In recent years, more and more providers of so-called Breach and Attack Simulation platforms have emerged in the market. In 2017, Gartner included Breach and Attack Simulation as a new category in the “Hype Cycle for Threat-Facing Technologies” and even attested that Breach and Attack Simulation has the potential to become mainstream within the next 10 years. Some even speak of a technological revolution that will fundamentally change the way companies analyze their security status in the future.
In this blog article I would like to answer the following questions about Breach and Attack Simulation:
- What is behind this new technology?
- What problems does BAS try to solve?
- For which companies are BAS solutions particularly suitable?
- Which solutions are on the market and how do they differ from each other?
- How does Breach and Attack Simulation relate to classical penetration testing of enterprise networks?
So, here we go!
What is Breach and Attack Simulation?
Breach and Attack Simulation is a new way of testing IT security efforts that mimics real-world attack actions to determine if the company’s various security measures actually serve their purpose. There are three different types of BAS solutions:
Agent-based BAS solutions
Agent-based solutions are the simplest form of BAS. Agents are deployed across the LAN and vulnerabilities are identified to determine which routes are open to a potential attacker to move around the network. An agent-based BAS solution is very similar to vulnerability scanning, but offers much more context.
BAS solutions based on “malicious” traffic
These BAS solutions generate intrusive traffic within the network between dedicated virtual machines that serve as targets for a wide range of attack scenarios. An overview is then created of which events have not been detected and blocked by the company’s own security controls. As with agent-based BAS solutions, you get information about how an attacker could move once inside the network.
Cloud-based BAS solutions
BAS solutions that are cloud-based are the closest to a real attack. They simulate numerous attack scenarios from the outside via different entry points (so-called multi-vector attacks) and thus also test the company’s network perimeter. The cloud platforms are fed with the latest threats from a wide variety of sources and are therefore always very up-to-date. Being SaaS solutions, they can be implemented very quickly.
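The “overview of which events have not been detected and blocked” that the traffic-based solutions above produce is essentially a reconciliation of the simulator’s own observations against the alerts the security controls raised. The following is an added example of that reconciliation, not code from any of the products discussed; the data classes, scenario names, alert sources and the five-minute correlation window are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Simulation:
    scenario: str       # technique the traffic between two target VMs imitates
    started: datetime   # when the simulator sent the traffic
    blocked: bool       # True if the receiving VM never saw the payload

@dataclass
class Alert:
    source: str         # control that raised it (constructed names)
    time: datetime
    scenario: str       # scenario the alerting rule is mapped to

T0 = datetime(2024, 3, 1, 9, 0)
# Constructed run of four scenarios played between the target VMs.
SIMULATIONS = [
    Simulation("smb-lateral-movement", T0, blocked=False),
    Simulation("dns-exfiltration", T0 + timedelta(minutes=1), blocked=False),
    Simulation("malware-download", T0 + timedelta(minutes=2), blocked=True),
    Simulation("credential-dump", T0 + timedelta(minutes=3), blocked=False),
]
# Constructed SIEM alerts; the IDS alert is mapped correctly but fires hours late.
ALERTS = [
    Alert("edr", T0 + timedelta(seconds=20), "smb-lateral-movement"),
    Alert("proxy", T0 + timedelta(minutes=2, seconds=5), "malware-download"),
    Alert("ids", T0 + timedelta(hours=3), "dns-exfiltration"),
]

def detected(sim, alerts, window=timedelta(minutes=5)):
    """An alert counts only if it maps to the scenario and lands inside the window."""
    return any(a.scenario == sim.scenario and sim.started <= a.time <= sim.started + window
               for a in alerts)

def reconcile(sims, alerts, window=timedelta(minutes=5)):
    """Bucket every simulation by prevention (blocked) and detection (alerted) outcome."""
    report = {"blocked+detected": [], "blocked only": [], "detected only": [], "gap": []}
    for sim in sims:
        det = detected(sim, alerts, window)
        key = ("blocked+detected" if sim.blocked and det else
               "blocked only" if sim.blocked else
               "detected only" if det else "gap")
        report[key].append(sim.scenario)
    return report

def coverage(report):
    """Share of scenarios that were stopped or at least seen by a control."""
    total = sum(len(v) for v in report.values())
    return 1 - len(report["gap"]) / total if total else 0.0
```

With this constructed data, reconcile(SIMULATIONS, ALERTS) places dns-exfiltration (alerted only hours later) and credential-dump (never alerted) in the gap bucket, giving a coverage of 50%.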
What problems do BAS tools attempt to solve?
BAS solutions give companies an answer to the question “Do our cybersecurity programs really work?” Large companies invest heavily in security products, but still do not have the confidence that they can withstand increasingly sophisticated attacks. For financial and practical reasons it is also not possible to test entire enterprise production environments permanently and manually for security vulnerabilities. Breach and Attack Simulation fills exactly this gap and allows companies to get more out of their existing security solutions by enabling continuous testing of the enterprise network at low risk.
For which companies are BAS solutions suitable?
If you have a look around the BAS market, you will find that many offers are tailored to large enterprise customers with high security requirements, such as financial institutions and insurance companies. It is not surprising that Breach and Attack Simulation is especially interesting for this kind of company. They typically have numerous security products in use, a dynamic IT landscape and a high level of IT maturity. In addition, there are high demands on IT security and high compliance pressure. High-end solutions like Breach and Attack Simulation are predestined for this environment.
However, there is also the possibility for smaller companies to use BAS technology. Some solution providers have made their BAS tools multi-tenant ready so that smaller companies can also benefit from them via partner companies.
Which products are on the market and how do they differ from each other?
In the still very young BAS market, a number of companies and start-ups, mainly from Israel and the USA, are thriving. In the following I would like to introduce some selected solution providers:
SafeBreach was founded in 2014 in Tel Aviv and is therefore one of the “older” players on the market. SafeBreach describes their product as a Continuous Security Validating Platform, which takes over the role of a virtual ethical hacker. The platform consists of two components: the cloud management console and on-premise virtual machines called “Breach Simulators”, which play so-called “War Games” among each other. SafeBreach’s solution is in fact based on “malicious” traffic that flows between the Breach Simulators themselves and the cloud.
SafeBreach is the pioneer in the BAS industry and now has an extensive “Hacker’s Playbook” with thousands of attack methods, which is constantly updated by the SafeBreach Lab.
Cymulate was also founded in Israel, in 2016. In 2018, Cymulate was named a “Cool Vendor” by Gartner and is probably the platform in the BAS market that gets the biggest hype. Among its successes, Cymulate has raised considerable amounts of funds from well-known venture capitalists. Cymulate advertises particularly easy deployment and operation. Only a single agent is required in the network itself. The platform offers numerous attack vectors (e-mail gateway, web gateway, web application firewall, lateral movement, data loss prevention and endpoint security control) and can therefore simulate an Advanced Persistent Threat (APT). The integrations with other security products, such as vulnerability management, SIEM and EDR solutions, are a strong point. Cymulate is very pricey. Currently, the 7-Vector bundle costs 7000 USD per month via the AWS Marketplace. However, there is also a light version with fewer attack vectors available. On YouTube, you can get a good impression of the platform.
XM Cyber (Israel)
XM Cyber is in my opinion another notable player in the BAS market. Since its foundation in 2016 by top leaders of the Israeli cyber intelligence community, the company has gained some attention and is currently expanding globally. The HaXM platform is relatively easy to roll out. A lightweight software agent must be installed on all critical assets, and the platform itself is delivered as Software-as-a-Service. For very security-conscious companies, the solution can also be set up on-premise. The simulations are performed in three steps:
- First, all critical assets are selected
- Secondly, attacks are simulated and all attack vectors to critical assets are revealed (this is done very clearly in the platform’s “Battle Ground” dialogue box)
- Lastly, detailed remediation reports and security evaluations can be exported
This 3-minute demo of XM Cyber gives a very good impression of the platform and shows the impressive user interface.
How does Breach and Attack Simulation relate to manual penetration testing?
The interesting question remains whether Breach and Attack Simulation can replace traditional penetration testing of networks in the future. Currently, the market adoption of Breach and Attack Simulation is not very widespread. As a penetration tester, I believe that you will not have to fear for your job any time soon. In addition, compliance requirements still demand the conducting of classic penetration tests. Last but not least, Breach and Attack Simulation is also a question of your budget – many small and medium-sized companies are already struggling to invest in a small penetration test, so it is quite doubtful if these companies will invest in an expensive BAS solution.
Some BAS tools on the market only offer attack scenarios that do not include exploits and should therefore be supplemented with manual pentesting in case of doubt. It should not be forgotten that a simulation remains a simulation and collected data is analyzed externally to determine what would happen in reality. This increases the probability of false positives and false negatives.
Despite the obstacles that BAS solution providers still have to overcome, I am very confident that Breach and Attack Simulation will, as it matures, greatly reduce the need for traditional network pentesting. With good BAS solutions, it is possible to “execute” exploits that cannot cause any damage. A conscientious pentester would not even address such exploits with typical pentesting tools, because there is always the danger of damaging the customer environment. In addition, Breach and Attack Simulation provides consistent results regardless of a person’s abilities, continuously and not just as a snapshot. I am very confident that soon there will be pentest-as-a-service offerings powered by Breach and Attack Simulation that will be available to organizations of all sizes.
It is worth keeping an eye on the developments on the BAS market. In the future, the importance of BAS solutions will most likely increase significantly. In my opinion, Breach and Attack Simulation has the potential to become a viable alternative to classical Network Penetration Testing with increasing technological maturity and decreasing costs.