Penetration Testing is dead ... Long live Breach and Attack Simulation

Stop if you have heard this before


A CISO budgets for a penetration test for their company covering all the key assets that a cybercriminal might target. This covers both internal systems and internet-facing assets.


An experienced cybersecurity company boasting a huge list of references comes in, does a penetration test, and gives a nice little report which is usually several hundred pages long.


The issues are fixed, patches are applied, and life goes on ... until a data breach happens to the company, and CISOs find themselves in the crossfire trying to figure out what went wrong.


Do not get me wrong ... penetration tests are an amazing way to find low-hanging security issues to fix, but they do not take into account the following:


  • Today’s environments are heavily DevOps driven, with hundreds of changes being made to production environments daily. A six-month-old pen test report will be obsolete in just one week!

  • Attackers and advanced malware do not care about your scope. They will compromise a non-critical system that was never pen tested (due to budgetary constraints) and use it as a stepping stone to your critical systems.

  • Cybercriminals are heavily investing in A.I. and machine learning tools to learn and automate their attacks. This means companies are under attack 24/7, not just once or twice a year.


This is why penetration tests, although a good practice, do not reflect the current threat environment in which companies find themselves.


More effective CISOs recognize this and, in addition to penetration tests, carry out red and blue team exercises in which the red team role-plays as the attacker while the blue team plays defence and tries to stop these attacks.


While these exercises are more effective than pen tests, they are manual and time-intensive and cannot be carried out continuously.


Consider Breach and Attack Simulation


Breach and Attack Simulation or BAS solutions are not there to test your systems for open ports, missing patches, and default passwords.


Instead, they mimic the path an attacker or an APT would take when trying to compromise your system. For example, placing a malicious file on your SFTP server or attempting to bypass your email and internet filtering systems to see if malware can be downloaded.


Think of it as a continuous red-and-blue exercise that is completely automated and updated with the latest attacks as soon as they appear. There is no manual resource waiting to be upskilled or trained, as the BAS solution is immediately updated with the latest techniques and attack methods.

If the BAS solution succeeds in its attack method, then it has identified an attack method that can be successfully used to compromise your environment, which requires immediate attention. You can have multiple attack scenarios running against your environment in a continuous fashion 24/7 to see where potential security loopholes might be present.


BAS solutions are the future of Cyber Defense


Automation and scale are something that cybercrime has fully embraced, with attackers offloading their common attacks onto bots that are on the job 24/7 to try and breach your defenses.

A BAS solution effectively levels the playing field and gives CISOs continuous assessments of their security controls without requiring an increase in headcount or delays between tests.

Penetration tests will (and should) continue and are a great control, but BAS fills in the gaps where these exercises fail and gives CISOs a full view of their vulnerability posture. It also has the added benefit of reducing pen test findings by proactively highlighting vulnerabilities before they are caught in a scan.


In the next part of this series, we will go over what you should look for in a BAS solution if you want it to be effective and organically fit into your security strategy.
