8 comments

[ 4.9 ms ] story [ 34.8 ms ] thread
In recent years, more and more providers of Breach and Attack Simulation platforms have emerged. This technological revolution might change the way that companies analyze their security status.
(comment deleted)
The beginning of the article, coupled with what I know of security testing triggered my PR-fluff detectors.

The problem with these automated "agents", just call them scanners, is that they only test for known threats. Just as your vulnerability scanner du jour.

Sometimes an attacker does not need more than a flaw discovered and patched 2 years ago. Regularly I still see important systems in my customers' networks vulnerable to MS17-10. But that is covered completely by vulnerability scanning.

What does this supposedly bring to the table? Blue team training? Network detection validation and tests?

If you are a financial institution the groups that want to target you include sophisticated and determined attackers. They will have techniques not adequately covered by these systems. Or they will just invent a new technique. You don't hamstring these operators by endlessly re-sending their C2's traffic through your network sensors! (Or so I keep telling people rabidly interested in "actor emulation"). They are not stupid, they'll just invent a new technique...

Secondly, holes in your monitoring correlate with holes in your preventive security. You can hardly monitor for an exploit you don't know exists. You can't 'simulate' an attacker living of the land.

Thanks for your comment! BAS is for sure not the silver bullet. But what other means do large organisations have to validate their security controls? I think BAS is not better than a team of penetration testers, but it is better than penetration testing.
That is an invalid argument. The presence or absence of other means of validating security controls does not affect whether BAS constitutes a means of validating security controls. Justifying a solution because: "What else are you going to do?" is similar to justifying the use of rhino horn as an aphrodisiac prior to the invention of Viagra because: "What else are you going to do? Nothing else is known to work."

The only thing that justifies a validation scheme is its ability to provide an accurate quantitative assessment of the thing being measured that can be translated into business value. In the case of security, this would usually be a quantitative assessment of your security relative to a threat model and actionable information that allows either a more accurate assessment of underlying risk or an indication of where to deploy resources or how to deploy them more effectively.

Personally, even if I accept your claim that it is better than a penetration test and less than a team of penetration testers I do not see how this is very useful. Any substantial threat to a commercial entity can easily round up enough resources to be comparable to a team of penetration testers. As essentially any moderately competent team of penetration testers can completely compromise any commercial entity, the actionable information gained from penetration tests on most commercial systems is: "Your system is hopelessly insecure against substantial threats.". Therefore, inserting another level of threat competence below that allowing you determine if you are "hopelessly insecure against insubstantial threats" vs "hopelessly insecure against substantial threats" is not particularly helpful. It would be like testing bulletproof vests against BB-guns, even if it succeeds, it does not tell you anything useful about its effectiveness against the actual threat.

I see you’re quite the nihilist when it comes to computer security. But for your information, there are a lot of people in the corporate and government world that think computer security works like a bank. Unfortunately for us, many of those people are running the show, and too wealthy to care about learning about the details; that’s our job. So ultimately this so that they can feel save at night knowing they’ve covered their ass from negligence. This is why things like NIST-171-800 exist and this tool would be helpful for mandatory practices required to do business
I don't see how that's a nihilist attitude. It's the truth. At this point in time, and since the rise of the internet, no computer system has been completely secure. Things will change for the better over time, but not if we placate the people "running the show".

I assume from your comment that you to think that "covering ass" adds value to security, it does not. Because if you, like me, judge this product as being redundant, then what value is truly added? What if a competent team of pentesters is rejected and favor of this tool? Then you made the world less secure. An organization not competent enough to run a security scanner will certainly not see the benefit of this product.

The current status in cyber security is that of safety in engineering three centuries ago: "This bridge is secure because we walked two oxen over it, and it did not collapse.".

"Our bank is secure, because no hacker has stolen our funds yet."

Well until you start signing everyone's paychecks, we have to live by other peoples rules.