Sponsored Stop me if you’ve heard this before, but something appears to be amiss with cybersecurity. The spectacular success of ransomware is only the latest and worst example, a phenomenon in which small groups of often barely technically literate attackers ransack some of the biggest and best resourced companies on earth for easy money.
Tens of millions of dollars head out the door every day in this dystopia and yet it is becoming a quickly forgotten blur. Most industries would have folded with this record of failure and yet, on the contrary, cybersecurity is booming. Ironically, as the attack earlier in 2021 on FireEye shows, even security companies full of elite white hats can’t stop the bad people.
Is it that the cybersecurity kit doesn’t work or that the people deploying it inside organizations don’t know how to use it? Either explanation is plausible but there’s a third possibility – networks are inherently complex, getting more so, and change so much every day that things that were working yesterday end up being fumbled.
One company that subscribes to a version of the complexity thesis is Keysight Technologies, a $4bn-turnover company that was spun out of Agilent in 2014. Multiple acquisitions later and in early 2020 it released Threat Simulator, a SaaS- based tool which competes in an intriguing new sector, Breach and Attack Simulation (BAS).
A BAS tool lets you step away from the defender’s view of the network that you normally have and assume the hacker’s view of the network. The defender just sees the attacks he’s stopping; the attacker sees the attacks he’s not.
The principle behind BAS tools is simple enough: if many cybersecurity weaknesses are caused by error and misconfiguration - and it's near impossible to detect all those issues, even if you're looking for them – one answer is to make them visible through continuous testing.
But what does continuous mean in this context? And how do you look for something when the haystack is as big as your entire security footprint? The philosophy of BAS tools is that you simulate what real attacks do inside networks based on patterns drawn from threat intelligence. If a security layer fails to stop or spot this simulation, you have your first needle.
Although BAS sounds new, some of this capability has been hiding inside specialized tools that have been in use for years. “Historically, we built these tools for quality assurance and test labs. It was built by geeks for geeks as a pre-deployment lab tool,” explains Keysight’s VP of security solutions, Scott Register.
Designed to bombard a system as part of heavyweight testing, eventually, it occurred to testing vendors that some elements of this testing might nevertheless have more mainstream uses. And so the BAS sector was born, where it resides today inside larger SecOps platforms – or in Keysight’s case, the Security Operations Suite, a product family that includes the separate threat intelligence gateway, ThreatARMOR.
For Register, the flaw in big cybersecurity is that, despite investing in more and more security tools, organizations have no simple way of measuring how well they’re protecting their company.
“Ask yourself, ‘After spending all of this money on security tools and operations, am I safer than I was yesterday? Last month? Last year? Because if you can’t answer that simple question, then you’re flying blind. You can’t justify or even evaluate expenses. So why are you buying all that security stuff if you can’t manage it?”, he says.
“For example, if you don’t get an alert from a firewall on a remote site, it’s hard to know if that’s because there’s nothing bad happening, or is there a configuration problem, or did it go offline?"
The conventional solution to this issue is to engage a bunch of internal pen testers to poke around on the network from the inside looking for the holes nobody knows about. This kind of assessment has been considered a best practice but has an obvious limitation – the day after the pen testers have gone home, the network changes and new vulnerabilities appear. Likewise, continuous red team pen testing which solves this problem in theory but is also a complex, expensive undertaking for companies without Top Gun IT departments.
“What a pen test team finds in January is going to be very different from the same team in July. The world is very dynamic, and the threat landscape changes every day. It’s just hard to measure your security over time with pen testing,” argues Register.
“Our tool lets customers safely conduct real attacks on their networks and find out where the gaps are, what is blocked and what is let through without you knowing it had happened. You can effectively deploy real malware against your network but in a safe way.”
In any organization, cybersecurity comprises a series of sensitive zones such as endpoint security, email and web servers, and branch office infrastructure. These in turn are protected by layers of anti-virus and sandboxing software, packet, and web application firewalls (WAFs), data leak prevention (DLP), VPN gateways, intrusion protection systems (IPS), email and web filtering, and controls for cloud applications such as Office 365.
These applications send status and alerts to a high-level security and event management (SIEM), which is where automated routines and human intervention are coordinated. The way Register describes it, Threat Simulator is like the internal affairs cop that keeps the other systems honest by testing their security state.
This is done using a simple architecture comprising a series of virtual agents that sit on the part of the network or policy zone being tested, running on Windows or Linux Docker containers. The agents simulate malware, communicating with a remote ‘dark cloud’ in Keysight’s data center, which acts as the malware command and control (C2). The idea is that while the agents talk to the cloud service and each other, they simulate a series of attack patterns and techniques that traverse and attempt to bypass internal security controls.
Once subscribed, admins can quickly set up one of a series of threat scenarios from a library of assessments which feed results to most SIEMs. These scenarios include generic assessments modelling known attacks (Mirai, Lazarus, WannaCry, Covid-19 lures), generic indicators (Cryptojacking), and individual techniques (data exfiltration, malware file transfer, LAN perimeter security), as well as the effectiveness of specific defenses (URL filtering, for example).
“In the flood of messages that security teams get every day from their many security tools, a SIEM isn’t configured to look for the specific events – the ‘Indicators of Compromise’ – that would indicate an organization is being subjected to a certain attack. That’s what usually happens -- you get an alert but it’s lost in the flood of hundreds of alerts a day so you don’t know that it’s actionable. We fix that,” Register says.
Another example would be that the organization’s endpoint security software isn’t detecting a new malware executable or known attack pattern, or the firewalls haven’t spotted that malware can tunnel their network using an encrypted C2 channel without being blocked or subject to packet inspection.
These types of conditions or oversights can appear at any moment, which is why running Threat Simulator as a regular but non-disruptive service makes sense.
“Most security admins will pick which attack scenarios to use based on the MITRE ATT&CK Framework. That lets you pick a particular threat actor and select the attacks that the bad guy is currently using. Threat Simulator makes it easy to do that,” Register says. “Our tool can be run as frequently as desired and it’s repeatable. You can also add whatever the new attack is. You get a really thorough view of your security posture while exposing your team to the newest attacks.”
An interesting use case is where organizations migrate from hosted web applications protected by WAFs to cloud platforms protected by proprietary security. The configuration on the latter turns out to be less than straightforward because the settings are unfamiliar which creates the likelihood of misconfiguration risk.
“We’ve been able to show customers that their current configuration won’t stop SQL injection attacks. It’s about helping people through those sorts of cloud migrations.”
In a fix It’s not a complete surprise that Threat Simulator is able to advise which issues should be prioritized but perhaps that’s the easy part. What matters more than that is being given direction on how to address the problems it has found. Sometimes that will be a straightforward case of adjusting a single parameter, other times it’ll be more complex advice. As any manual pen tester will tell a customer, some weaknesses are the result of architectural choices or legacy kit that’s not easy to dump overnight.
“We give remediation instructions so that you’re not on your own. Sometimes that’s product specific while on other occasions is more of a best practice approach.”
Other times, what it finds might be incredibly straightforward but important. Register cites the example of using Threat Simulator to send a malicious attachment through the Exchange server to see whether it is passed. If it is, the admin has found an issue that could save the organization.
He stresses that BAS is not a replacement for a full internal pen testing so much as a complement to it. The distinction is important. BAS lets security teams take an attacker’s view of the network while Pen testing tends to focus on emulating hackers who are perpetrating social engineering attacks or opportunistically testing an organization’s Wi-Fi.
Threat simulation is still a simulation, but one that finds common weaknesses which appear suddenly and lurk unnoticed. If an attacker is trying to gain a foothold in a network, or already has one and wants to move laterally, it is this kind of everyday weakness that gives them free fuel. If an attacker has to work harder to exploit a network, there’s a good chance that they’ll move on to one that’s more easily breached.
BAS can be thought of as part of a much bigger trend away from security systems that block things – with fingers crossed – towards the simple, perhaps radical notion of continuous improvement. Something is always going wrong, or not operating as it should, but the problem is you don’t know where or how this has happened until the ransom note appears screen-side.
No single tool, technology or approach will do the whole job. Pen testing, especially black box testing, is still necessary because it is an independent assessment. Ditto for compliance and assurance because they raise standards.
Breach and attack simulation is simply another element for use between times. Taking a hacker’s view of your network with a BAS solution – rather than relying on security tools – shows you your vulnerabilities. Ultimately, the idea that in order to secure something you must validate it continuously is a compelling one.
“Corporate security has been notoriously difficult to measure,” Register says, “As Peter Drucker famously said, what you can't manage is what you can't measure. And yet today the only measure we have is a negative, a breach. That’s terrible, like asking a doctor how many patients they’ve lost last year.”
Sponsored by Keysight.