Integrating continuous security validation solutions can be scaled up as requirements and resources grow.
The four essential elements for extending your security posture management to the widest coverage currently available with continuous security validation solutions are:
• Attack Surface Management (ASM)
• Breach and Attack Simulation (BAS)
• Continuous Automated Red Team (CART)
• Purple Teaming (PT)
Though integrating all these tools is the ideal option, it’s not feasible for everyone. They should be integrated in that order as the infrastructure and resources become available.
Adopting Attack Surface Management (ASM)
Attack Surface Management (ASM) is the first line of offensive defense, as it aims to detect the same potential points of entry that an attacker would.
ASM tools automate the continuous discovery, inventory, classification, and monitoring of your organization’s IT infrastructure from an attacker’s point of view. Obtaining and maintaining a 360° view of all digital assets potentially usable by cyber-attackers is key to preventing unauthorized access to your organization’s infrastructure. Given the dynamic nature of today’s environments and the ever-growing spread of connected endpoints, ASM needs to continuously monitor all assets, whether known or unknown, secure or not, active or not, managed or not, proprietary or vendor-managed, including all devices (managed or not), hardware, software, IoT devices, SaaS and cloud assets, and resources.
The classic line of defense is to run tests in a controlled environment covering all or part of the infrastructure. These tests, however, are by definition limited in scope and time, and they fail to protect the infrastructure in real time: the attack surface is constantly evolving, and security teams must mitigate emerging vulnerabilities and close security control gaps before attackers find and exploit them.
With the rapidly evolving array of off-the-shelf advanced offensive tools available on the Darknet at an affordable price, and the resulting exponential growth both in the number of advanced malicious tools and in the number of malicious actors taking advantage of the low skill level required, cyber-defenders need to integrate ASM tools to keep up with attackers’ progress.
Deploying an Automated Breach and Attack Simulation (BAS) Solution
Another effective way of improving security posture is to add offensive testing capability to your cybersecurity array. Breach and Attack Simulation (BAS) is an advanced computer security testing method. Attack simulations identify vulnerabilities in security environments by mimicking the likely attack paths and techniques used by malicious actors, making Breach and Attack Simulation similar to a continuous, automated penetration test. BAS improves upon the inherent limitations of red and blue teams.
Security teams have long sought to assess the strength of their organizational defenses through organized red and blue team exercises. In these scenarios, the red team plays the role of malicious attackers while the blue team is tasked with deterring these attacks. Ideally, these exercises are led by seasoned security professionals and staged in controlled environments, with both sides working together to provide a clearer picture of the state of an organization’s security posture. While these exercises have long been an important security tool, they suffer from a key disadvantage: they are highly manual and resource-intensive, which means that most organizations can only run them episodically. As a result, during the weeks or months between tests, vulnerabilities may arise undetected, and defenders have little visibility into the true state of their security environment. A BAS platform solves this issue by performing many of the same critical functions as red and blue teams, but in a continuous and automated fashion.
What are the key benefits of BAS?
An advanced cyber security breach simulator assesses and validates the most current attack techniques used by advanced persistent threats and other malicious entities. It follows the entire attack path to an organization's critical assets and then provides a prioritized list of remediation steps if any vulnerabilities are discovered during a breach. It can simulate many scenarios, covering malware attacks on endpoints, data exfiltration attempts, and sophisticated APT attacks that move laterally through a network targeting the most valuable assets. Combining red and blue team techniques in a practice known as purple teaming, and automating them in a BAS platform, provides continuous coverage: these simulations can be run on a 24x7x365 basis, ensuring that organizations maintain much deeper visibility into the true state of their defense readiness. This is critical because, given enough time, attackers will uncover any security control gap.
This makes continuous testing the most effective way to mitigate risks. BAS brings another benefit relative to conventional security validation: it is not as reliant on human penetration testers, or on the varying skill sets and experience levels of red or blue teams, and it can be run continuously. Catching emerging security control misconfigurations, prioritizing their patching, and providing detailed mitigation instructions is key to hardening your security posture and preventing security drift.
Running Continuous Automated Red Team (CART)
While ASM and BAS tools are excellent at spotting and fixing security gaps and vulnerabilities, they typically require deploying at least one agent per environment. They extensively test the infrastructure’s security posture from the inside out, including the internal paths an attacker could use to spread. What is missing, though, is an outside-in approach.
Initially used by the US military to emulate adversary war tactics, red teaming is a key concept in cyber security. Typically, red teams operate bi-annually or quarterly, launching simulated attacks on the infrastructure and reporting on the uncovered security gaps. This approach is complex, requires orchestrating numerous tools manually, and is usually run only on select known applications or systems. With the massive growth in attackers’ sophistication, tooling, and resources, this approach is increasingly untenable.
Whereas BAS operationalizes testing attack scenarios from within, CART automates launching multi-stage attacks spanning a wide range of scenarios, covering the entire attack path, from entry points to mission execution (data exfiltration, encryption, disruption, or destruction). These attacks cover techniques ranging from vulnerability assessments to penetration tests and social engineering. A complete CART solution immediately produces detailed reports that can be used both to accelerate mitigation and to facilitate communication with the board.
Adding Purple Teaming (PT)
As invaluable as ASM, BAS, and CART solutions are, they remain off-the-shelf solutions: they automate a large number of repetitive manual actions, freeing the security team’s time to perform more challenging tasks and harden the security posture to its highest possible level.
Unlike ASM, BAS, and CART, purple teaming is more a framework than a solution. A purple team combines the defensive expertise of a blue team with the offensive skills of a red team. Purple teaming is the exercise of those two working together to improve the organization’s security posture.
When used in combination with ASM, BAS, and CART, purple teaming enables security teams to create custom scenarios, ideally leveraging templates customized to the organization’s infrastructure.
If possible, these purple teaming exercises should be run from the same dashboard as ASM, BAS, and CART, as a single-pane-of-glass dashboard facilitates security posture management and improves its efficiency.