Double Your Threat Blocking in 90 Days
By Picus Labs • October 19, 2023, 11 min read
In our previous blog titled “Security Posture”, we introduced the concept of security posture, its key components, and offered suggestions on how to strengthen and continuously monitor it.
In this blog, we'll delve into the significance of organizations consistently evaluating their security posture in the face of both known and emerging threats. A security posture assessment practice encompasses more than just testing the effectiveness of perimeter/preventative security measures. It also examines cloud security configurations, internal defenses against lateral movements, and the robustness of detection rules, reflecting the overall health and effectiveness of an organization's detection mechanisms. In essence, posture assessment is a multi-faceted practice that spans multiple layers.
Security posture assessment is a comprehensive evaluation of an organization's security strategies, controls, and defenses to identify vulnerabilities, weaknesses, and risks. It involves analyzing the effectiveness of current security measures, procedures, and policies against a set of predefined criteria or best practices.
The goal of this assessment is to determine the organization's ability to protect its assets, data, and operations from cyber threats and to recommend improvements to bolster its cybersecurity resilience. By pinpointing gaps in security controls and potential areas of exposure, organizations can make informed decisions to enhance their overall security posture and reduce the likelihood of successful cyberattacks.
The importance of cyber security posture assessment in today's digital landscape cannot be overstated. As the cyber threat environment becomes increasingly sophisticated and the digital footprints of organizations expand, understanding and strengthening an organization's security posture is pivotal.
Here are some of the primary reasons why cyber security posture assessment is so crucial:
Risk Management: By identifying vulnerabilities, weaknesses, and emerging threats, organizations can better prioritize risks and allocate resources efficiently, ensuring the most business-critical vulnerabilities are addressed promptly.
Regulatory Compliance: Many industries are governed by rigorous cybersecurity standards. Regular cyber security posture assessments ensure ongoing compliance, minimizing the risk of legal issues and potential penalties.
Building Stakeholder Confidence: Continuously committing to cyber security posture assessments underscores an organization's dedication to maintaining robust security standards, which can bolster trust among customers, partners, and investors.
Minimizing Financial Impact: Proactive assessment strategies can help avert expensive security breaches, thus reducing potential penalties, costs of remediation, and losses in business operations.
Staying Updated with Threat Landscape: The cyber threat landscape is in constant flux. Routine cyber security posture assessments ensure that an organization's defenses remain updated and effective against newly emerging threats.
Optimized Security Investments: Cyber security posture assessments provide valuable insights into the efficacy of established security measures, guiding more informed decisions regarding future investments and necessary recalibrations.
Promoting a Security-centric Culture: The regularity of cyber security posture assessments accentuates the paramount importance of cybersecurity across all echelons of the organization, nurturing a culture that emphasizes and embodies secure practices.
Enhanced Incident Response: Recognizing potential vulnerabilities and weak spots facilitates the development of a more tailored and efficient incident response strategy, ensuring timely and decisive actions during security infractions.
One of the most common mistakes done by organizations is to assume their security posture, rather than relying on a data-driven picture of its point-of-view state. Assumptions may lead organizations into a reactive state, rather than being proactive. This results in taking actions only after a cyber incident happens, often resulting in data, money and reputation lost.
As Picus Security, we are proud to introduce our Complete Security Control Validation Platform.
With its four modules,
addresses the various components of an organization's overall security posture, identifies and validates vulnerable points, and provides actionable insights along with mitigation suggestions.
In this blog, we'll discuss how organizations can utilize the Security Control Validation (SCV) and Cloud Security Validation (CSV) modules to perform security posture assessment in a manner that mirrors real-life attack scenarios.
However, for a more in-depth understanding of the Detection Rule Validation (DRV) and Attack Path Validation (APV) modules, and how they address the gaps in your security posture, visit the following resources.
Detection Rule Validation (DRV) is a cybersecurity process of continuously testing, evaluating and fine-tuning detection contents used in defense solutions like SIEM, EDR, and XDR. Organizations can benefit from Detection Rule Validation to improve their security posture by ensuring that their detection rules are working as accurately and effectively as intended.
Detection Rule Validation is an integral part of any organization's cybersecurity strategy as it enhances the overall security posture of an organization. By allowing security teams to assess the effectiveness of their detection rules, organizations can decrease the cost of developing and running detection contents and ensure that they can detect and respond to threats quickly and efficiently.
Automated Red Teaming with Attack Path Validation:
Attack Path Validation (APV) is a cybersecurity approach that proactively simulates and analyzes potential business-critical attack paths within an organization's network. In doing so, APV aids in assessing an organization's security posture against insider threats and sophisticated lateral movement attacks. It highlights vulnerabilities and weak points that malicious actors might exploit, offering a graphical visibility into the attack paths leading to an organization's crown jewels. This enables organizations to enhance their defenses against these advanced threats.
The Security Control Validation (SCV) module operates on the principle of Breach and Attack Simulation (BAS). This approach offers organizations a methodical way to assess their security posture. By leveraging BAS, the effectiveness of existing security solutions is evaluated, giving organizations data-driven insights into how robustly their security measures counteract potential cyber threats.
Essential to the efficacy of BAS is the utilization of realistic attack simulations, which draw from an exhaustive and continually updated threat library. Picus' SCV module is enriched by this Threat Library, ensuring that the security posture assessment remains relevant and comprehensive, even in the face of the newest threats emerging in real-time environments.
Figure 1. Picus Threat Library for Security Posture Assessment
As of October 2023, the Picus Threat Library boasts close to 5,000 threats. Collectively, these encompass almost 22,000 distinct attack actions. This number grows daily, thanks to the dedicated Red Team engineers who enrich the library with cyber threat intelligence (CTI) sourced from a variety of platforms, databases, and forums. Organizations aiming to assess their security posture against specific threats – be they threat actors, ransomware, malware, or Advanced Persistent Threat (APT) campaigns – can easily input their queries into the search bar, as depicted in the figure.
Security professionals seeking to conduct regular security posture assessments, without the hassle of selecting individual threats each time, can opt to execute ready-to-run attack templates. These templates are tailored to address various scenarios.
For instance, to assess security posture against emerging ransomware attack campaigns, organizations can select specific attack templates. These templates are perpetually refreshed and overseen by a dedicated team to ensure relevancy and effectiveness.
Figure 2. Security Posture Management Ready-to-Run Threat Templates against Ransomware
Upon selecting the desired template, configuring the agent, and finalizing the settings, users are presented with an in-depth report detailing their security posture assessment. For illustrative purposes, consider the subsequent example which showcases the results from a specific simulation. In this scenario, the security posture of a host is rigorously assessed in relation to its vulnerability to the Ivanti Sentry remote code execution (RCE) exploit, referenced as CVE-2023-38025.
Figure 3. Assessing the Security Posture of an Organization Against a Particular Threat with Picus SCV
Upon examining the report generated after the simulation, it becomes evident that the implemented preventive layer solutions were unsuccessful in thwarting the attack. The attacker's objectives were realized. However, it's noteworthy that the detection layer solutions succeeded in logging the attack. This aspect is crucial. In the event of an actual attack, understanding the attack paths, along with the tactics, techniques, and procedures employed by the attacker, proves invaluable. Such insights facilitate effective post-compromise and mitigation activities.
Figure 4. Simulation Results of an Attack Simulation with Picus Security Control Validation Module
After a security posture assessment against a certain threat is completed, customers are not left to wonder, confused about what to do next. In fact, the Picus Security Control Validation platform is one of the leading and sophisticated platforms that provide the most comprehensive aid, offering both vendor-based and generic mitigation for the threats. After a certain threat is included in the Picus threat library, our dedicated blue team engineers collect various vendor-based mitigation signatures from multiple vendors, who are affected by the corresponding threat.
Figure 5. Vendor-based Detection Rules by Picus Security Control Validation Platform
Beyond individual simulations and their respective reports, the platform offers an overarching view of both prevention and detection scores. These scores are derived from the cumulative results of all simulations executed by the host. Consequently, organizations gain a more transparent perspective of their security posture.
Figure 6. Overall Prevention and Detection Scores of an Arbitrary Host
Here is the information how the prevention and detection layer scores are calculated by the platform,
This metric reflects the effectiveness of preventive measures in relation to the attacker's objectives across all threats.
For example, out of a total of 50 attacker objectives (with 30 achieved and 20 thwarted), the prevention score would be 40%.
This score provides an assessment of the platform's detection capabilities. It's formulated by equally weighing log and alert analyses.
Consider a scenario where there are 50 completed threats: 20 are logged (with 30 unlogged) and 10 trigger alerts (with 40 going unalerted). In this context, the detection score would stand at 30%.
The Security Control Validation (SCV) platform by Picus provides organizations with an invaluable tool to holistically assess their security posture. Leveraging the Breach and Attack Simulation (BAS) methodology, organizations gain a methodical approach to evaluating their defensive measures, powered by the extensive Picus Threat Library. With its user-centric features like ready-to-run attack templates, detailed report generation, and transparent prevention and detection scores, the platform ensures a comprehensive security assessment. In essence, Picus' SCV platform empowers organizations with the insights and tools needed to continually enhance their cybersecurity resilience against a rapidly evolving threat landscape.
As Picus Security, we are proud to introduce our naive Cloud Security Validation module, as part of our Complete Security Control Validation platform.
In the following sections, we are going to explain how the Picus Cloud Security Validation module helps organizations to assess their cloud security posture with the following practices.
Auditing Essential AWS Services
Uncovering Privilege Escalation Scenarios
Simulating Cloud-Specific Attacks
Each validation practice is provided with a deeper explanation.
Picus Cloud Security Validation module offers an in-depth assessment tailored for AWS environments. Rather than following traditional cloud security audit protocols, Picus conducts comprehensive scans across 14 key AWS services. This methodological approach aids in the early identification of:
IAM roles and access keys with extended privileges.
Publicly accessible S3 buckets.
Resources that remain unused and may need de-provisioning.
Detected cryptographic vulnerabilities.
By leveraging the insights provided by Picus, organizations can have a clear perspective on their cloud security posture. The real-time data and findings facilitate informed decision-making processes, guiding enterprises toward an improved cloud security posture and ensuring the mitigation of potential security risks before they manifest into significant incidents.
Figure 7. Scanning 14 Core AWS Services like Amazon IAM, Amazon S3 with Picus Cloud Security Validation Module
In AWS environments, an essential component of security posture assessment is understanding potential privilege escalation threats. Once attackers gain initial access, their subsequent step is often to escalate their privileges to access critical systems.
The Picus Cloud Security Validation module systematically gathers and assesses AWS resources, focusing on misconfigured IAM policies that can act as vectors for privilege escalation. By pinpointing these vulnerabilities, the module offers an accurate evaluation, facilitating prompt remediation and strengthening the overall security posture against such escalation tactics.
The Picus Cloud Security Validation platform, as shown in the provided figure, allows organizations to run simulations to assess their security posture against cloud-specific threats. By examining AWS IAM policies, the tool identifies privilege escalation scenarios due to misconfigurations.
Figure 8. Cloud Attack Simulation with Picus Cloud Security Validation (CSV) Platform
During the attack simulation, the module uses temporary users, ensuring that existing users and permissions are unaffected. After the simulation, all changes are rolled back, maintaining operational consistency. This approach offers organizations a clear view of potential vulnerabilities while ensuring their systems remain stable.
 S. Abbasi, "CVE-2023-4911: Looney Tunables - Local Privilege Escalation in the glibc's ld.so," Qualys Security Blog, Oct. 03, 2023. Available: https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so. [Accessed: Oct. 11, 2023]
Understand the 4 trade-offs limiting security teams in managing their organization's threat exposure.