Suleyman Ozarslan, PhD

LAST UPDATED ON MARCH 24, 2023

Vulnerability Scanning, Pentesting, Red Teaming … What’s Next?

This blog post will take a deeper look and comment on the paper 'Red Team: Adversarial Attack Simulation Exercises (AASE) – Guidelines for the Financial Industry in Singapore'.

It was released in November 2018 by the Association of Banks in Singapore and – although targeting the financial industry in Singapore specifically – it also contains useful guidance on how to leverage various offensive security methods for security validation.

The AASE guidelines explain how and when to use methods such as vulnerability scanning, penetration testing, and red teaming. This blog post discusses where Breach and Attack Simulation (BAS) tools fit into this continuum.


Singapore – Leading Through Technological Advantage

There are probably more adversaries around in cyber space than ever before – nation-state attackers, financially motivated crime groups, hacktivists, cyber mercenaries and many others. Countries are under a constant barrage of cyber-attacks against their critical national infrastructure. Singapore has carved out a leading position in the East through the rapid adoption and widespread dissemination of advanced technology. This has made Singapore a target for many hostile nations and other threat actors.

Singapore has recognized the need for robust cyber security to maintain this technological advantage and its leading position. It is pushing its national cyber security program via different initiatives – e.g. the 2018 cyber security bill that allows national servicemen to spend part of their mandatory military service improving their cyber security knowledge.

Another such thought-leading initiative is the sharing of know-how and best practices. The 'Red Team: Adversarial Attack Simulation Exercises (AASE)' document is one such best practice paper which we will analyze in more detail. By providing this kind of guidance and thought-leadership on a national level, Singapore manages to let this culture, knowledge, and leadership trickle down into private companies big and small and thus improves the overall cyber security in Singapore.

Key Points of the Paper

The AASE paper provides succinct guidance on terminology, methodology and an overview of offensive security testing. Besides other great content, it provides guidance on two aspects of AASE:

Organizational Maturity & Which Attack Simulation To Run

The first major item is the description of different levels of organizational maturity and what kind of attack simulation is best suited for each. Different businesses have different levels of maturity and operational scale. At one end is the low-maturity organization with a limited number of systems and no prior experience in conducting attack simulation. Generally speaking, a tabletop exercise, a focus on the planning phase and familiarization with the concepts might be most important here. Medium-maturity organizations are probably the most common ones – they run ad-hoc attack simulations by hiring third parties whenever required. The recommendation is to run tests periodically. High-maturity organizations are recommended to align much more closely with the rest of the guidance provided in the AASE paper.

Different Forms of Attacks

The second major aspect is the differentiation between different forms of attack simulation. According to the paper, attacks come in three main forms: Adversarial Attack Simulation Exercises (AASE), Penetration Testing and Real Attacks. Interestingly enough, there is almost no mention of automated breach & attack simulation in the paper. It contains a reference to ‘Automated Attack Simulation’, but this appears to refer to attack path simulation tools whose goal is finding chains of vulnerabilities – rather than BAS tools that provide a continuous, automated method of testing detection & prevention capabilities against various techniques, tools & procedures (TTPs).

The main differences between AASE & Pentesting are the scope (wide vs. deep) and the use of physical or social engineering attacks (not commonly used in Pentesting). The main differences between AASE & Real Attacks are ethical considerations and the attack being time-bound in the case of AASE.

Where Does Breach & Attack Simulation Fit In?

While not making explicit reference to BAS, almost everything described as being good practice for AASE can be found with BAS tools. A few examples are:

  • The paper identifies that low-maturity organizations should spend more time on the planning phase and familiarize themselves with attack simulation. BAS provides the perfect platform for this, allowing users to learn about different TTPs and real-world attacks in their own time.
  • Medium-maturity organizations should generally move towards more periodic attack simulations. This is often prevented by Red Teams being expensive or by an AASE requiring a lot of organizational planning. Periodic or even continuous attack simulation is one of the main goals of BAS, which makes it another natural fit.
  • The AASE paper describes many guiding principles for high-maturity attack simulations. While BAS cannot provide social engineering or physical attacks, it helps with many of the demands detailed by the AASE paper:
    • Reduced impact on production systems, less risk. BAS is usually not deployed against production infrastructure.
    • Repeatable, high-quality attacks. The skill of human Red Teamers can vary greatly. BAS provides continuous, repeatable and reliable results as described in 6.4 of the AASE paper, 'Exercise Frequency'.
  • BAS is not meant to replace Red Teams – it can augment them greatly. As described in 7.1.4.3 of the AASE paper, the attacking team must be able to demonstrate expertise in selecting and using a large variety of TTPs. BAS can easily make those available and even allow a junior practitioner to use them.

Ultimately, BAS technology provides a natural fit for the requirements laid out in the AASE paper. AASE has a strong organizational aspect and goes well beyond simply running attack simulations. This is where BAS can provide huge improvements and cost savings for organizations – by offering the attacking & defending teams a common platform. A BAS tool such as Picus can be used during the planning phase of the Adversarial Attack Simulation Exercise to select the right attack scenario, TTPs and attack paths.

Picus can also help to improve the execution of the Adversarial Attack Simulation Exercises (AASE) – the repeatable execution of cyber-attacks should not be where the majority of human effort is spent during attack simulations. This can and should be automated via Breach and Attack Simulation (BAS) solutions so that humans can focus on planning and evaluating the attack results.

 
  • The AASE paper provides guidelines for the financial industry in Singapore on how to leverage offensive security methods like vulnerability scanning, penetration testing, and red teaming for security validation.
  • Singapore maintains its technological advantage through initiatives such as the national cyber security program and sharing of know-how and best practices, like the AASE document, to improve overall cyber security.
  • BAS tools provide a continuous, automated method of testing detection and prevention capabilities against various techniques, tools, and procedures (TTPs). They fit into offensive security testing by complementing red teaming exercises and providing cost-effective, repeatable simulations.
  • BAS tools allow low-maturity organizations to familiarize themselves with different TTPs and real-world attacks, providing a platform to learn and plan attack simulations without requiring extensive resources.
  • For medium-maturity organizations, BAS tools facilitate periodic or continuous attack simulations, overcoming the cost and planning challenges associated with red teaming and AASE.
  • High-maturity organizations can use BAS tools to enhance their attack simulations by providing automated, repeatable, and high-quality attack scenarios, aligning with the principles outlined in the AASE paper.
  • BAS technology automates the repeatable execution of cyber-attacks, allowing human teams to focus on planning and evaluating attack results, rather than spending excessive effort on execution.
