Validate Your Security Model
Amid growing threats, organizations must evaluate the holes and weaknesses in their systems
- By Marcus Carey
- Mar 01, 2020
As security threats grow in complexity and scale, organizations are spending major resources to address the threats and minimize risk, including hiring top security talent and purchasing seven-figure security solutions. But how do teams know their overall security model is working and that they are reducing the business risk?
Every organization’s security environment is dynamic and therefore, to keep up with the latest threats, must be continually evaluated. Doing so is complicated by “vendor sprawl,” the growing number of often redundant and sometimes underused security solutions that end up in an organization’s technology stack. Businesses may be eager to address threats, but do not have the expertise necessary to decide which products will accomplish their goals.
When these disparate tools and processes overlap or leave gaps in a security model, organizations are left vulnerable to the very threats the products are designed to protect against, particularly given the increasingly complex cyber threat landscape facing small and large businesses alike.
Fortunately, advances in attack simulation tools have made it possible for organizations to truly validate their security model across all solutions through continuous, automated testing. By following a few best practices and knowing what to test for, organizations can ensure their holistic approach is truly keeping them secure.
Attack Simulation Basics
Attack simulation software mimics real-world threats to show organizations where they have gaps in their security systems and to enable them to improve their security controls and prepare incident response plans.

The simulations can include a variety of techniques and tactics that an adversary may use when compromising endpoints and applications. The testing operates under the assumption that most hackers and malicious actors are using a similar set of tools to try to penetrate networks and take advantage of either inexperienced business owners or their over-taxed IT providers, whether those are in-house or outsourced.

Attack simulations can include functions like penetration tests and vulnerability scanning, but on a more automated, non-intrusive, benign and continuous basis.

In addition to testing exploitation techniques, they can include machine learning and automation of the various steps in an attack chain, such as command and control, lateral movement, resource access and exfiltration.

Simulations can be customized to mimic threats targeting various surface areas and multi-vector attacks. Reporting and post-simulation visualization show security teams how the attacks were conducted and handled.
Building a Foundation for Attack Simulations
A good attack simulation strategy should start by covering the basic attack factors that do not change. For example, you know that at your office you have a door, lock, camera and other controls. There are a million ways someone can break into your building, but do you need to try to stop all of them? No. You focus on controlling your environment — being able to see when someone gets in and how, and how you will be alerted so you can respond immediately.

Attack simulation tools should test what we know is true about attacks and attackers. Attackers need to get from point A to point B for a network attack. Once they are inside a host, we know the path they need to follow, and therefore how you can follow them.

You need to identify what attackers are going to do in any breach or other type of attack. There is a myth that most attacks are really sophisticated and complex, but in reality many attacks do the same things using the same techniques — and that’s what you can test for.

An attack simulation should cover the entire attack chain: network intrusion, system and network reconnaissance, payloads and behaviors such as creating user accounts, collecting and archiving data, encrypting data and exfiltration, as well as escalating privileges and “living off the land” to hide in plain sight with built-in tools like PowerShell.

Organizations should first figure out what is normal versus abnormal behavior in their network. You can’t account for all variables in a cyber attack — do the basics super well, and 9 times out of 10, you’ll be successful.
Four Ways to Validate Your Security Solutions Holistically
In order to bring your security model from zero to hero, you need to identify what tools you have and how to leverage them most effectively. You also must be able to test all of your solutions to ensure they detect and mitigate the risk that threats pose to the network. Here are four main technology issues that attack simulation tools enable you to test for:
Misconfigurations. Organizations often have major difficulties stemming from a suite of security tools that are not configured properly. For example, many teams are so inundated with false positives that they end up turning off or ignoring the alerting from certain sources to their SIEMs. This can lead to breaches going undetected, which increases adversary dwell time. If security teams can replicate the breaches and fine-tune the systems beforehand with attack simulation, they can prevent or quickly discover future attacks.

Security decay. Just as new cars lose their ability to function properly over time, security posture can suffer from efficacy decay too. Over time, as systems continue to function without being patched and new malware and exploits are developed, the system and network security posture decays much like wear and tear on a new car.

In information security, the problem is that there’s no way to measure security posture decay, including that of software within an organization’s technology stack, unless you’re testing for it. Attack simulation tools can diagnose and prevent security decay because they allow teams to constantly test systems to ensure they are up-to-date and remain secure.
Overlap. Another vendor sprawl challenge comes from tools that duplicate capabilities. Companies end up spending resources on tools they don’t need because they can’t measure the coverage they have. By using attack simulations, companies can see the overlap and reduce the cost of their product spend. For example, organizations can use the MITRE ATT&CK framework to map coverage of mitigation for attack techniques, which can show capability overlap.
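One way to turn simulation results into the coverage map this paragraph describes, as an added example that is not code from the article or from any simulation product: the script below inverts a constructed tool-to-ATT&CK-technique inventory to find claimed overlap, checks it against a constructed set of simulation alerts to separate confirmed overlap from outright gaps, and flags any tool that stayed silent on every technique it claims, which is the disabled-alert-source misconfiguration described under Misconfigurations above. The tool names, their claimed coverage and the alert results are all assumptions; the technique IDs are real ATT&CK identifiers chosen to match the attack chain listed earlier in the article.

```python
from collections import defaultdict

# Constructed inventory (not from the article): tool name -> MITRE ATT&CK
# technique IDs the vendor claims to detect or block. The technique IDs are
# real ATT&CK identifiers chosen to match the attack chain the article lists
# (network reconnaissance, PowerShell living off the land, account creation,
# privilege escalation, archiving collected data, lateral movement over RDP,
# encrypting data, exfiltration over C2); the tools and claims are made up.
CLAIMED_COVERAGE = {
    "edr":  {"T1059.001", "T1136.001", "T1068", "T1560.001"},
    "ngav": {"T1059.001", "T1068", "T1486"},
    "nids": {"T1046", "T1021.001", "T1041"},
    "siem": {"T1059.001", "T1136.001", "T1021.001", "T1041", "T1486"},
}

# Constructed results of one simulation run: technique ID -> tools that
# actually raised an alert when that step was executed against the lab host.
SIMULATION_ALERTS = {
    "T1046":     {"nids"},
    "T1059.001": {"edr", "ngav"},
    "T1136.001": {"edr"},
    "T1068":     {"edr", "ngav"},
    "T1560.001": set(),
    "T1021.001": {"nids"},
    "T1486":     {"ngav"},
    "T1041":     set(),
}


def _group_by_technique(mapping):
    """Invert {tool: techniques} into {technique: sorted tools}."""
    by_technique = defaultdict(set)
    for tool, techniques in mapping.items():
        for technique in techniques:
            by_technique[technique].add(tool)
    return {t: sorted(tools) for t, tools in by_technique.items()}


def claimed_overlap(claimed):
    """Techniques two or more tools claim: the vendor-sprawl candidates."""
    return {t: tools for t, tools in _group_by_technique(claimed).items()
            if len(tools) > 1}


def confirmed_overlap(alerts):
    """Techniques two or more tools actually caught in the simulation run."""
    return {t: sorted(tools) for t, tools in alerts.items() if len(tools) > 1}


def gaps(alerts):
    """Simulated techniques that no tool detected at all."""
    return sorted(t for t, tools in alerts.items() if not tools)


def silent_claims(claimed, alerts):
    """tool -> claimed techniques the tool stayed silent on during the run."""
    silent = defaultdict(list)
    for technique, alerting in alerts.items():
        for tool, techniques in claimed.items():
            if technique in techniques and tool not in alerting:
                silent[tool].append(technique)
    return {tool: sorted(ts) for tool, ts in silent.items()}


def never_alerted(claimed, alerts):
    """Tools silent on every claimed technique that was exercised.

    A tool here is the likely misconfiguration case (alert source disabled or
    ignored) rather than a tuning problem on a single technique.
    """
    silent = silent_claims(claimed, alerts)
    exercised = set(alerts)
    return sorted(tool for tool, techniques in claimed.items()
                  if techniques & exercised
                  and set(silent.get(tool, [])) == techniques & exercised)


def report(claimed=CLAIMED_COVERAGE, alerts=SIMULATION_ALERTS):
    """Summarize one simulation run against the claimed coverage map."""
    return {
        "gaps": gaps(alerts),
        "never_alerted": never_alerted(claimed, alerts),
        "silent_claims": silent_claims(claimed, alerts),
        "claimed_overlap": claimed_overlap(claimed),
        "confirmed_overlap": confirmed_overlap(alerts),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the constructed data the run reports T1041 and T1560.001 as gaps and the SIEM as the one tool that never alerted; only two of the six claimed overlaps are confirmed by the run, and the confirmed figure is the one to use when deciding which duplicate tool is actually redundant.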
Tools that don’t work in your environment. Every organization has a unique security environment it must account for. Not all tools will work effectively. Thus, it’s important to validate potential tools in your own environment before making the purchase instead of only testing them in the vendor’s lab environment.

Use attack simulations to set up your tools under normal working conditions and test common attack techniques. This is the best method of ensuring that your network is adequately prepared for the common attacks perpetrated by a growing number of hackers operating across the globe.
For example, simulate a network attack to make sure the device can respond, whether its detection is signature-based or anomaly-based. To simulate an endpoint attack, you can imitate a hacker on the box to ensure that the solution effectively blocks and responds.
Attack simulations are vital tools that can help an organization see if its security model has holes or weaknesses. But don’t wait to start testing.

Too many organizations get breached, and then find that it’s the first time they ever looked at their logs or discover that key security tools aren’t working properly. Every organization has the capability to do this – there is no such thing as “we’re not ready.” In this way, attack simulations are the great security equalizer.
This article originally appeared in the March 2020 issue of Security Today.