabilities with your SIEM/SOAR tool stack shines a bright light on its limits and flaws. By granularly comparing the progression of simulated attacks launched with the proportion of those detected and stopped, it gives a clear, comprehensive picture of the detection and response array’s actual efficacy.
With a detailed map of security gaps and capability redundancies, rationalizing the tool stack by implementing recommended tool configuration fixes and eliminating redundant tools positively impacts detection and response and, as a bonus, prevents environmental drift.
Once integrated, these capabilities can also be used to run in-house Incident Response exercises with minimal preparation required and at zero extra cost.
► Customizing risk management
Incorporating security validation into organizational risk management and GRC procedures, and providing continuous security assurance accordingly, might require some customization of the available off-the-shelf attack scenarios that validate the security controls and of the outside-in attack campaigns.
A Purple Teaming Framework with template attacks and modulable widgets to facilitate ad hoc attack mapping saves red teams hours of grunt work, maximizing the use of in-house red teams and accelerating the scaling up of their operations without requiring additional resources.
When starting from zero in-house adversarial capabilities, the recommended progression to integrate security validation solutions is to:
1 — Add security control validation capabilities
Tightening security controls configuration is a crucial element of preventing an attacker who gained an initial foothold in your system from propagating through your network. It also provides some protection against zero-day attacks and some vulnerabilities that take advantage of misconfigurations or leverage security gaps found in vendors’ default configurations.
2 — Integrate with SIEM/SOAR and verify SOC procedures’ efficacy
As mentioned in the “Strengthening Detection and Response” section above, integrating security validation solutions with your SIEM/SOAR array streamlines its efficacy and improves security. The data produced can also be used to optimize the people and process aspects of the SOC by ensuring that the team’s time is focused on the tasks with the highest impact instead of investing their best energy in protecting low-value assets.
3 — Prioritize remediation
Operationalizing the remediation guidance included in the data collected in steps 1 and 2 should be correlated with the attack likelihood and impact factors associated with each uncovered security gap. Integrating the results of the simulated attacks in the vulnerability prioritization process is key to streamlining the process and maximizing the positive impact of each mitigation performed.
4 — Verify the enforcement of segmentation policies and hygiene
Running end-to-end attack scenarios maps the attack route and identifies where segmentation gaps allow attackers to propagate through your network and achieve their goals.
5 — Evaluate the overall breach feasibility
Run recon and end-to-end outside-in attack campaigns to validate how a cyber attacker could progress through your environment, from gaining access all the way to exfiltrating the crown jewels.
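The five steps above all feed one data set: which simulated attack steps a control prevented, which the SIEM/SOAR detected, and how much the targeted asset matters. The script below is an added example, not code from the article or from Cymulate, showing how a defender can turn such campaign output into the two products the steps call for: the per-control efficacy picture from the "Strengthening Detection and Response" section and the likelihood-times-impact remediation ranking from step 3. The campaign results, the control names and the scoring rule (unprevented and undetected = 1.0, unprevented but detected = 0.5, prevented = 0) are all constructed assumptions for illustration.

```python
"""Score security controls and rank remediation from simulated-attack results.

Added example (not the article's or Cymulate's code). All results below are
constructed; the likelihood weights are an assumed, simplified scoring rule.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    technique: str      # label of the simulated attack step (constructed)
    control: str        # security control expected to stop or see the step
    asset_impact: int   # business impact of the target asset, 1 (low) to 5 (crown jewels)
    prevented: bool     # the control blocked the step
    detected: bool      # the SIEM/SOAR raised an alert for the step


# Constructed output of one end-to-end simulated campaign (assumed, not real data).
SAMPLE_RESULTS = [
    SimResult("phishing-payload-delivery", "email-gateway", 3, True, True),
    SimResult("macro-execution", "endpoint-epp", 3, False, True),
    SimResult("credential-dumping", "endpoint-edr", 4, False, False),
    SimResult("lateral-movement-smb", "network-segmentation", 5, False, False),
    SimResult("lateral-movement-rdp", "network-segmentation", 5, True, True),
    SimResult("data-exfil-https", "web-proxy", 5, False, True),
]


def control_efficacy(results):
    """Per control: fraction of launched steps it prevented and fraction detected."""
    totals = {}
    for r in results:
        n_prev_det = totals.setdefault(r.control, [0, 0, 0])
        n_prev_det[0] += 1
        n_prev_det[1] += int(r.prevented)
        n_prev_det[2] += int(r.detected)
    return {
        control: {"prevented": p / n, "detected": d / n}
        for control, (n, p, d) in totals.items()
    }


def gap_likelihood(r):
    """Assumed likelihood weight: a step nobody stopped or saw is the most exploitable gap."""
    if r.prevented:
        return 0.0
    return 0.5 if r.detected else 1.0


def prioritize(results):
    """Rank open gaps by likelihood x asset impact, highest first (prevented steps drop out)."""
    scored = [(gap_likelihood(r) * r.asset_impact, r) for r in results]
    open_gaps = [(score, r) for score, r in scored if score > 0]
    open_gaps.sort(key=lambda sr: (-sr[0], sr[1].technique))
    return [(r.technique, r.control, score) for score, r in open_gaps]


if __name__ == "__main__":
    for control, eff in control_efficacy(SAMPLE_RESULTS).items():
        print(f"{control:22s} prevented={eff['prevented']:.0%} detected={eff['detected']:.0%}")
    print("\nremediation order (technique, control, score):")
    for row in prioritize(SAMPLE_RESULTS):
        print("  ", row)
```

With the constructed data the segmentation control scores 50% on both axes, and the ranking puts the undetected SMB lateral-movement gap on the crown-jewel asset first, ahead of the credential-dumping gap, even though both were equally unprotected, because the asset impact differs. Swapping in real campaign exports and the organization's own impact scale is the only change needed to use the same logic in step 3.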
Typically, forward-thinking organizations already try to control their fate by adopting a proactive approach towards cyber security where they leverage breach and attack simulation and attack surface management to identify gaps in advance. Usually, they would begin the journey with the goal of prevention – making sure they fine-tune all security controls and maximize their effectiveness against known and immediate threats. The next step would be running SOC and incident response exercises to make sure nothing goes undetected, moving onwards to vulnerability patching prioritization.
Most mature enterprises with plenty of resources are also interested in automating, customizing, and scaling up their red team activities.
The bottom line is that when you are looking at incorporating a continuous threat exposure management program, you are likely to find many different point solutions, but eventually, regardless of the particular objective of each team, as in real life, it is best to find a partner with whom you can scale up.
Note — This article is written and contributed by Ben Zilberman, Product Marketing Director at Cymulate.