Setting the Record Straight on Breach and Attack Simulation, Purple Teaming and Continuous Security Validation

As a twenty-plus year cybersecurity professional I can count on a single hand the times I had to respond to a vendor who made crazy, unsubstantiated claims. As practitioner in Breach and Attack Simulation (BAS) and Purple Teaming, I wanted to counter some really misleading “marketecture” that I heard another vendor make. I am going to take the high road and not call that vendor out by name and set the record straight by giving my experience with specifically the Cymulate Continuous Security Validation Platform that includes BAS and Purple Teaming solution.

 

What is Cymulate Breach and Attack Simulation?

BAS is using real world exploits and techniques along the entire kill chain to test enterprise environments real security controls, environments, and people. By doing such you get the most accurate picture of how the enterprise would respond to a real attack. Starting with reconnaissance these solutions moving onto mail, web, application reverse proxying and spear fishing techniques. Then it moves through endpoint, escalation, and lateral movement. Ending in data exfiltration. All along the way results come from the enterprises’ real security control interactions with the attacks and follow the entire kill chain from beginning to end and include pre-, during and post-execution. These solutions can be set up to run in a continuous security validation fashion where the results are more than scores but are also trends over time. This is how you assess how changes to your environment, vulnerabilities and new threats effect your enterprise. This prevents lateral drift and includes almost daily updates by our researchers with the latest threat intelligence information, attacks and behaviors. It also by design comes with very prescriptive remediation information that can be used to fix any gaps that are found. It also comes with executive level reporting so that the business decision-makers can clearly understand, measure and explain risk as well as to see the value they are getting out of their existing security controls and processes. These same BAS techniques that can be run in a continuous security validation fashion can be used and further customized by red and blue teams for purple teaming exercises. BAS is used to validate and optimize existing and new security controls, incident response plans and to help shore-up the skill set of your individuals. For the business decision-maker, there is a clear-cut capability to see the value of one’s security spend, to quantify, measure and convey risk.

 

Cymulate BAS Negates the Need for Emulation

We have seen people extol the concept of using emulation solutions and that somehow this is better than BAS. In emulation, real attacks are run in isolated environments on vendor not enterprise-controlled instances. These emulations are resource intensive to configure and maintain and are not the real enterprise environment they portend. They may also be restricted by limitations run by the vendor. It means you have no real idea if your real security controls, environment and instances are configured correctly and how they would truly respond. The importance of BAS is it is run in the real environment with real attack simulations and actual results. This allows to be automated, fast, comprehensive with accessible results. Also, if a customer wants emulated versus real environment it is possible to set up with BAS by using any virtualization and isolation technology already in use by the organization. This also means you are using a virtualization and isolation technology you and your staff are already familiar with and do not have any vendor-imposed restrictions. A robust BAS solution has no need for this. The scenario (AKA the attack simulations) themselves are restricted in a way they do not hurt anything. They are very much real attacks, simply constrained to avoid disruptions. Cymulate can show the veracity of our attacks proving that they are identical to techniques used by threat actors.

 

Cymulate BAS Works Across the Entire Kill-Chain, Works Pre-, During and Post-Exploit and Ties into All of Your Security Controls and Beyond

To be the most comprehensive and effective, BAS does four things very well.

1. It works across the entire kill chain. Starting with reconnaissance BAS looks at real-world data from darknet and OSINT (Open-Source Intelligence) to pull in data that it can find in the wild about your enterprise. Attacks are orchestrated to hit your perimeter whether via spear phishing through your email and web gateways and even by performing direct assaults on applications even when protected by reverse proxies. Then the attack is tested on your endpoints as well. Then the lateral movement is attempted to spread the attack further and finally data exfiltration tests your DLP (Data Loss Prevention) and outbound capabilities.
2. It works pre-, during and post-exploit. Since techniques and attacks begin and propagate as described above. BAS covers the entire kill chain it works from the very beginning of the attack far before, during and post- exploit.
3. It integrates and works with the widest array of security controls possible as well as provides you modules that can scan real world reconnaissance and launch spearfishing campaigns to test your enterprises staff.
4. It provides excellent customization. The platform is an open framework for the creation and automation of custom attack scenarios. Leveraging the MITRE ATT&CK® framework extensively, enabling security teams to create both simple and complex scenarios from pre-built resources and custom binaries and executions. These can be used to exercise IR playbooks, pro-active threat hunting and to automate security assurance procedures and health checks.

Cymulate BAS is Constantly Being Updated and Backed by Real-Time Threat data and Breach Intelligence

One of the biggest things a BAS vendor like us provide is a dedicated research team and white hackers providing often daily updates on real world, current TTPs. It is the only way enterprises can clearly see if they are vulnerable to these real-world attacks, capabilities, and techniques. Clearly explained, mapped to the MITRE ATT&CK® framework, and run, the module provides the broadest coverage, chaining various actor techniques to safely target the various attack vectors from email, web, endpoint, and other vectors. The attacks include all the steps and variations comprehensively tested. Beyond this there are times where our research team finds new ways to deliver or execute techniques seen in the wild and in some cases even brand-new vulnerabilities and exploit techniques unrelated to anything seen before.

 

Continuous Monitoring and Protection Against Environmental Drift

Just as attackers and their attacks change daily, so do enterprises. With a single playbook and a few mouse clicks Cymulate platform can push out thousands of new images, configurations, and even whole new environments with a click. Thousands of vulnerabilities are discovered daily, third parties as a service or in other ways tie into our enterprises. It is the reason as seen in our 2020 Yearly Cymulate Usage Report[1] showed that all Cymulate customers ran simulations daily. It is a critical capability. Adding our inclusion of prescriptive, technical and executive reports our customers’ security controls, incident response plans and people are optimized. Risk is lowered and they are more secure.

Is Anything Missing in BAS?

As I said earlier, I wrote this in the context of my experience with Cymulate BAS. We have spent a lot of time working on the platform to make it as comprehensive yet simple to use as possible. The fact we cover the entire kill chain, include pre-, during and post-exploit, include reconnaissance, lateral movement, anti-phishing campaigns and are so integrated into thousands of security controls, run in a continuous security validation perspective, and even include automated purple teaming sets us apart from most.

I hope you have found this blog constructive and insightful. I do not swipe at other vendors but tells you what I know and hope you will do your due diligence and homework to accurately get a full picture of the terrain.