25 October 2023
Market trends

BAS versus Red Team : how attack simulation alters the landscape

Publié par Arnaud Le Men

To avoid any misunderstanding, it is not the intention here to advocate against Red Teams; quite the contrary. Erium has excellent Red Team partners. Red Team operations continue to serve as a benchmark for exposing businesses to the reality of cyber risk. However, the emerging methods of continuous SecOps enhancement through Breach & Attack Simulation solutions are increasingly challenging traditional Red Team approaches. But why?

BAS highlights the vulnerabilities that Red Teams exploit

The two approaches have different end goals.

The Red Team follows a path of compromise known as the “path of least resistance”: spending as little time as possible on the targeted infrastructure, leaving minimal traces, taking the shortest route, limiting movements, and so on.

By achieving its objective, it highlights very targeted and localized vulnerabilities that will subsequently be addressed. The BAS solution explores all conceivable paths, generating various levels of noise with the primary objective of verifying that what should be detected is indeed detected and effectively addressed by cyber teams.

In the process, the simulations produced by BAS highlight numerous failures, sometimes isolated, often overlooked, and easy to rectify. Here are a few examples:

Regarding detection:

  • Failures or gaps in log collection and forwarding services (missing or faulty Syslog)
  • Limitations in log strategy (log type, retention period, etc.)
  • Misconfigurations in SIEM correlation scenario settings (inappropriate or inactive rules)
  • Failure to detect a specific action by an EDR that should have detected it
  • Failure or absence of alerts from detection consoles (SIEM, EDR, etc.)
  • Obsolescence of CTI data (reactivation of a known C&C)
  • Limitations related to alert thresholds for specific events (at what point, in terms of packets, ports, or targeted IPs, is a scan considered abnormal?)
  • Presence of unnecessary and/or vulnerable open services
  • Failure to detect data leakage by a Data Leak Detection service

Regarding response:

  • Application errors in severity qualification event processes
  • Delays in exporting or retrieving logs required for an investigation
  • Limitations on access provided to analysts for their investigations
  • Coordination of alert sharing between internal teams and the MSSP (Managed Security Service Provider)
  • Coordination between security teams and IT teams to neutralize or contain the threat (network isolation of the source, disconnecting a malicious device, etc.)

BAS throws a wrench into the Red Team’s work

One of the benefits of Breach and Attack Simulation solutions is the training of defense teams (Blue Team). The more they face increasingly complex simulations, the more detection mechanisms will be optimized, the more effective the defenders’ processes and reflexes will become, and the faster and more relevant their investigations will be.

In summary, BAS will not replace Red Teams but will drive them to be better.

BAS = Panoramic Photo and Red Team = Photo with 24x Zoom

A well-executed Red Team is an undetected Red Team. And this result is what is reported: “if a highly skilled, well-organized attacker takes their time to target you, they will eventually succeed.”

This is a strong message, but it is becoming less audible to CEOs and auditors. Repeated for years, this message is well understood and absorbed. The proof: cybersecurity budgets increase every year, and technological components continue to stack up.

The question now being asked is about the real and overall effectiveness of these measures and investments. Since the Red Team focuses on a specific and well-defined path, it cannot provide this comprehensive picture. BAS and its more “massive” approach offer a response to this new question.

To measure, you need a precise rule

The concepts of measurement and ranking are increasingly prominent in assessing cybersecurity performance within organizations.

To measure the evolution of cybersecurity maturity, you need a baseline reference point that serves as a standard for comparison. In the realm of IT, comparison relies on precise and replicable technical criteria and actions. It’s crucial to compare apples to apples.

Consider a real-life scenario:

During an attack simulation, the SOC doesn’t detect the 3 persistence tactics automatically executed by the BAS. Upon analysis, it becomes apparent that the detection scenario is not correctly configured. This can happen, and the MSSP corrects it. A second test a few weeks later, the BAS replays the exact same technical event (flow, source, target, time, sequencing, etc.). This time, the scenario triggers an alert. Bingo! The scenario is then automatically retested periodically. This is done to verify that there is no regression, for continuous monitoring and assurance of ongoing compliance.

To conclude

If there’s one piece of advice to take away: if you’re considering mobilizing a Red Team, do it in environments where BAS solutions indicate that you excel.

It is in these specific contexts and environments that the human touch of a Red Team will bring you the most interesting results.

In this regard, BAS and Red Teams are unquestionably complementary and will remain so for a long time.