The playing field for a cyber attacker has never been more active than it is right now. There are more phishing campaigns, ransomware campaigns and fraud attempts targeting organizations of all sizes than ever before.
One of the main catalysts of this phenomenon is the Covid-19 pandemic and the ensuing explosion in work-from-home arrangements. The sudden need to adapt and expand business technology and communications for an unprecedented number of remote employees has led to massive growth in the use of collaboration platforms. For instance, the number of unique visitors to Zoom.us increased by 813 per cent year-over-year (May 2019 vs. May 2020) and the number of unique visitors to Microsoft Teams grew by 943 per cent in the same period. This unprecedented growth in the use of enterprise collaboration tools has provided fertile ground for cyber attackers, who take advantage of people who are using these platforms more often and, sometimes, for the first time. Bad actors exploit the fact that employees who are now working from home do not have the same security controls on their home networks and endpoint devices that would be in place in a corporate environment. In addition, over the years these collaboration tools, such as video conferencing and cloud storage platforms, were not the key focus of enterprise cybersecurity teams, which left them relatively unsecured.
Organizations are responding and actively looking for ways to check and improve their security posture, evaluate their gaps and vulnerabilities and make sure that their data, users and network are safe.
From Pentesting to BAS
Pentesting, a simulated cyberattack against an organization's systems performed by an authorized person in order to find vulnerabilities that a real attacker could exploit, is no longer considered a sufficient security assessment mechanism on its own. It is a point-in-time exercise: its findings describe the environment as it was during the engagement, and its attack scenarios are constructed by the testers rather than drawn from live attacks in the wild. This is one of the reasons organizations have begun to understand the value of Breach and Attack Simulation (BAS) tools, which provide an ongoing evaluation of an organization's security posture.
Even when an organization's security controls are correctly configured and working, there can still be weaknesses that a bad actor could exploit. BAS tools are designed to find these weaknesses so they can be addressed. They perform actions that closely mimic real threat scenarios to determine whether those actions are caught by the organization's security controls. The scenarios run the gamut from placing inert files that mimic malware (but are not dangerous to the system) onto a machine to find out whether the anti-malware tool catches them, to attempting to send data out through the firewall to see whether it is blocked. Each scenario ends in a recorded result: blocked, detected, or missed. These scenarios are just part of what BAS tools do to evaluate an organization's security posture.
The main advantage of BAS over pentesting is its ability to provide continuous, automated testing at limited risk, without harming the organization's environment. Pentesting, on the other hand, is labour-intensive, and each engagement has to be repeated from scratch.
BAS tools are also cheaper and more efficient than training an in-house red team or outsourcing one. In addition, BAS can run hundreds of tests a day, simulating attacks from different network segments and across multiple attack vectors.
BAS software is constantly improved and upgraded so that it can simulate attacks on new vulnerabilities, new attack patterns and new malicious files. It exposes weaknesses in IT infrastructure, systems, software and processes, and provides easy-to-read results showing the gaps in current defenses so that they can be closed.
BAS came into a security market that needed a new solution and carried a great deal of promise: simulating real attacks, updated according to attack trends and threat prevalence. No wonder the BAS market is growing rapidly, with an increasing number of vendors and products.
BAS isn’t perfect
However, by definition BAS solutions use simulated attacks and are therefore effective only to a certain extent. They simulate threats based on what they see in the wild, but the simulations are still not the actual attacks that bad actors set in motion. There is therefore always a lag between the moment a new attack technique is released and the moment it is implemented in BAS solutions.
Considering how quickly attackers change their methods, it is imperative to test security solutions against real threats that are live and wreaking havoc in the world today, not yesterday, in order to get a genuine picture of an organization's security posture. The quandary is that the highest risk for an organization occurs at the very moment a threat is released for the first time. A few hours later, your security solution will probably catch it, but by then there will already be new threats targeting your organization. This is a race, and it is about who is quickest. Because of this, there is a deep need for assessment tools that use real, live threats rather than old or simulated ones.
BAS next generation is here
That is why, although there is a great deal of hype around BAS, we are seeing a new generation of BAS solutions that will be the next big thing in security assessment. These solutions use the freshest in-the-wild malware and phishing threats to continuously test email defenses, enabling an organization to easily assess, in real time, how well it is protected against malware.
This new generation of BAS solutions, which some call BAS 2.0, continually sends real attacks of all types as they emerge from the wild, while keeping its monitoring non-intrusive. It provides a dashboard that is always up to date and shows not only which threats bypassed security and which were blocked, but also the organization's duration of exposure to each threat, i.e. the time from when the threat was delivered until it was detected or blocked (Time To Detect), which may be even more important than the detection rate or miss rate: a control that eventually catches everything but takes hours to do so still leaves a long window in which the threat can do damage.
In a way, BAS as we know it is just a phase on the way from pentesting to the real thing: continuous security assessment that constantly uses the attacks seen in the wild in real time (not a week, a day or even an hour ago). The question is when this leap will happen. The technology is there; will BAS vendors, MSPs, end users and other players adopt it soon?
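To make these dashboard metrics concrete, here is an added Python example (not BitDam's or any vendor's code, and not part of the original article) that scores a constructed BAS run. It also serves the scenario catalogue described under "From Pentesting to BAS": each record is one delivered test (an inert malware-like file on a host, a phishing mail, an outbound transfer through the firewall) with the time it was sent and the time a control caught it, or None for a miss. The summary reports detection and miss rates alongside Time To Detect, and charges an undetected threat the whole observation window so that a miss never appears as zero exposure. All threat labels, vectors and timestamps are constructed sample data.

```python
"""Scoring a Breach and Attack Simulation run: detection rate, miss rate and
Time To Detect (TTD).  Added illustration with constructed data; not vendor code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AttackResult:
    """One simulated attack delivered to a monitored target.

    `detected` is the moment a control blocked or alerted on it, or None if the
    threat was still undetected at the end of the observation window.
    """
    threat_id: str      # constructed label; a real tool would use a sample hash or campaign ID
    vector: str         # "email", "endpoint", "egress", ...
    sent: datetime
    detected: Optional[datetime]


def time_to_detect(r: AttackResult) -> Optional[timedelta]:
    """Exposure window for one threat, or None if it is still undetected."""
    if r.detected is None:
        return None
    if r.detected < r.sent:
        raise ValueError(f"{r.threat_id}: detection timestamp precedes delivery")
    return r.detected - r.sent


def exposure_seconds(r: AttackResult, now: datetime) -> float:
    """Seconds the organisation was (or still is) exposed to this threat.

    A miss is charged the full window up to `now`, so it can never look better
    than a slow detection.
    """
    ttd = time_to_detect(r)
    return (ttd if ttd is not None else now - r.sent).total_seconds()


def summarize(results: List[AttackResult], now: datetime) -> Dict[str, object]:
    """Dashboard-style summary of one run (rates plus TTD statistics)."""
    detected = [r for r in results if r.detected is not None]
    missed = [r for r in results if r.detected is None]
    ttds = [time_to_detect(r).total_seconds() for r in detected]
    total = len(results)
    return {
        "total": total,
        "detected": len(detected),
        "missed": len(missed),
        "detection_rate": len(detected) / total if total else 0.0,
        "miss_rate": len(missed) / total if total else 0.0,
        "ttd_median_s": median(ttds) if ttds else None,
        "ttd_mean_s": mean(ttds) if ttds else None,
        "ttd_max_s": max(ttds) if ttds else None,
        # still-open exposure for every miss, keyed by threat
        "open_exposure_s": {r.threat_id: exposure_seconds(r, now) for r in missed},
    }


def by_vector(results: List[AttackResult], now: datetime) -> Dict[str, Dict[str, object]]:
    """The same summary broken down per attack vector."""
    vectors = sorted({r.vector for r in results})
    return {v: summarize([r for r in results if r.vector == v], now) for v in vectors}


def worst_exposures(results: List[AttackResult], now: datetime, n: int = 3) -> List[str]:
    """Threat IDs ranked by exposure time, longest first; misses rank above slow catches."""
    ranked = sorted(results, key=lambda r: exposure_seconds(r, now), reverse=True)
    return [r.threat_id for r in ranked[:n]]


# Constructed sample run (not real telemetry). Window starts at 09:00.
T0 = datetime(2020, 9, 1, 9, 0, 0)
SAMPLE_RESULTS = [
    # inert malware-like attachment, caught by the mail gateway in 30 s
    AttackResult("email-malware-01", "email", T0, T0 + timedelta(seconds=30)),
    # phishing mail that sat in an inbox for two hours before an alert fired
    AttackResult("email-phish-02", "email", T0 + timedelta(minutes=5), T0 + timedelta(hours=2, minutes=5)),
    # inert dropper file written to a host; endpoint control never noticed it
    AttackResult("endpoint-dropper-03", "endpoint", T0 + timedelta(minutes=10), None),
    # outbound test transfer blocked by the firewall after 5 s
    AttackResult("egress-exfil-04", "egress", T0 + timedelta(minutes=20), T0 + timedelta(minutes=20, seconds=5)),
    AttackResult("email-malware-05", "email", T0 + timedelta(hours=1), T0 + timedelta(hours=1, seconds=10)),
]
NOW = T0 + timedelta(hours=3)   # end of the observation window, 12:00

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_RESULTS, NOW), indent=2))
    print(worst_exposures(SAMPLE_RESULTS, NOW))
```

With this data the detection rate is 80 per cent, yet the ranking puts the single miss first with almost three hours of exposure and the slow phishing detection second at two hours, while the median TTD (20 s) hides both. Reporting the rate alone would have made the run look much better than it was, which is the author's point about Time To Detect.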
Liron Barak, CEO, BitDam