This blog post takes a deeper look at, and comments on, the paper 'Red Team: Adversarial Attack Simulation Exercises (AASE) – Guidelines for the Financial Industry in Singapore'. It was released in November 2018 by the Association of Banks in Singapore and – although targeting the financial industry in Singapore specifically – it also contains useful guidance on how to leverage various offensive security methods for security validation.
The AASE guidelines explain how and when to use methods such as vulnerability scanning, penetration testing, and red teaming. This blog post discusses where Breach and Attack Simulation (BAS) tools fit into this continuum.
Singapore – Leading Through Technological Advantage
There are probably more adversaries around in cyber space than ever before – nation-state attackers, financially motivated crime groups, hacktivists, cyber mercenaries and many others. Countries are under a constant barrage of cyber-attacks against their critical national infrastructure. Singapore has carved out a leading position in the East through the rapid adoption and widespread dissemination of advanced technology. This has made Singapore a target for many hostile nations and other threat actors.
Singapore has recognized the need for robust cyber security to maintain this technological advantage and its leading position. It is pushing its national cyber security program via different initiatives – e.g. the 2018 cyber security bill that allows national servicemen to spend part of their mandatory military service improving their cyber security knowledge.
Another such thought-leading initiative is the sharing of know-how and best practices. The 'Red Team: Adversarial Attack Simulation Exercises (AASE)' document is one such best practice paper which we will analyze in more detail. By providing this kind of guidance and thought-leadership on a national level, Singapore manages to let this culture, knowledge, and leadership trickle down into private companies big and small and thus improves the overall cyber security in Singapore.
Key Points of the Paper
The AASE paper provides succinct guidance on terminology, methodology and an overview of offensive security testing. Besides other great content, it provides guidance on two aspects of AASE:
Organizational Maturity & Which Attack Simulation To Run
The first major item is the description of different levels of organizational maturity and what kind of attack simulation is best suited for each. Different businesses have different levels of maturity and operational scale. At one end is the low-maturity organization with a limited number of systems and no prior experience in conducting attack simulation. Generally speaking, a tabletop exercise, a focus on the planning phase, and familiarization with the concepts might be most important here. Medium-maturity organizations are probably the most common ones – running ad-hoc attack simulations by hiring 3rd parties whenever required. The recommendation for them is to run tests periodically. High-maturity organizations are recommended to align much more closely with the rest of the guidance provided in the AASE paper.
Different Forms of Attacks
The second major aspect is the differentiation between different forms of attack simulation. According to the paper, attacks come in three main forms: Advanced Attack Simulation (AASE), Penetration Testing and Real Attacks. Interestingly enough, there is almost no mention of automated breach & attack simulation in the paper. It contains a reference to ‘Automated Attack Simulation’ but it appears to refer to attack path simulation tools with the goal of finding chains of vulnerabilities – rather than BAS tools that provide a continuous, automated method of testing detection & prevention capabilities against various techniques, tools & procedures (TTPs).
The main differences between AASE & Pentesting are the scope (wide vs. deep) and the use of physical or social engineering attacks (not commonly used in Pentesting). The main differences between AASE & Real Attacks are ethical considerations and the attack being time-bound in the case of AASE.
Where Does Breach & Attack Simulation Fit In?
While not making explicit reference to BAS, almost everything described as being good practice for AASE can be found with BAS tools. A few examples are:
- The paper identifies that low-maturity organizations should spend more time on the planning phase and familiarize themselves with attack simulation. BAS provides the perfect platform for this, allowing users to learn about different TTPs and real-world attacks in their own time.
- Medium-maturity organizations should generally move towards more periodic attack simulations. This is often prevented by Red Teams being expensive or by an AASE requiring a lot of organizational planning. Periodic or even continuous attack simulation is one of the main goals of BAS, making it another natural fit.
- The AASE paper describes many guiding principles for high-maturity attack simulations. While BAS cannot provide social engineering or physical attacks, it helps with many demands detailed by the AASE paper:
  - Reduced impact on production systems, less risk. BAS is usually not deployed against production infrastructure.
  - Repeatable, high-quality attacks. The skill of human Red Teamers can vary greatly. BAS provides continuous, repeatable and reliable results as described in 6.4 of the AASE paper, 'Exercise Frequency'.
  - BAS is not meant to replace Red Teams – it can augment them greatly. As described in 7.1.4.3 of the AASE paper, the attacking team must be able to demonstrate expertise in selecting and using a large variety of TTPs. BAS can easily make those available and even allow a junior practitioner to use them.
Ultimately, BAS technology provides a natural fit for the requirements laid out in the AASE paper. AASE has a strong organizational aspect and goes well beyond simply running attack simulations. This is where BAS can provide huge improvements and cost savings for organizations – by offering the attacking & defending teams a common platform. A BAS tool such as Picus can be used during the planning phase of the Advanced Attack Simulation Exercise to select the right attack scenario, TTPs and attack paths.
Picus can also help to improve the execution of the Adversarial Attack Simulation Exercises (AASE) – the repeatable execution of cyber-attacks should not be where the majority of human effort is spent during attack simulations. This can and should be automated via Breach and Attack Simulation (BAS) solutions so that humans can focus on planning and evaluating the attack results.