Cybersecurity is a strategic issue for companies and public administrations. In October, three public medical centers in Catalonia suffered a cyber-attack that paralyzed their activity. The malicious agents used ransomware to hijack patient data and demand an economic ransom from the Administration. These kinds of incidents demonstrate the relevance of having advanced cybersecurity services, such as the simulation of cyber-attacks, to analyze an organization’s security strategy, identify new attack vectors and take remediation measures.
The security crisis experienced by Catalan medical centers evidences of how successful cyber-attacks can compromise something as important as the health of people… and businesses. What’s more, a security incident can trigger major economic, legal and reputational consequences. How does an organization prevent this from happening?
The simulation of cyber-attacks can be a key ally in validating the security of a company or institution. Why? This high-value service, provided by cybersecurity specialists, is based on two fundamental characteristics. On the one hand, it is customizable, i.e., professionals adapt its design and execution to the needs and characteristics of the organization. On the other hand, the techniques used in the simulation of cyber-attacks can be automated, which facilitates the task of generating a very large number of tests in a short time. At the same time, security can be continuously monitored.
In the following, we will analyze Tarlogic’s cyber-attack simulation service and its benefits for companies wishing to improve their detection and response capabilities to potential cyber threats.
1. BAS technology, an ally to automate security validation
The automation of the techniques implemented in the simulation of cyber-attacks is possible thanks to the use of Breach and Attack Simulation (BAS) technology. These cutting-edge solutions, as the name of the technology itself indicates, are used to simulate cyber-attacks.
These tools make it possible to perform simulations of breaches and attacks. The objective of such a cyber-attack simulation is to identify and mitigate existing security holes in web applications, email, and endpoints of organizations.
Likewise, the wealth of information obtained by using BAS technology allows the generation of reports and risk assessment, using reference methodologies in the sector such as MITRE-ATT&CK.
One of the great advantages of using this type of technology is that these tools continuously update the threat repository, which facilitates the detection and anticipation of innovative and disruptive attacks.
1.1. MITRE-ATT&CK, a framework that systematizes malicious tactics and techniques
What tactics and techniques can be used to simulate cyber-attacks? For example, those contained in the ATT&CK framework developed by MITRE, a non-profit organization that researches and develops technology for various U.S. government agencies in such important areas as defense and cybersecurity.
As part of its innovative work in the field of Internet security, MITRE designed ATT&CK, a framework that systematizes the main tactics and techniques used by criminals to attack organizations.
In its latest version, published in April 2022, the framework lists up to 14 tactics. These range from reconnaissance, i.e. actions taken by attackers to obtain information that may be useful for future operations, to impact, i.e. the set of techniques used by attackers to manipulate, disrupt or destroy an organization’s systems and information. Other tactics include obtaining access credentials, privilege escalation, or data exfiltration.
In turn, ATT&CK establishes the techniques used by attackers to accomplish the objectives of each of the 14 tactics. In this way, the matrix compiles and systematizes the main techniques developed and implemented when carrying out cyber-attacks.
In the case of the defense evasion tactic, which seeks to avoid detection by the organization’s security systems, MITRE compiles up to 40 techniques that attackers can employ. This is a good example of the broad overview of cyber-attacks that this framework provides.
1.2. Simulation of on-demand cyber-attacks
On the other hand, it should also be noted that the simulation of cyber-attacks can be limited to a series of critical elements or assets.
This is very useful since each company or institution has its casuistry and not all of them have the same components implemented in their infrastructure. When designing a customized cyber-attack simulation, the needs, characteristics, objectives, and economic and human resources of the organization are taken into account.
Thus, some companies may decide that the cyber-attack simulation should focus on endpoint security or data exfiltration, while for others the Full Kill Chain or web application firewalls are fundamental.
This way of designing the cyber-attack simulation allows the service team to tailor the service to each client, focusing on those threat vectors that are most relevant to the organization in question.
1.3. A high value-added service for all types of companies
Just as in terms of threats, all companies are exposed to a similar degree, depending, of course, on their economic sector; in terms of vulnerabilities, each one is different.
Some companies have made a firm commitment to placing cybersecurity at the heart of their business strategy, investing money, hiring advanced cybersecurity services, and raising awareness throughout the organization of the risks they face. In contrast, other companies are at a more embryonic stage.
The cyber-attack simulation team should help companies identify and select the components that will bring them the greatest benefit in terms of improving the security of their systems.
1.4. Advanced scenario
In addition to designing the cyber-attack simulation a la carte, based on the organization’s priority intrusion vectors, a cyber-attack simulation scenario, that includes the entire MITRE framework, can also be designed.
In this way, an extremely complete security validation is obtained, addressing all the vectors and implementing all the tactics and techniques used by malicious actors.
These advanced services make the security gaps in an organization’s systems visible and serve as a starting point for taking the necessary actions to close them. Thus, a company’s CISO, in light of the results, can prioritize its resources and the actions to be taken.
2. The importance of human talent: The activities that are carried out
As we have already noted, BAS technology is a pioneering advance that allows cybersecurity professionals to perform a customized and automated simulation of cyber-attacks.
As a result, there are currently few providers capable of offering this cybersecurity service with the level of knowledge of this technology that the Tarlogic team has.
As is the usual trend in the field of cybersecurity, every day new types of threats are detected and the data around them are incorporated into this technological development. As a result, professionals must be regularly trained and recycled so that their knowledge is constantly updated.
Moreover, given its complexity, any tool using BAS technology must be implemented by a team highly qualified in its use and the main methodologies and best practices of the sector.
All this leads us to a conclusion that we must emphasize: this innovative technology does not replace the importance of human talent, but rather enhances it.
2.1. Analysis of information is key
The use of this type of tool provides an enormous amount of data on the security of a company’s systems. But it is essential to know how to analyze this information. This requires filtering the data and knowing exactly which are the most relevant aspects of each item according to the characteristics of the company in which the cyber-attack simulation is being carried out.
For example, using a solution based on BAS technology, it is possible to know how many times a certain vulnerability is repeated. But such a tool does not qualify the severity of the vulnerability. For an organization, the fact that vulnerability X has been detected 10 times may be less relevant than a vulnerability that has only been detected once but affects the company’s critical assets.
Hence, the human talent behind the management of the tool and the analysis of its data is of vital importance. Among the different activities carried out by the Tarlogic team that provides the cyber-attack simulation service, we can highlight six.
2.2. Implementation, configuration, and test execution
The orchestration of the service is fundamental. The management and coordination of all the components require a deep knowledge of the tool to be used, as well as a wide experience in its use. In addition, it is also key that the team in charge of the simulation of cyber-attacks also has extensive experience in pentesting, as in the case of Tarlogic.
Cybersecurity professionals are in charge of implementing and configuring the tool and proceeding to run the tests.
2.3. Data analysis and design of security indicators
As mentioned above, when using BAS technology, a large amount of data is collected. This information must be analyzed to be useful for strengthening the systems and resolving the vulnerabilities detected.
Therefore, data analysis is one of the keys to the cyber-attack simulation service. The professionals who carry it out generate security indicators, to make it easier for company managers to understand the information and, therefore, to make decisions.
The Tarlogic Security team has its own methodology for prioritizing threats, the result of the experience and knowledge accumulated in the provision of this advanced cybersecurity service.
2.4. Recommendation of containment and prevention measures
The analysis of the data obtained thanks to this type of tool allows the team performing the simulation of cyber-attacks to determine the security problems, prioritize them and propose a series of measures for both containment and prevention of cyber-threats.
Not all organizations have the same resources, which is why the prioritization of recommendations, adjusted to the characteristics and needs of each company, is so important.
In this way, the team that performs the cyber-attack simulation provides the company with the tools to create a roadmap to optimize the security of its systems. In addition, Tarlogic offers Advisory services to align the results with, among others, the CIS Benchmarks or the NIST framework.
2.5. Proactive research and complementary manual works
Beyond the implementation of BAS technology and the analysis of the data obtained, it is also essential for professionals to carry out proactive research, supplementing the information provided by the tool.
This allows the team to be constantly aware of new techniques implemented by malicious agents. They can then implement them in real environments in order to secure organizations against them.
What’s more, the Tarlogic team offers an extra service that complements the tasks that can be automated. Thanks to all the knowledge accumulated by its professionals, the team is able to analyze the data provided by the tools and perform manual checks that increase the probability of success.
2.6. Information on tests performed and collaboration with the Blue Team
The raison d’être of the simulation of cyber-attacks is to validate the security of a company’s systems and to remedy the vulnerabilities or breaches detected. To do this, the team that performs it has to establish an efficient and permanent communication channel with the organization’s professionals in charge of cybersecurity.
In addition to reporting on all tests performed, it is essential that the cyber-attack simulation team collaborates with the Blue Team to help it deal with threats.
2.7. Follow-up on the implementation of recommendations
Tarlogic Security professionals do not end their services with the proposal of threat mitigation recommendations, but follow up to evaluate their implementation and assist the organization in any way necessary.
3. Benefits of the cyber-attack simulation service
In view of the above, the simulation of cyber-attacks can be a crucial service for companies and institutions wishing to validate the security of their systems, check that the measures they have put in place are working properly and remedy the problems detected.
3.1. Comprehensive management of all components and stakeholders
Some companies choose to hire BAS tools and use them on their own. However, considering that we are talking about state-of-the-art and extremely complex and comprehensive solutions, this is not advisable.
If you want to get the most out of this tool, it is essential that it is managed by professionals who are well versed in its use and who are continuously trained to adapt to the changes made in each version.
A comprehensive cyber-attack simulation service guarantees that the orchestration of the tests and the coordination of all the actors involved will be carried out in an optimal manner, contributing to the service being of great added value for the management of the company that hires it.
3.2. Analytics, filtering and prioritization
In line with the previous benefit, hiring a cyber-attack simulation service is key to facilitate the processing and analysis of the information obtained in the tests. Not only because of the huge amount of data obtained, but also because of the complexity of qualifying, filtering and prioritizing them. In addition, the characteristics of each organization must be taken into account.
Thus, the professionals in charge of cyber-attack simulation filter out false positives, classify threats according to their importance and help organizations to prioritize them.
3.3. Improving cyber threat containment and prevention measures
The key to cyber-attack simulation lies not so much in the data obtained about the security of systems and assets, but in the possibility of transforming them into effective containment and prevention measures.
The cyber-attack simulation service provided by experienced professionals such as those at Tarlogic:
- Provides qualitative information to improve the detection capability of the SOC and Blue Team teams.
- It serves to contrast the impact that cyber-attacks could have on an organization and to predict what percentage of attacks could be successful.
- It makes it possible to detect vulnerabilities that had not yet been identified.
- This service helps to evaluate the effectiveness of the security measures that the company has already implemented.
- It assists the company’s teams, making it easier for them to understand all the data.
- Advises the organization in designing and implementing remediation and mitigation plans, incorporating the findings made during the cyber-attack simulation.
3.4. Continuous analysis of new techniques incorporated into the tool
One of the great advantages of tools using BAS technology is that they are constantly being optimized, incorporating crucial information on the most relevant tactics and techniques used by the bad guys.
This means that the team providing the service must be trained to understand and handle the new techniques in order to get the most out of them.
Beyond the use of the tool, if the professionals have extensive experience in the cybersecurity sector, they will be able to incorporate the latest trends in the field and analyze the most cutting-edge research, incorporating all this wealth of knowledge into the design, execution and evaluation of the service.
3.5. Personalization of cyber-attack simulation
This is perhaps one of the most important benefits of a cyber-attack simulation service. It is useless for a company’s systems and assets to be tested through generic tests that do not take into account the characteristics of the organization. The results obtained will not provide accurate information on their security, nor will they be useful for taking the most appropriate measures to solve problems.
Customization throughout the entire process is essential. From the choice of attack vectors, to the transfer of information, to the establishment of attack targets. Everything must be tailored to the needs of the company and the capabilities of its teams.
Hence, one of the keys to a comprehensive simulation of cyber-attacks is the permanent collaboration between the team orchestrating it and the professionals of the organization undergoing security validation.
This customization translates, unsurprisingly, into deliverables with results fully adapted to the demands of the company contracting the service. Thus, it is possible to provide documents prepared and structured according to the level of criticality, audiences or types of attacks.
As if all this were not enough, the permanent monitoring of tests, vulnerabilities and mitigation measures guarantees full customization of the service.
3.6. Painting a heat map of the security of all your assets
Precisely, the simulation of cyber-attacks makes it possible to obtain a global vision of the state of security of a company and the level of protection of its assets.
Thanks to all the information obtained, filtered, analyzed, and systematized, it is possible to compose a heat map of a company’s security, showing its various assets (WAF, email, endpoints, etc.) and their security percentage.
From this overview, it is then possible to determine which are the priority assets and to focus remediation and protection measures on them.
As mentioned above, the simulation of cyber-attacks allows a dynamic roadmap to be drawn up, which is modified according to the progress made during the provision of the service.
In short, the cyber-attack simulation service can be a key ally in validating a company’s security, detecting vulnerabilities, checking the efficiency of the security measures implemented, and managing the resources available to secure the organization’s systems, equipment, and assets.
More articles in this series about advanced cybersecurity services
This article is part of a series of articles about advanced cybersecurity services
- Essential cybersecurity services in the digital age
- Simulation of cyber-attacks: Customize and automate your company’s security validation