Continuously test the integrity of potential attack pathways.
Breach and attack simulation (BAS) is the process by which a security operations center (SOC) stays vigilant about the security posture of the various pathways (or vectors) an attacker could use to compromise the enterprise network. Knowing the current strength of the organization's defenses can be the difference between repelling an attack and being breached.
According to Gartner®, "BAS tools enable organizations to gain a deeper understanding of security posture vulnerabilities by automating testing of threat vectors such as external and internal, lateral movement, and data exfiltration. BAS complements red teaming and penetration testing but cannot completely replace them."
That last point is critical, because it underlines the importance of using a comprehensive set of network integrity testing tools to maintain a security posture that can withstand the latest threats from sophisticated attackers. Cybersecurity providers commonly offer suites of attack-simulation tools, platforms, and services.
Incident response (IR) staff at these vendors typically run threat-simulation sessions built on the latest and most relevant breach scenarios to help their clients understand how a breach unfolds. This includes identifying key sources of evidence, conducting simulated communications, and providing post-simulation optimization recommendations.
BAS tools work by aligning to specific attacker tactics, techniques, and procedures (TTPs), so that an organization can run targeted simulations, determine how effective its response actions are against each TTP, and create or automate playbooks for those scenarios.
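The core of that loop is the validation step: each simulated TTP is mapped to the detection the SOC expects to see, and after the run the alert feed is checked for whether that detection fired and how quickly. The harness below is an added example written for this page, not code from any BAS vendor or from the original article. The ATT&CK technique IDs are real, but the simulation plan, the rule names, and the JSON-lines alert feed are constructed for the example; in a real BAS product the actions would be executed on endpoints, whereas here they are placeholders and the point is the scoring logic. It also shows the edge case a practitioner cares about: an alert that fires after the detection window closes is scored as a gap, not a success.

```python
"""Minimal BAS-style validation harness (added example, not a vendor tool).

Each simulated TTP is a benign placeholder action that carries the ATT&CK
technique it emulates and the alert the detection stack is expected to raise.
After the run, the alert feed (a constructed JSON-lines sample here) is checked
per technique for whether the alert fired and how long it took.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Simulation:
    technique: str        # ATT&CK technique ID the action emulates
    name: str             # human-readable description of the benign action
    expected_rule: str    # detection rule that should fire (assumed names)
    started_at: datetime  # when the simulated action was executed


@dataclass(frozen=True)
class Result:
    simulation: Simulation
    detected: bool
    time_to_detect: Optional[timedelta]  # None when no alert fired in the window


T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)

# Hypothetical simulation plan: three actions, each mapped to the rule the SOC
# is expected to raise. Rule names are assumptions made for this example.
PLAN = [
    Simulation("T1059.001", "encoded PowerShell launched from Office",
               "Suspicious Encoded PowerShell", T0),
    Simulation("T1053.005", "scheduled task created from user context",
               "Scheduled Task Creation", T0 + timedelta(minutes=5)),
    Simulation("T1048.003", "DNS TXT beacons to a test domain",
               "DNS Exfiltration Pattern", T0 + timedelta(minutes=10)),
]

# Constructed alert feed (JSON lines) standing in for a SIEM export.
# The T1053 alert arrives 40 minutes late; the T1048 alert never arrives.
ALERT_FEED = """\
{"id": "a-1", "rule": "Suspicious Encoded PowerShell", "host": "ws-17", "ts": "2024-03-01T09:02:30+00:00"}
{"id": "a-2", "rule": "Impossible Travel Login", "host": "-", "ts": "2024-03-01T09:04:00+00:00"}
{"id": "a-3", "rule": "Scheduled Task Creation", "host": "ws-17", "ts": "2024-03-01T09:45:00+00:00"}
"""


def parse_alerts(feed: str) -> list[dict]:
    """Parse one JSON object per line and convert the timestamp to datetime."""
    alerts = []
    for line in feed.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        alerts.append(rec)
    return alerts


def evaluate(plan, alerts, window=timedelta(minutes=15)):
    """Score each simulation: detected only if the expected rule fired inside the window."""
    results = []
    for sim in plan:
        deadline = sim.started_at + window
        matches = [a for a in alerts
                   if a["rule"] == sim.expected_rule
                   and sim.started_at <= a["ts"] <= deadline]
        if matches:
            first = min(matches, key=lambda a: a["ts"])
            results.append(Result(sim, True, first["ts"] - sim.started_at))
        else:
            results.append(Result(sim, False, None))
    return results


def summarize(results):
    """Coverage rate, mean time to detect, and the list of undetected techniques."""
    detected = [r for r in results if r.detected]
    mean_ttd = (sum(r.time_to_detect.total_seconds() for r in detected) / len(detected)
                if detected else None)
    return {
        "total": len(results),
        "detected": len(detected),
        "coverage": len(detected) / len(results) if results else 0.0,
        "mean_ttd_seconds": mean_ttd,
        "gaps": [r.simulation.technique for r in results if not r.detected],
    }


def run_report(plan=PLAN, feed=ALERT_FEED, window=timedelta(minutes=15)):
    results = evaluate(plan, parse_alerts(feed), window)
    return results, summarize(results)


if __name__ == "__main__":
    results, summary = run_report()
    for r in results:
        status = (f"detected in {int(r.time_to_detect.total_seconds())}s"
                  if r.detected else "NOT DETECTED in window")
        print(f"{r.simulation.technique:<10} {r.simulation.name:<45} {status}")
    print(summary)
```

With the default 15-minute window only the PowerShell simulation scores as detected; widening the window to an hour turns the late scheduled-task alert into a detection, which is exactly the kind of speed versus coverage trade-off a BAS report should make visible rather than hide. The list in `gaps` is the input for the playbook work the paragraph above describes: each undetected technique is a rule, log source, or response procedure still missing.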
Specifically, Gartner states that "automated validation using technology or service capabilities, such as breach and attack simulation (BAS), or automated penetration testing tools will:
From this we can infer that validation and speed may be the two most critical aspects of BAS and other attack-simulation tools. The latter aspect, speed, raises questions about workforce capabilities. Are the people who specialize in threat detection and response able to act effectively, eliminate the threat as far as possible, and limit its potential consequences?
BAS tools can help identify those gaps, to a degree, before the real thing inevitably occurs. No organization wants to be caught off guard without the skills to respond to an attack.
Of course, many security organizations simply don't have the luxury of closing those skill gaps, especially in a timely manner, hence the upward trend in adoption of managed security services providers (MSSPs).
BAS differs from other cybersecurity testing in that it is a more sophisticated assessment of a security organization's ability to withstand, and prevail against, an attack of equal or greater sophistication.
It can be difficult for security stakeholders to know which solution is best suited to testing their defenses and response readiness, so let's look at some of the differences between the major functionalities.
A vulnerability assessment scans an organization's entire network for vulnerabilities but does not attempt to exploit them. This is a core operation for security teams and is often the best way to get an initial picture of how exposed the network is to attack. After a vulnerability assessment, it is the organization's responsibility to decide how to prioritize and remediate.
While by no means a simple process, a penetration test (pentest) is performed by a cybersecurity firm to look specifically for vulnerabilities in a client's network, attempt to exploit them, and determine the overall risk to the organization. This process is an important part of a company's security controls and, ideally, motivates the organization to remediate every vulnerability found. It does not, however, automate a specific outside attacker strategy beyond the discovery of those vulnerabilities.
A Red Team attack simulation focuses on an organization's defense, detection, and response capabilities. Red team operators typically execute real-world adversary behaviors and commonly used TTPs so the organization can measure the effectiveness of its security program. The main difference between BAS and red teaming, however, is automation versus real people: BAS automates real-world attacker behavior, while red teams employ humans to carry out the simulated attacks.
Enterprises need BAS because their IT and security professionals should always know the current state and strength of their breach-response capabilities. In this day and age, SOCs need to consider more existential questions, such as:
The best way to get a thorough sense of where an IT and security organization's evasion, defense, and remediation capabilities stand is to perform a stress test, also known as breach and attack simulation.
Cybersecurity risk management programs can incorporate methodologies such as BAS, penetration testing, and red teaming so that the SOC can lower overall cyber risk and achieve a stronger security posture that is better able to withstand attacks.
Other techniques offer more finely tuned ways to test IR readiness. Honeypots, for example, can act as a lure for threat actors and as an important test of the SOC's readiness to deal with that threat.
Some testing methods are domain-specific, such as Internet of Things (IoT) security testing. From testing the actual hardware to penetration testing the device network, a company's IoT activities could also be brought into the scope of an attack simulation.
In addition to lowering cyber risk, what are some of the major benefits of the transparency BAS provides? Let's look beyond the network itself.
Understanding the current state of network vulnerabilities and weaknesses can help reduce current and future security complexity, so that business as usual, rather than the security emergency, becomes the norm.