Hack to the Future: Why Attack Simulations are the Future of Security Control Testing

Offense versus defense. Proactive versus reactive. In many parts of an enterprise, teams need to make choices between preparing for upcoming events, or waiting until they occur – and nowhere so much as on the security team. Do you wait until the attackers make themselves known in your networks before you remediate the impact? Or is it better to strategize how and where attacks may take place, so that you can avoid attackers making inroads at all?

In the past couple of decades, when security control testing and attacks weren’t quite as sophisticated as they are now, the security posture was more likely to be reactive. Also, traditional testing wasn’t designed to be as forward-looking: Its limitations meant that multiple threat vectors couldn’t be tested at once, nor could results be derived quickly enough to have rapid impact on attacks.

If traditional testing was part of the past, attacks simulations are very much a part of security today and bode well for fending off attackers in the future. Here are some reasons why:

• Attack simulations are designed to be conducted repetitively without the costs and setup time of traditional testing.
• Machine learning enhances ongoing testing, and findings are reported continually – unlike traditional testing, where findings are from a specific point in time and are difficult to tie back to long-term security trends.
• Attack simulations can be run on production environments – whereas traditional testing can upend normal operations in the production environment.

Attack simulations have become more necessary to security teams because of innovation and complexity – on both the attacker and defender sides. Attackers are good at what they do, and today’s cyber threats are more sophisticated than ever, requiring precise intelligence into malicious activity. On the defender side, enterprises’ security models have become more complex in terms of in terms of product configurations, as well as automated and manual processes and the overall networking environment.

In this complex and challenging environment, time-consuming traditional testing, like red-teaming and penetration tests, is simply not worth the risk. Since traditional testing mostly looks at the past and is fixed on moments in time, it can’t provide guideposts for how the security environment should change in the future.

On the other hand, continuous attack simulations, which automate adversary behavior in a controlled manner, overcome the barriers posed by traditional testing, such as time and cost. They can also span many more processes and security controls, without disrupting day-to-day business operations.

Attack simulations’ role in improving future security operations 

To allow attack simulations to help your security team become proactive and future-facing, here’s how to ensure that they produce actionable insights.

Use attack simulations to test assumptions. If you run attack simulations continuously, you can validate the security teams’ assumptions about the efficacy of security controls. As teams research attack kill chains to uncover threats their security controls successfully recognize – as well as the threats that go undetected – attack simulations validate that their environment will perform as expected when the attackers show up.

Use attack simulations to cover basic risk factors. Attack simulations should cover risk factors that do not change, which can be the highest-level threat vectors – as opposed to every possible weak point. For best results, focus on where attackers get in and how they do so.

Use attack simulations to understand possible outcomes. With continuous testing, you can validate the security team’s expectations of what baseline results should look like. If your team runs tests without understanding outcomes – such as which alarms will fire, and which data sources are generating data to trigger alarms – they won’t know if the simulations were successful or not.

As we noted above, it’s true that today’s attacks – and no doubt the ones your security team will encounter in the future – are sophisticated and complex. But even so, maybe of the attacks behave in similar ways, since attackers copy and adapt each other’s approaches. This is where attack simulations can help add some future-proofing to your security environment: If you know what’s coming, you can take steps to find and close security gaps.

To learn more about how to use attack simulations, check out the white paper: Continuous Attack Simulations: How to Identify Risk, Close Gaps, and Validate Your Security Controls.

Marcus Carey is currently an Enterprise Architect at ReliaQuest. Marcus is renowned in the cybersecurity industry and has spent his more than 20-year career working in penetration testing, incident response, and digital forensics with federal agencies such as NSA, DC3, DIA, and DARPA. He started his career in cryptography in the U.S. Navy and holds a Master’s degree in Network Security from Capitol College.   Marcus was previously the founder and CEO of Threatcare (acquired by ReliaQuest), a venture-backed cybersecurity and software services company based in Austin, Texas. He regularly speaks at security conferences across the country. Marcus is passionate about giving back to the community through things like mentorship, hackathons, and speaking engagements, and is a voracious reader in his spare time.