Breach Attack Simulations

Many organizations conduct one third-party penetration test each year, often for compliance reasons. This is useful, but infrequent. Breach attack simulations (BAS) seek to automate penetration tests, and often run 24/7/365. The goal is to test both an organization’s preventive and detective capabilities. For example: did the automated attacks succeed (prevention: were systems compromised)? And did the SOC notice (detection)? This is a form of purple teaming, which combines red teaming (penetration testing) with blue teaming (detecting and defending against intrusions):

While red and blue team techniques have long been an important security tool, they suffer from two key disadvantages: They are highly manual and resource intensive. This means that most organizations can only run these tests episodically. This means that during the weeks or months between tests, vulnerabilities may arise undetected and defenders have little visibility into the true state of their security environment ...

By combining red and blue team techniques (a practice known as "purple teaming") and automating them, breach and attack platforms provide continuous coverage. These simulations can be run on a 24/7, 365 basis, which ensures that organizations maintain much deeper visibility into the true state of their defense readiness. This is critical, as attackers can defeat any security setup given enough time, making continuous testing the most effective way to mitigate risk [2].

Vulnerability Assessment

Vulnerability assessment (also called vulnerability scanning) scans a network or system for a list of predefined vulnerabilities such as system misconfiguration, outdated software, or a lack of patching. A vulnerability testing tool such as Nessus (https://www.tenable.com/products/nessus-vulnerability-scanner) or OpenVAS (https://www.openvas.org) may be used to identify the vulnerabilities.

We learned that Risk = Threat × Vulnerability in Chapter 2, Domain 1: Security and Risk Management. It is important to remember that vulnerability scanners only show half of the risk equation: their output must be matched to threats to map true risk. This is an important half to identify, but these tools only perform part of the total job. Many organizations fall into the trap of viewing vulnerabilities without matching them to threats, and thus do not understand or mitigate true business risk.
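The following is an added example, not code from this book or from Nessus or OpenVAS, showing how scanner findings become risk only once each is matched to a threat. The findings, hosts and threat likelihoods are constructed for illustration; note that the ranking by Risk = Threat × Vulnerability differs from the ranking by scanner severity alone, and that an unmatched finding cannot be scored at all.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    title: str            # scanner check name
    severity: float       # vulnerability severity as reported by the scanner, 0-10
    internet_facing: bool


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood_external: float  # 0-1, chance of exploitation when reachable from the internet
    likelihood_internal: float  # 0-1, chance of exploitation when reachable only internally


# Constructed sample findings, shaped like a simplified scanner export (not real scanner output).
FINDINGS = [
    Finding("web01", "Outdated OpenSSL", 7.5, True),
    Finding("db02", "Default database credentials", 9.8, False),
    Finding("ws17", "SMB signing disabled", 5.3, False),
    Finding("web01", "Missing HTTP security headers", 3.1, True),
]

# Constructed threat table keyed by finding title; in practice this mapping comes from
# threat modelling and threat intelligence, which is the half the scanner cannot supply.
THREATS = {
    "Outdated OpenSSL": Threat("Remote exploitation of a public-facing service", 0.8, 0.2),
    "Default database credentials": Threat("Lateral movement using default credentials", 0.9, 0.6),
    "SMB signing disabled": Threat("Credential relay inside the LAN", 0.5, 0.5),
}


def risk(finding, threats):
    """Risk = Threat x Vulnerability, or None when no threat has been matched to the finding."""
    threat = threats.get(finding.title)
    if threat is None:
        return None
    likelihood = threat.likelihood_external if finding.internet_facing else threat.likelihood_internal
    return round(finding.severity * likelihood, 2)


def rank(findings, threats):
    """Return (scored, unmatched): (risk, finding) pairs sorted by risk descending,
    plus findings the scanner reported that still lack a threat mapping."""
    scored, unmatched = [], []
    for finding in findings:
        score = risk(finding, threats)
        if score is None:
            unmatched.append(finding)
        else:
            scored.append((score, finding))
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return scored, unmatched
```

By severity alone db02 (9.8) would top the list; matched to threats, the internet-facing web01 finding ranks first, and the unmatched header finding is returned separately for threat analysis rather than silently scored as zero.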

Security Audits

A security audit is a test against a published standard. Organizations may be audited for PCI-DSS (Payment Card Industry Data Security Standard, discussed in Chapter 3, Domain 2: Asset Security) compliance, for example. PCI-DSS includes many required controls, such as firewalls, specific access control models, and wireless encryption. An auditor then verifies whether a site or organization meets the published standard.