Suleyman Ozarslan, PhD | June 14, 2019
This blog post will take a deeper look and comment on the paper 'Red Team: Adversarial Attack Simulation Exercises (AASE) – Guidelines for the Financial Industry in Singapore'.
It was released in November 2018 by the Association of Banks in Singapore and – although targeting the financial industry in Singapore specifically – it also contains useful guidance on how to leverage various offensive security methods for security validation.
The AASE guidelines explain how and when to use methods such as vulnerability scanning, penetration testing, and red teaming. This blog post discusses where Breach and Attack Simulation (BAS) tools fit into this continuum.
Find out more about Breach and Attack Simulation in our whitepaper.
There are probably more adversaries around in cyber space than ever before – nation-state attackers, financially motivated crime groups, hacktivists, cyber mercenaries and many others. Countries are under a constant barrage of cyber-attacks against their critical national infrastructure. Singapore has carved out a leading position in the East through the rapid adoption and widespread dissemination of advanced technology. This has led Singapore to become targeted by many hostile nations and other threat actors.
Singapore has recognized the need for robust cyber security to maintain this technological advantage and its leading position. It is pushing its national cyber security program via different initiatives – e.g. the 2018 cyber security bill that allows national servicemen to spend part of their mandatory military service improving their cyber security knowledge.
Another such thought-leading initiative is the sharing of know-how and best practices. The 'Red Team: Adversarial Attack Simulation Exercises (AASE)' document is one such best practice paper which we will analyze in more detail. By providing this kind of guidance and thought-leadership on a national level, Singapore manages to let this culture, knowledge, and leadership trickle down into private companies big and small and thus improves the overall cyber security in Singapore.
The AASE paper provides succinct guidance on terminology, methodology and an overview of offensive security testing. Besides other great content, it provides guidance on two aspects of AASE:
The first major item is the description of different levels of organizational maturity and the kind of attack simulation best suited to each. Businesses differ in maturity and operational scale. At one end is a low-maturity organization with a limited number of systems and no prior experience in conducting attack simulation; for such an organization, a tabletop exercise that focuses on the planning phase and on familiarization with the concepts is probably most valuable. Medium-maturity organizations are probably the most common: they run ad-hoc attack simulations by hiring third parties whenever required, and the recommendation for them is to run tests periodically. High-maturity organizations are recommended to align much more closely with the rest of the guidance provided in the AASE paper.
The second major aspect is the differentiation between forms of attack simulation. According to the paper, attacks come in three main forms: Adversarial Attack Simulation Exercises (AASE), Penetration Testing and Real Attacks. Interestingly, there is almost no mention of automated breach & attack simulation in the paper. It contains a reference to ‘Automated Attack Simulation’, but this appears to refer to attack path simulation tools whose goal is finding chains of vulnerabilities, rather than to BAS tools, which provide a continuous, automated method of testing detection & prevention capabilities against various tactics, techniques & procedures (TTPs).
The main differences between AASE & Pentesting are the scope (wide vs. deep) and the use of physical or social engineering attacks (not commonly used in Pentesting). The main differences between AASE & Real Attacks are ethical considerations and the attack being time-bound in the case of AASE.
While not making explicit reference to BAS, almost everything described as being good practice for AASE can be found with BAS tools. A few examples are:
Ultimately, BAS technology is a natural fit for the requirements laid out in the AASE paper. AASE has a strong organizational aspect and goes well beyond simply running attack simulations. This is where BAS can provide large improvements and cost savings for organizations, by offering the attacking and defending teams a common platform. A BAS tool such as Picus can be used during the planning phase of an Adversarial Attack Simulation Exercise to select the right attack scenario, TTPs and attack paths.
Picus can also help to improve the execution of Adversarial Attack Simulation Exercises (AASE): the repeatable execution of cyber-attacks should not be where the majority of human effort is spent during attack simulations. This can and should be automated via Breach and Attack Simulation (BAS) solutions, so that humans can focus on planning and on evaluating the attack results.