According to the 2020 IDG Cloud Computing Survey, around 93 percent of enterprises are already using cloud computing in some form. Enterprises are moving to the cloud because of the significant benefits of not buying on-prem hardware and not paying for software that an internal IT team has to maintain.
Inevitably, though, many organizations get so caught up in the expected benefits of the cloud that they pay less attention to their security needs. After all, numerous articles online repeatedly point out how the cloud can be safer for data than an on-prem setup.
Cloud environments require solid security against various threats, including data loss, ransomware, accidental credential exposure, poor incident response, weak data sovereignty or residency control, and privacy or confidentiality breaches.
A study released in early 2021 revealed a surge in attacks against cloud users mainly driven by many businesses going online and employees working from home. To ensure superior cloud security, it’s not enough for organizations to have security controls in place. Proper security testing is also a must.
Breach and attack simulation
One of the best approaches in security testing is to deploy breach and attack simulation (BAS). As the phrase suggests, it is about simulating breach and attack instances to determine if the cyber defenses provide adequate protection.
No cybersecurity posture can ever be perfect, so it is crucial to subject an organization’s security controls to testing to spot weaknesses and implement the needed improvements.
Sometimes, security testing concludes that the security controls are working the way they were designed without revealing other weaknesses that bad actors can exploit to gain access to a device or network. Also, cyber attacks evolve rapidly, so an attack that is blocked today may no longer be detected and prevented at some future time.
BAS simulates real-world threats or attacks to validate the effectiveness of existing security controls. It runs sets of complex attack scenarios to find vulnerabilities, defects, and other issues exhaustively.
For example, the various methods of penetrating the firewall or the WAF are attempted until the testers are satisfied that there are no viable methods of bypassing defenses. Several vectors are considered. If penetration occurs, corrections or reconfigurations are undertaken in the security controls.
Securing cloud environments and where BAS fits in
In an analysis article for CSO Online, tech journalists Fahmida Rashid and James Martin laid out security controls deemed compulsory for all organizations. They are as follows:
- Knowing responsibilities: Many cloud providers or SaaS solutions tout various benefits, particularly the zero need for configuration and maintenance. This makes many organizations lax about their security. It is critical to clarify the cloud provider's and the organization's respective responsibilities so that the right security controls and measures are in place and the right people take charge of cloud security.
- Controlling access: Access is a double-edged sword for cloud environments: easy access is what makes the cloud convenient and a better option for many, but it is also its biggest vulnerability. Poorly handled permissions and access controls can single-handedly cause an entire organization's cloud environment to collapse.
- Protecting data: Many still avoid using encryption when using the cloud. Even the Pentagon was criticized at some point because of their inadequate data protection standards, leading former Center for 21st Century Security and Intelligence Director Peter Singer to note back in 2009 that “Hollywood security is better than Pentagon’s.”
- Securing credentials: Predictable passwords, poor secrets storage, and other bad habits involving credentials are among the top threats in cloud security. Ensuring that credentials do not fall into the wrong hands or become accessible to unauthorized parties is a must for every organization.
- Ensuring cybersecurity hygiene: An organization’s hardware and software should be properly secured by implementing best practices across the board.
- Improving security visibility: Cloud users need to take full advantage of logging and monitoring functions to have a good glimpse of all security concerns in an organization.
- Adopting a shift-left approach to security: This is about incorporating security measures in the early stages of application or system development instead of making security a penultimate or final consideration.
So, where does breach and attack simulation figure in all of these? Essentially, BAS serves as the catalyst in fortifying these security controls. The simulations conducted with BAS help identify technical issues in the entire cybersecurity system.
Still, they can also reveal problems that are often considered "administrative" or only indirectly related to an organization's security posture, and are therefore ignored.
BAS helps reveal vulnerabilities in threat detection and monitoring processes that hinder the early detection of, and prompt response to, ongoing or potential attacks. The simulations can also include executing files so that behavior-based detection systems can scrutinize them and determine whether they are benign, potentially harmful, or anomalous.
Some would argue that BAS is limited by the security controls an organization already has: if an organization has only minimal controls that do the minimum expected of them, the BAS test results would still come back positive.
This is not the case, though. BAS undertakes a comprehensive review of an organization’s security posture, not individualized assessments of existing security controls. It can show if an organization needs more controls implemented and changes or improvements in policies and procedures.
Utilizing threat intelligence for more effective security validation
For BAS to work effectively, it requires a dependable source for threat intelligence. Many BAS solution providers readily provide a regularly updated cyber threat intelligence repository to ensure that all of the most recent threats and attacks are covered.
Many also take advantage of MITRE ATT&CK, a comprehensive knowledge base of adversary techniques and tactics based on real-world observations.
The operationalization of the MITRE ATT&CK framework significantly enhances the ability of BAS to test the effectiveness of security controls.
It helps in detecting problems before they are exploited by cybercriminals and improving cyber defenses continuously in response to the newest threat intelligence gathered and analyzed by the framework and the security provider running the BAS function.
In other words, BAS helps organizations validate their security without having to develop their own sophisticated testing system or build their own vast body of cybersecurity knowledge.
It is also worth noting that BAS is designed to run repeatedly and can be automated to ensure that organizations are protected periodically and continuously. The simulations run in the background, so organizations proceed with their operations smoothly and without interruption while constant security validation keeps everything in check.
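To make the validation loop concrete, here is a small BAS-style harness written as an added example for this article; it is not code from the article or from any BAS vendor. It replays constructed telemetry for a few simulated cloud scenarios (credential guessing, a bucket made public, a root sign-in without MFA, an unexpected access-key creation) through simple detection rules, tags each scenario with the ATT&CK technique ID it is assumed to map to (T1110, T1530, T1078, T1098 are real technique IDs; the mapping to these toy scenarios is an assumption), and reports coverage. It also compares two runs to surface the detection drift described above, where something caught today is missed after a rule is retuned. All event data, rule names and thresholds are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Scenario:
    """One simulated adversary action and the alert the control should raise."""
    technique: str      # ATT&CK technique ID the scenario is assumed to map to
    name: str
    events: list        # constructed telemetry the simulated action would leave behind
    expected_alert: str


def login(user, result, src, mfa=True):
    """Build a constructed console/API sign-in event."""
    return {"type": "login", "user": user, "result": result, "src": src, "mfa": mfa}


# --- detection rules: each takes the event list and returns the set of alert names it raises

def rule_brute_force(events, threshold=5):
    """Flag a source IP with at least `threshold` failed logins (credential guessing)."""
    failures = Counter(e["src"] for e in events
                       if e["type"] == "login" and e["result"] == "fail")
    return {"brute_force"} if any(n >= threshold for n in failures.values()) else set()


def rule_public_bucket(events):
    """Flag a storage ACL change that grants access to everyone."""
    exposed = any(e["type"] == "acl_change" and e["grantee"] == "AllUsers" for e in events)
    return {"bucket_made_public"} if exposed else set()


def rule_root_login_without_mfa(events):
    """Flag a successful root/owner sign-in that did not present MFA."""
    hit = any(e["type"] == "login" and e["result"] == "ok"
              and e["user"] == "root" and not e["mfa"] for e in events)
    return {"root_login_without_mfa"} if hit else set()


RULES = [rule_brute_force, rule_public_bucket, rule_root_login_without_mfa]

# --- constructed scenarios: the "attack library" a BAS run replays (addresses are documentation ranges)

SCENARIOS = [
    Scenario("T1110", "credential guessing against the console",
             [login("alice", "fail", "198.51.100.7") for _ in range(6)], "brute_force"),
    Scenario("T1530", "storage bucket made world-readable",
             [{"type": "acl_change", "bucket": "finance-exports", "grantee": "AllUsers"}],
             "bucket_made_public"),
    Scenario("T1078", "root account used interactively without MFA",
             [login("root", "ok", "203.0.113.9", mfa=False)], "root_login_without_mfa"),
    Scenario("T1098", "new access key created for a service account",
             [{"type": "key_create", "user": "svc-backup", "src": "203.0.113.9"}],
             "unexpected_key_creation"),   # no rule covers this: expected to show up as a miss
]


def run_simulation(scenarios, rules):
    """Replay each scenario through every rule and record whether the expected alert fired."""
    results = {}
    for s in scenarios:
        raised = set()
        for rule in rules:
            raised |= rule(s.events)
        results[s.technique] = {"name": s.name,
                                "detected": s.expected_alert in raised,
                                "alerts": sorted(raised)}
    return results


def coverage_report(results):
    """Summarise detected vs. missed techniques, as a BAS dashboard would."""
    detected = sorted(t for t, r in results.items() if r["detected"])
    missed = sorted(t for t, r in results.items() if not r["detected"])
    return {"detected": detected, "missed": missed,
            "coverage": len(detected) / len(results) if results else 0.0}


def regressions(previous, current):
    """Techniques detected in an earlier run but missed now (detection drift between runs)."""
    return sorted(t for t, r in current.items()
                  if not r["detected"] and previous.get(t, {}).get("detected"))


if __name__ == "__main__":
    first = run_simulation(SCENARIOS, RULES)
    print(coverage_report(first))
    # A later scheduled run after the brute-force threshold was raised too far during tuning:
    tuned = [lambda ev: rule_brute_force(ev, threshold=50),
             rule_public_bucket, rule_root_login_without_mfa]
    second = run_simulation(SCENARIOS, tuned)
    print("regressions since last run:", regressions(first, second))
```

The first run reports 3 of 4 techniques detected, with T1098 missed because no rule covers access-key creation; that gap is exactly the kind of "do we need another control?" finding the article attributes to BAS. The second run, with the brute-force threshold retuned, shows T1110 as a regression, which is what repeated, automated runs are meant to catch.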
Ensuring the best cloud security
BAS and advanced red teaming, according to Gartner, spell the end of traditional penetration testing. Automating most of the penetration work, using up-to-date threat intelligence, and emphasizing the adversarial perspective deliver more efficient and considerably better security validation outcomes.
The benefits of breach and attack simulation are particularly noticeable in cloud environments. It simplifies the complexities of conducting security testing in environments that may not be that familiar to organizations.
Moreover, it is less expensive than hiring conventional penetration testers while providing the advantage of continuous testing or the ability to check the state of security controls anytime and not wait for scheduled change-control times.