Validate Your Security Model

Amid growing threats, organizations must evaluate the holes and weaknesses in their systems

As security threats grow in complexity and scale, organizations are spending major resources to address them and minimize risk, including hiring top security talent and purchasing seven-figure security solutions. But how do teams know their overall security model is working and that it is actually reducing business risk?

Every organization’s security environment is dynamic, so it must be continually evaluated to keep up with the latest threats. Doing so is complicated by “vendor sprawl,” the growing number of often redundant and sometimes underused security solutions that end up in an organization’s technology stack. Businesses may be eager to address threats but lack the expertise to decide which products will actually accomplish their goals.

When these disparate tools and processes overlap or leave gaps in a security model, organizations are left vulnerable to the very threats the products are designed to protect against, particularly given the increasingly complex cyber threat landscape facing small and large businesses alike.

Fortunately, advances in attack simulation tools have made it possible for organizations to validate their security model across all of their solutions through continuous, automated testing.

By following a few best practices and knowing what to test for, organizations can ensure their holistic approach is truly keeping them secure.

Attack Simulation Basics

Attack simulation software mimics real-world threats to show organizations where they have gaps in their security systems and to enable them to improve their security controls and prepare incident response plans.

The simulations can include a variety of tactics and techniques an adversary may use when compromising endpoints and applications. The testing operates on the assumption that most hackers and malicious actors use a similar set of tools to penetrate networks and to take advantage of either inexperienced business owners or their overtaxed IT providers, whether in-house or outsourced.

Attack simulations can include functions such as penetration testing and vulnerability scanning, but on a more automated, non-intrusive, benign and continuous basis.

In addition to testing exploitation techniques, they can apply machine learning and automation to the various steps of an attack chain, such as command and control, lateral movement, resource access and exfiltration.

Simulations can be customized to mimic threats against various attack surfaces and to mimic multi-vector attacks. Reporting and post-simulation visualization show security teams how the attacks were conducted and how the controls handled them.

Building a Foundation for Attack Simulations

A good attack simulation strategy should start by covering the basic attack fundamentals that do not change. For example, you know that your office has a door, a lock, a camera and other controls.

There are a million ways someone can break into your building, but do you need to try to stop all of them? No. You focus on controlling your environment: being able to see when someone gets in and how, and knowing how you will be alerted so you can respond immediately.

Attack simulation tools should test what we know to be true about attacks and attackers. An attacker needs to get from point A to point B to carry out a network attack. Once they are on a host, we know they need to follow a certain path, and we know how you can follow them.

You need to identify what attackers are going to do in any breach or other type of attack. There is a myth that most attacks are highly sophisticated and complex, but in reality many attacks do the same things using the same techniques, and that is what you can test for.

An attack simulation should cover the entire attack chain: network intrusion, system and network reconnaissance, payloads, and behaviors such as creating user accounts, collecting and archiving data, encrypting data and exfiltrating it, as well as escalating privileges and “living off the land” to hide in plain sight with built-in tools like PowerShell.

Organizations should first figure out what is normal versus abnormal behavior on their network. You can’t account for every variable in a cyber attack, so do the basics extremely well and, nine times out of ten, you’ll be successful.

Four Ways to Validate Your Security Solutions Holistically

To bring your security model from zero to hero, you need to identify what tools you have and how to use them most effectively.

You also must be able to test all of your solutions to ensure they detect and mitigate the risk that threats pose to the network. Here are the four main technology issues that attack simulation tools enable you to test for:

Misconfigurations. Organizations often have major difficulties stemming from a suite of security tools that are not configured properly. For example, many teams are so inundated with false positives that they end up turning off, or simply ignoring, the alerts that certain sources send to their SIEM.

This can lead to breaches going undetected, which increases adversary dwell time. If security teams replicate the breaches with attack simulation and fine-tune their systems beforehand, they can prevent future attacks or discover them quickly.
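To make the attack-chain and misconfiguration points concrete, here is an added example that is not from the article or from any vendor’s product. It replays a constructed chain built from the steps described earlier (encoded PowerShell, local account creation, archiving collected data, admin-share access, exfiltration over the C2 channel) as log lines against a small set of detection rules, one of which has been muted because it was too noisy. The flattened “key=value” event layout, the host names, the rule names and the rule patterns are all assumptions made for the example; the Windows event IDs and the ATT&CK technique IDs are real.

```python
"""Replay a constructed attack chain as log events and report which steps the
detection rules would have alerted on.  Added example for this article, not a
vendor's product code.  Event format and rules are assumptions."""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    technique: str        # ATT&CK technique ID the rule is meant to catch
    pattern: re.Pattern   # matched against the raw event line
    enabled: bool = True  # False = alert was muted because it was too noisy


# Constructed telemetry, one line per simulated step, in attack-chain order.
# Layout (assumed): flattened Windows Security / Sysmon fields as key=value.
SIMULATED_CHAIN = [
    ("T1059.001", "EventID=4104 Host=ws01 ScriptBlockText=powershell -nop -w hidden -enc SQBFAFgA..."),
    ("T1136.001", "EventID=4720 Host=ws01 TargetUserName=svc_backup SubjectUserName=jdoe"),
    ("T1560.001", "EventID=1 Host=ws01 Image=C:\\Tools\\7z.exe CommandLine=7z.exe a -p -mhe=on c:\\temp\\out.7z c:\\finance"),
    ("T1021.002", "EventID=5140 Host=fs01 ShareName=\\\\*\\ADMIN$ IpAddress=10.0.5.23"),
    ("T1041",     "EventID=3 Host=ws01 Image=C:\\Tools\\curl.exe DestinationIp=203.0.113.9 DestinationPort=443 Initiated=true"),
]

# Constructed rule set.  Note the muted admin-share rule and the absence of
# any rule for T1041: two different kinds of blind spot.
RULES = [
    Rule("encoded_powershell", "T1059.001", re.compile(r"EventID=4104 .*-enc\s+\S+", re.I)),
    Rule("local_account_created", "T1136.001", re.compile(r"EventID=4720\b")),
    Rule("archive_with_password", "T1560.001", re.compile(r"7z\.exe a .*-p\b", re.I)),
    # Fired constantly on backup traffic, so someone switched it off:
    Rule("admin_share_access", "T1021.002", re.compile(r"EventID=5140 .*ADMIN\$"), enabled=False),
]


def run_simulation(chain, rules):
    """Return {technique: name of the first enabled rule that fired, or None}."""
    results = {}
    for technique, event in chain:
        fired = None
        for rule in rules:
            if rule.enabled and rule.pattern.search(event):
                fired = rule.name
                break
        results[technique] = fired
    return results


def report(results, rules):
    """Classify every miss so the team knows whether to re-tune or to buy."""
    muted = {r.technique for r in rules if not r.enabled}
    summary = {"detected": [], "muted_rule": [], "no_coverage": []}
    for technique, rule_name in results.items():
        if rule_name:
            summary["detected"].append(technique)
        elif technique in muted:
            summary["muted_rule"].append(technique)
        else:
            summary["no_coverage"].append(technique)
    return summary


if __name__ == "__main__":
    res = run_simulation(SIMULATED_CHAIN, RULES)
    for tech, rule in res.items():
        print(f"{tech:10} {'DETECTED by ' + rule if rule else 'MISSED'}")
    print(report(res, RULES))
```

Running it shows three of the five steps detected, the admin-share step missed because its rule was muted (a tuning problem, which is the misconfiguration case above), and the exfiltration step missed because nothing covers it at all (a coverage problem). Separating the two kinds of miss is what turns a simulation run into an actionable list rather than a single pass/fail score.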

Security decay. Just as a new car loses its ability to function properly over time, a security posture can suffer from efficacy decay too. As systems keep running without being patched and new malware and exploits are developed, the security posture of the systems and the network decays, much like wear and tear on a car.

In information security, the problem is that there is no way to measure security posture decay, including that of the software in an organization’s technology stack, unless you are testing for it. Attack simulation tools can diagnose and prevent security decay because they let teams constantly test systems to ensure they are up to date and remain secure.

Overlap. Another vendor sprawl challenge comes from tools that duplicate capabilities. Companies end up spending resources on tools they don’t need because they cannot measure the coverage they already have.

By using attack simulations, companies can see the overlap and reduce their product spend. For example, organizations can use the MITRE ATT&CK framework to map which tools mitigate or detect which attack techniques, which shows where capabilities overlap.
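The mapping exercise just described, as an added example that is not part of the article and is not any vendor’s tooling: three hypothetical tools (“edr”, “ngfw”, “email_gw”) and the technique lists they claim to cover are constructed for the example, as is the list of techniques the simulation will exercise; the ATT&CK technique IDs themselves are real. The code reports gaps, overlap, and what each tool contributes that nothing else does.

```python
"""Map each security tool to the ATT&CK techniques it claims to cover and
compute gaps, overlap and each tool's unique contribution.  Added example
for this article; tool names and coverage claims are constructed."""
from itertools import combinations

# Techniques the simulation will exercise: the chain from the article plus
# common initial-access and credential techniques.
SIMULATED = {
    "T1566.001": "Phishing: Spearphishing Attachment",
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1003.001": "OS Credential Dumping: LSASS Memory",
    "T1078":     "Valid Accounts",
    "T1136.001": "Create Account: Local Account",
    "T1021.002": "Remote Services: SMB/Windows Admin Shares",
    "T1560.001": "Archive Collected Data: Archive via Utility",
    "T1486":     "Data Encrypted for Impact",
    "T1041":     "Exfiltration Over C2 Channel",
}

# Constructed coverage claims for three hypothetical tools (not vendor data).
TOOLS = {
    "edr":      {"T1059.001", "T1003.001", "T1136.001", "T1021.002", "T1486"},
    "ngfw":     {"T1566.001", "T1041", "T1021.002"},
    "email_gw": {"T1566.001"},
}


def coverage(tools, techniques):
    """Simulated techniques that at least one tool claims to cover."""
    claimed = {t for claims in tools.values() for t in claims}
    return claimed & set(techniques)


def gaps(tools, techniques):
    """Simulated techniques no tool claims: candidates for a new control."""
    return sorted(set(techniques) - coverage(tools, techniques))


def overlap(tools):
    """Techniques claimed by two or more tools -> the set of those tools."""
    out = {}
    for a, b in combinations(tools, 2):
        for t in tools[a] & tools[b]:
            out.setdefault(t, set()).update({a, b})
    return out


def unique_contribution(tools, techniques):
    """Per tool: techniques that would become gaps if that tool were removed."""
    full = coverage(tools, techniques)
    out = {}
    for name in tools:
        without = {k: v for k, v in tools.items() if k != name}
        out[name] = sorted(full - coverage(without, techniques))
    return out


if __name__ == "__main__":
    print("gaps:", gaps(TOOLS, SIMULATED))
    for tech, names in sorted(overlap(TOOLS).items()):
        print(f"overlap {tech}: {sorted(names)}")
    for name, only in unique_contribution(TOOLS, SIMULATED).items():
        print(f"{name}: uniquely covers {only or 'nothing'}")
```

With the constructed data, “email_gw” uniquely covers nothing, which is the overlap case the paragraph describes, and T1078 and T1560.001 are gaps no tool claims. Treat this as the starting point only: the map is built from what the tools claim, and the simulation runs are what confirm whether a claimed technique is actually blocked or alerted on in your environment.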

Tools that don’t work in your environment. Every organization has a unique security environment it must account for, and not every tool will work effectively in it. It’s important to validate potential tools in your own environment before making the purchase, rather than testing them only in the vendor’s lab environment.

Use attack simulations to set up your tools under normal working conditions and test common attack techniques. This is the best way to ensure your network is adequately prepared for the common attacks perpetrated by a growing number of hackers operating across the globe.

For example, simulate a network attack to make sure the device responds, whether its detection is signature-based or anomaly-based. To simulate an endpoint attack, imitate a hacker on the box to ensure the solution effectively blocks and responds.

Attack simulations are vital tools that can help an organization see if its security model has holes or weaknesses. But don’t wait to start testing.

Too many organizations get breached and then find that it’s the first time they have ever looked at their logs, or discover that key security tools aren’t working properly. Every organization has the capability to do this; there is no such thing as “we’re not ready.” In this way, attack simulations are the great security equalizer.

This article originally appeared in the March 2020 issue of Security Today.
