Canadian Bacon Series: Penetration Testing vs. Breach Attack Simulation
Building a Defensible Security Architecture
Recently, during my session at Vancouver International Security and Privacy Summit, I focused on building a resilient defensible architecture while elevating our defensive capabilities. One question that came up was, “What is the difference between Penetration Testing and Breach Attack Simulation?”
Well, both have a ton of value although and during the session I focused on Breach Attack Simulation (BAS) as a continuous proactive approach when evaluating your overall security capabilities. That said, lets break this down to highlight the differences between the two and of note one does not replace the other.
Methodology
Penetration Testing: Usually, a manual process where the penetration tester will simulate cyberattacks to identify weaknesses in your overall security posture. This will includes identifying vulnerabilities (weaknesses) in systems, networks, applications, and even people. Skilled professionals will test a variety of opportunities that the adversary will take advantage of such as social engineering, physical security breaches, and application-level attacks. This tends to be done once or twice a year and is typically point in time. Penetration testing provides a ton of value but becomes stale the moment it is complete.
Breach Attack Simulation: BAS tends to be an automated process that leverages software (agents) to simulate a wide range of attacks to identify potential weaknesses in your security posture. These tests help to identify potential vulnerabilities and gaps in overall coverage both prevention and detection. Tests tend to run continuously or at scheduled intervals and helps the organization stay ahead of the adversary.
Scope and Focus
Penetration Testing: Penetration testing tends to be more targeted and focuses on specific systems or applications and can be performed with or without the defender’s knowledge. Penetration testers might be looking for vulnerabilities in new software / service ideally before the service goes to live and is accessible. These tests tend to be very point and time.
Breach Attack Simulation: BAS tends to be broader in scope and aims to simulate real-world attack vectors on a continuous basis across a larger portion of the organization’s environment. This helps in identifying systemic weaknesses including items such as changes that introduce deficiencies in one’s controls over time.
Objective and Results
Penetration Testing: Pen Testers mission is to discover high risk gaps such as vulnerabilities that can be exploited. The goal is to demonstrate how they might be leveraged by an attacker. The exercise provides a detailed report describing the findings and provides remediation advice such as patching or virtual patching a system to remove the risk.
Breach Attack Simulation: BAS goal is to scrutinize one’s security controls on a constant basis. This provides deep insight into the organization’s defensive posture on an ongoing basis which allows for a more of an immediate adjustment to one’s defensive capabilities reducing risk continuously and consistently.
Frequency
Penetration Testing: As mentioned, this is typically performed annually and even biannually. Organizations tend to contract a third party which are highly specialized teams providing external perspective of the current posture in place.
Breach Attack Simulation: BAS runs on a constant basis with higher frequency, such as daily or weekly. BAS being automated doesn’t require the same level of human effort that is required with pen testing. Teams become more agile when testing and can test against the latest threats or tactics driving a prescriptive based outcome to improve defenses.
Complexity and Detail
Penetration Testing: Higher in complexity but may be more comprehensive exercise that can be tailored to the organization’s specific needs. This requires highly skilled professionals that can mimic the adversary in both sophistication and ability.
Breach Attack Simulation: BAS may not cover the same level of complexity and creativity augmented by human intelligence found in pen testing but does provide an effective way to reduce risk on a continuous basis.
Cost
Penetration Testing: Pen Testers do come with a cost due to the specific nuance they address and the skills they provide during the exercise. This is why pen testing is performed once or twice a year.
Breach Attack Simulation: BAS does come with a cost but once installed they tend to lower overall operational costs due to automation. BAS also provides continuous improvement in your overall security posture.
Customization
Penetration Testing: Extremely customizable to meet he needs of the organization. Pen testers can be very sophisticated, agile, and creative providing highly valuable results that may get missed with BAS testing alone.
Breach Attack Simulation: BAS does provide a level of customization but tend to be less customizable in comparison as our human-led pen testers.
Pen Testing and Breach Attack Simulation help improve one’s overall security posture and overall cyber resilience while helping reduce the blast radius. Its not one or the other but a combination of both strategies that can provide a more comprehensive view of your ability to defend (prevent or detect)
Remember, although we want to prevent 100% of bad 100% of the time it’s a loosing battle. Assume breach and build a defensive architecture that allows the business to maintain operations regardless of whether a breach occurs. Detection is key and a minimum in everything defenders do.
Tags:
