Black Hat 2018: Attack Simulation

Inspector Clouseau, of Pink Panther fame, had Cato Fong, his manservant, attack him by surprise to keep his self-defense reflexes strong. (And funny) Businesses and government agencies today should have their own version of Cato in the form of attack simulation software. Black Hat 2018 had several vendors offering this kind of solution, sometimes called Breach and Attack Simulation (BAS). These included AttackIQ, XM Cyber, Cymulate and others.

This is a good time to have, or at least be aware of, BAS.  Because, just as Cato hid in closets and freezers waiting for the right moment to ambush his boss, so too do Advanced Persistent Threats (APTs) lurk inside networks in search of cyber vulnerabilities. Effective protection requires constant checking of countermeasures. That’s what BAS does.

Peter Sellers (Left) as Inspector Clouseau, fending off one of many surprise attacks by Cato Fong, played by Burt Kwouk, in the Pink Panther film series. (Copyright MGM)

Vulnerable, Despite an Ethos of Diligence

BAS providers understand that even the most diligent SecOps teams and IT departments can leave systems exposed through unexpected attack surfaces. For example, according to Verizon, 80% of organizations have misconfigured controls. Each misconfiguration is waiting for an APT.

“The attacker only has to be right once,” said Carl Wright, Chief Revenue Officer of AttackIQ. “The defender has to be right 100% of the time, which is essentially impossible.” Wright is the former CISO of the US Marine Corps. He cited the example of an organization that left S3 buckets exposed in Amazon Web Services (AWS).

“The attacker only has to be right once.” – Carl Wright, Chief Revenue Officer of AttackIQ

In some cases, the accidents are simply due to the scale and scope of organizations. Indeed, what counts as an organization today may actually be an agglomeration of connected but separate entities. This structure, which is inevitable in most modern industries, is notorious for poorly configured security controls.

The Need for Automation in Security Controls Testing

In Wright’s view, security is five year behind IT in its workflow automation capabilities. “The attackers are getting increasingly automated, though,” he pointed out. “Security has to keep up.” A human “red team” can only assess a small fraction of a organization’s security controls. To remedy this deficit, AttackIQ offers automated control validation.

“APTs can use techniques and methods that go around the controls as attackers often employ legitimate tools and leverage real user behavior.” – Maya Schirmann, VP of Marketing at XM Cyber

The company is responsible for compiling and curating the Common Vulnerabilities and Exposures (CVEs) listed in the Mitre Corporation “Body of Knowledge.” They base their vulnerability assessments on this collection of CVEs. Wright asked, “If you know the attacks, why not exercise all known attacker behaviors against your people, your processes and your security technologies?”  He added, “That is what AttackIQ does. If it doesn’t block, you haven’t done it right.” They work on this basis with DoD contractors, healthcare companies and financial institutions.

Cato, the world’s first APT (Copyright MGM)

Varying Approaches to Breach and Attack Simulation

BAS providers come at the APT challenge differently. AttackIQ offers what is essentially an open system testing platform. Users can develop their own tests to measure the effectiveness of their security controls. XM Cyber is more oriented toward revealing security holes like misconfigurations as they appear, regardless of controls. “APTs can use techniques and methods that go around the controls as attackers often employ legitimate tools and leverage real user behavior,” explained Maya Schirmann, VP of Marketing at XM Cyber. “We want to make sure you’re safe by identifying in advance the attack vectors that attackers will use to compromise your critical assets.”