Validate Your Security Model

Validate Your Security Model

Amid growing threats, organizations must evaluate the holes and weaknesses in their systems

As security threats grow in complexity and scale, organizations are spending major resources to address the threats and minimize risk, including hiring top security talent and purchasing sevenfigure security solutions. But how do teams know their overall security model is working and that they are reducing the business risk?

Every organization’s security environment is dynamic and therefore, to keep up with the latest threats, must be continually evaluated. Doing so is complicated because of “vendor sprawl,” which refers to the growing number of often redundant and sometimes underused security solutions that end up in an organization’s technology stack. Businesses may be eager to address threats, but do not have the expertise necessary to decide which products will accomplish their goals.

When these disparate tools and processes overlap or leave gaps in a security model, organizations are left vulnerable to the very threats the products are designed to protect against, particularly when it comes to the increasing complex cyber threat landscape facing small and large businesses alike.

Fortunately, advances in attack simulation tools have made it possible for organizations to truly validate their security model across all solutions through continuous, automated testing.

By following a few best practices and knowing what to test for, organizations can ensure their holistic approach is truly keeping them secure.

Attack Simulation Basics

Attack simulation software mimics real-world threats to show organizations where they have gaps in their security systems and to enable them to improve their security controls and prepare incident response plans.

The simulations can include a variety of techniques and tactics that an adversary may use when compromising endpoints and applications. The testing operates under the assumption that most hackers and malicious actors are using a similar set of tools to try to penetrate networks and take advantage of either inexperienced business owners or their over-taxed IT providers, whether those are in-house or outsourced.

Attack simulations can include functions like penetration tests and vulnerability scanning, but on a more automated, non-intrusive, benign and continuous basis.

In addition to testing exploitation techniques, they can include machine learning and automation of the various steps in an attack chain, such as command and control, lateral movement and resource access and exfiltration.

Simulations can be customized to mimic threats targeting various surface areas and multi-vector attacks. Reporting and postsimulation visualization show security teams how the attacks were conducted and handled.

Building a Foundation for Attack Simulations

A good attack simulation strategy should start by covering the basic attack factors that do not change. For example, you know that at your office you have a door, lock, camera and other controls.

There are a million ways someone can break into your building, but do you need to try to stop all of them? No. You focus on controlling your environment — being able to see when someone gets in and how, and how you will be alerted so you can respond immediately.

Attack simulation tools should test what we know is true about attacks and attackers. Attackers need to get from point A to point B for a network attack. When they’re in your host system, we know they need to follow a certain path and how you can follow them.

You need to identify what attackers are going to do in any breach or other type of attack. There is a myth that most attacks are really sophisticated and complex, but in reality many attacks do the same things using the same techniques— and that’s what you can test for.

An attack simulation should cover the entire attack chain from network intrusion to system and network reconnaissance, payloads and behaviors such as creating user accounts, collecting and archiving data, encrypting data and exfiltration, as well as escalating privileges and “living off the land” to hide in plain sight with built in tools like Powershell.

Organizations should first figure out what is normal versus abnormal behavior in your network. You can’t account for all variables in a cyber attack — do the basics super well, and 9 times out of 10, you’ll be successful.

Four Ways to Validate Your Security Solutions Holistically

In order to bring your security model from zero to hero, you need to identify what tools you have and how to leverage them most effectively.

You also must be able to test all of your solutions to ensure they detect and mitigate the risk that threats pose to the network. Here are four main technology issues that attack simulation tools enable you to test for:

Misconfigurations. Organizations often have major difficulties stemming from a suite of security tools that are not configured properly. For example, many teams are so inundated with false positives that they end up turning off or ignoring their alerting from certain sources to their SIEMs.

This can lead to breaches going undetected, which increases adversary dwell time. If security teams can replicate the breaches and finetune the systems beforehand with attack simulation, they can prevent or quickly discover future attacks.

Security decay. Just as new cars lose their ability to function properly over time, security posture can suffer from efficacy decay too. Over time, as systems continue to function without being patched and new malware and exploits are developed, the systems and network security posture decays much like wear and tear on a new car.

In information security, the problem is that there’s no way to measure security posture decay, including that of software within an organization’s technology stack, unless you’re testing for it. Attack simulation tools can diagnose and prevent security decay because they allow teams to constantly test systems to ensure they are up-to-date and remain secure.

Overlap. Another vendor sprawl challenge comes from tools that duplicate capabilities. Companies end up spending resources on tools they don’t need because they can’t measure the coverage they have.

By using attack simulations, companies can see the overlap and reduce the cost of their product spend. For example, organizations can utilize the MITRE attack framework to map coverage of mitigation for attack techniques, which can show capability overlap.

Tools That Don’t Work in Your Environment

Every organization has a unique security environment they must account for. Not all tools will work effectively. Thus, it’s important to validate potential tools in your own environment before making the purchase instead of only testing them in the vendor’s lab environment.

Use attack simulations to set up your tools under normal working conditions and test common attack techniques. This is the best method of ensuring that your network is adequately prepared for the common attacks perpetrated by a growing amount of hackers operating across the globe.

For example, simulate a network attack to make sure the device can respond, whether it’s signature or anomaly-based attacks. To simulate an endpoint attack you can imitate a hacker on the box to ensure that the solution effectively blocks and responds.

Attack simulations are vital tools that can help an organization see if its security model has holes or weaknesses. But don’t wait to start testing.

Too many organizations get breached, and then find that it’s the first time they ever looked at their logs or discover that key security tools aren’t working properly. Every organization has the capability to do this – there is no such thing as “we’re not ready.” In this way, attack simulations are the great security equalizer.

This article originally appeared in the March 2020 issue of Security Today.

Featured

Featured Cybersecurity

Webinars

New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3