Why Breach & Attack Simulation is the evolution of Penetration Test

Written by: Daniel Bertoni, Diego Lorenzi, Marco Gallina

In the last few years Penetration Test activities have become a cornerstone of the data security management process within several companies. The possibility to concretely validate the strength level, especially of an IT infrastructure, against a wide range of well-known vulnerabilities significantly increases its security posture.

However, threats are growing not only in quantity, but also in quality: the exploitation of lesser known vulnerabilities, if not even of technical limits which are not countervailable in the most used software architectures, makes it necessary to validate security more and more frequently and with an enhanced focus on complex attack vectors.

These are the reasons that led to the development of modern Breach & Attack Simulation tools: these are highly automated software solutions, capable of launching realistic attacks against a network and overcoming many of the limitations of traditional Penetration Test.

A new paradigm

Breach & Attack Simulation” or BAS refers to a methodology that allows organizations to simulate a whole cyber kill-chain in their network infrastructure. The most advanced solutions allow to reach this aim with a higher, in some cases full automation. Unlike Penetration Test, which is typically performed by a human ethical hacker, automation allows BAS solutions to ensure consistent and replicable results, thus reducing both cost and time needed to perform Red Teaming activities.

It is namely the idea of Read Teaming that makes up the second key difference between Penetration Test and BAS. Penetration Test is in fact based on the approach of detecting all those vulnerabilities that could let a potential attacker gain unwanted access or privilege within an IT infrastructure. To do so, several techniques with an effective approach are attempted, in order to detect the greatest possible amount of vulnerabilities.

Specific criteria to make this activity visible to defense systems are not adopted, for the aim is a wide-ranging scan, performed on the highest possible number of assets, and often with the direct cooperation of a company’s Blue Team: this latter can therefore take action if the execution of a given attack technique causes crashes or user blocks, and it can define appropriate exclusion rules, to prevent the pentester’s activity to be identified as malevolent and hindered by the installed defense programs, such as Detection & Response solutions, albeit managed by a 24/7 SOC. A Penetration Test tends to work not so much in depth, otherwise it would be forced to interact tightly with the Blue Team, to remove all barriers that the pentester struggles to overcome after certain techniques, often effective but easily detectable by defense tools, have been launched.

BAS adopts instead the Red Team Assessment philosophy: as in a real attack scenario, the software aims to attack certain critical points, bypassing the defenses and leaving few or no trace. Network protection systems are normally kept active, so as to evaluate their effectiveness beyond the potential presence of vulnerabilities classifiable according to a CVE (Common Vulnerabilities and Exposures). Nowadays these vulnerabilities are no longer used extensively by real hackers carrying out targeted attacks.

Concretely, a lot of BAS software simulate attack scenarios which are typical of different groups of hackers, according to predetermined sequences of techniques, and they work following a logic based on the model of Fuzzy Logic, now considered ordinary. The most innovative solutions can instead perform context reasoning, based on the information they obtain, and create a dynamic scenario, emulating the behavior of an experienced attacker, sometimes even using AI and ML algorithms. The effectiveness of defense systems in the identification and neutralization of unusual behavior is the main target of validation by a BAS, which in fact restricts the range of techniques tested, selecting only those with the best chance of success, and carries out the most indirect possible checks before attempting an attack, so as to reduce the possibility of being discovered even before the start of the attack itself.

Internal, External e Breach

Everything said so far concerns in particulars aspects related to an internal activity, in which an intrusion (breach) is assumed to have taken place. In reality, the attack is often carried out externally, through a Command & Control system, which tries to establish a connection with the compromised machines within the network, in order to perform further attacks and extract sensitive data.

This last scenario is unlikely to happen with a Penetration Test: typically, in case of Internal Penetration Test the activity is namely limited to the execution of techniques from within the network, while in an External Penetration Test vulnerabilities that could lead to a breach are assessed, and not the real consequences of the breach. On the contrary, a BAS simulate a breach, testing the ability of defense mechanisms in preventing the extraction of data as well as hindering the connection of an attacker from outside.

Remediation plan and mitigation

Both Penetration Test and BAS lead to a Remediation Plan as final result, that is, a suggested action plan to mitigate the detected vulnerabilities.
As for Penetration Test, these concern in most cases bug software, outdated systems and policy to update: therefore, it is usually possible to remove precisely and almost at all the identified leaks.

In case of BAS, the main mitigation tool is represented by the installed “Detection and Response” systems, since techniques which exploit hardly monitorable and corrigible vulnerabilities are mostly performed. This can result in the necessity to adopt alternative defense solutions, which are also more suitable for the features of one’s infrastructure, or to revise the configuration of the existing features, to make them more sensitive to unusual activities, such as those carried out during a BAS.

These measures increase the defense capacity in a way which is complementary to a Penetration Test, and this is why using a BAS software will in the near future be ever-more decisive in determining the security level of an IT infrastructure.