Breach and Attack Simulation vs Penetration Testing

Breach and Attack Simulation vs Penetration Testing has become the question to answer in offensive security testing circles of late. So what is the difference between the well-established world of penetration testing and the up-and-coming Breach and Attack Simulation (BAS)?

Before we answer that, it is worth pointing out that investment in information security tools has skyrocketed over the last ten years. A joint study by IBM and the Ponemon Institute found, however, that deploying more security tools resulted in organisations being less secure, and that on average organisations have deployed 47 key security controls – tools that all need to be configured, tuned, maintained and managed.

Clearly then, the key question that CISOs need to ask is: how effective are the security tools that we have put in place, and are they working as expected? With threats like ransomware, it is not only the CISO who will want to know this, but increasingly the Board and senior management team as well.

How do we know how effective our security controls are? Have they been tuned and configured correctly, and are they able to protect us from both established and the latest threats and attack methods? In addition, are our Security Operations and Incident Response teams able to detect attacks in a timely manner?

Penetration testing

Typically, penetration testing is conducted by human security specialists who attempt to emulate the tactics and techniques of attackers in order to identify vulnerabilities or weaknesses within a network, process or application. While automated penetration testing tools are emerging, this still remains largely a manual exercise and, due to the cost, is often a point-in-time test.

The penetration testing process typically involves stating a specific goal (such as reaching a ‘crown jewel’ asset or a database), after which the testing team may use a variety of methods and techniques that emulate how an attacker might behave in order to reach that goal.

“A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.”

UK National Cyber Security Centre (NCSC)

Breach and Attack Simulation (BAS)

Breach and Attack Simulation tools, like Validato, simulate threat actor behaviours (often using MITRE’s ATT&CK framework as a baseline) in order to validate the effectiveness of security controls. Breach and Attack Simulation tools provide unbiased data that can be used to measure:

  1. how effectively security controls protect against legacy and the most current cyber threats
  2. how effectively the security operations and incident response teams detect attack methods
  3. how effectively the organisation responds to and fixes the issues that are identified.

In this regard, Breach and Attack Simulation tools are able to provide CISOs with valuable security tool effectiveness data that can be directly mapped back to governance frameworks, like the NIST Cybersecurity Framework, which is useful for presenting upwards to the Board and to external auditors.
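To make the three measures above concrete, here is a small scorer that rolls the outcomes of a simulated ATT&CK technique run into protection, detection and remediation rates, with a per-tactic coverage view that can be reported upwards. This is an added illustration, not Validato's code; the result record format, the constructed sample outcomes and the scoring rules are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class SimResult:
    technique: str                        # ATT&CK technique ID (e.g. "T1059.001")
    tactic: str                           # ATT&CK tactic the technique belongs to
    prevented: bool                       # a control blocked the simulated behaviour
    detected: bool                        # SOC/SIEM raised an alert for it
    hours_to_fix: Optional[float] = None  # time to close a gap; None if still open


def _ratio(num, den):
    return num / den if den else 0.0      # an empty run scores 0 rather than crashing


def score_run(results):
    """Roll a list of SimResult into the three measures: protection,
    detection (of what got through) and remediation (of identified gaps)."""
    gaps = [r for r in results if not r.prevented]
    # Detection is judged only where prevention failed: a technique that was
    # neither blocked nor alerted on is a blind spot the CISO needs to see.
    blind_spots = [r.technique for r in gaps if not r.detected]
    fixed = [r for r in gaps if r.hours_to_fix is not None]
    per_tactic = defaultdict(lambda: [0, 0])   # tactic -> [covered, total]
    for r in results:
        per_tactic[r.tactic][1] += 1
        if r.prevented or r.detected:
            per_tactic[r.tactic][0] += 1
    return {
        "protection_rate": _ratio(len(results) - len(gaps), len(results)),
        "detection_rate": _ratio(len(gaps) - len(blind_spots), len(gaps)),
        "blind_spots": blind_spots,
        "remediation_rate": _ratio(len(fixed), len(gaps)),
        "mean_hours_to_fix": _ratio(sum(r.hours_to_fix for r in fixed), len(fixed)),
        "tactic_coverage": {t: _ratio(c, n) for t, (c, n) in per_tactic.items()},
    }


# Constructed sample run: outcomes invented for illustration, not real test data.
SAMPLE_RUN = [
    SimResult("T1566.001", "initial-access", prevented=True, detected=True),
    SimResult("T1059.001", "execution", prevented=False, detected=True, hours_to_fix=4),
    SimResult("T1003.001", "credential-access", prevented=False, detected=False),
    SimResult("T1486", "impact", prevented=True, detected=False),
    SimResult("T1021.002", "lateral-movement", prevented=False, detected=False, hours_to_fix=48),
]

if __name__ == "__main__":
    for name, value in score_run(SAMPLE_RUN).items():
        print(f"{name}: {value}")
```

On the sample run the two blind spots (credential access and lateral movement neither blocked nor alerted on) surface directly, which is the kind of gap a point-in-time test can miss between engagements.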

In summary

In a mature information security environment, the two disciplines of Breach and Attack Simulation and Penetration Testing will co-exist and complement each other. Ideally, Penetration Testing will be used after a Breach and Attack Simulation, as a security assurance measure, to validate that any changes made to correct misconfigurations or gaps in security control coverage have been effective.

Gartner sums up the difference between Breach and Attack Simulation and Penetration Testing by saying:

Penetration testing answers the question: ‘can they get in?’  Breach and Attack Simulation (BAS) tools help you to answer the question: ‘do my security tools work?’.

So, to sum up: Breach and Attack Simulation (BAS) tools help to continuously validate security control effectiveness, while penetration testing seeks to find weaknesses and vulnerabilities.

To understand more about how Validato’s security validation platform works, request a demonstration from our team by clicking here.