Continuous security validation as a cyber defense strategy is relatively new, but the core technique behind it, simulation, is already used successfully in many fields. Simulation means emulating real-world processes and situations in order to understand them better and to anticipate problems before they arise.
“Simulations allow researchers and practitioners to test an abstraction of the system that contains only features of interest, without the need for detail, toward answering a research question,” explains a paper on simulation for cybersecurity published in the Journal of Cybersecurity. They enable the creation of virtual networks and testbeds that mimic the conditions of an attack.
Simulation is already part of traditional security testing such as penetration tests and red teaming. The advent of continuous security validation makes it even more important. Continuously evaluating how well security controls hold up against more complex and aggressive cyberattacks, including zero-day threats, cannot be done by waiting for an actual attack to happen or for the latest threat information to arrive from security firms or threat intelligence sources.
Simulation in continuous security validation
Risk Management Executive Berk Algan, the Head of Silicon Valley Bank’s Technology and Security Risk Management Group, offers a good summary of continuous security validation by listing the following benefits:
- Increasing cyber resiliency through frequent or continuous testing and validation
- Ascertaining the effectiveness of security controls and tools in blocking specific attack vectors
- Developing an organizational cyber threat model that is useful in targeting higher risk areas and key information assets
- Methodically analyzing security observations
These benefits are achieved by undertaking all the core steps of traditional security validation while emphasizing a cybercriminal or adversary’s perspective in the process. As Algan puts it, “continuous security validation allows an organization to take cyber attackers’ perspective and stress-test its security stance.”
So where does attack simulation figure into all of these? Here’s a quick rundown of the key points:
- Frequent or continuous testing and validation is undertaken through attack simulation. The act of having a red or a purple team is itself a simulation of the possible threats an organization will be facing.
- After specific attack vectors are identified and scrutinized, they are then simulated to determine how existing security controls fare.
- Cyber threat models that focus on high-risk areas emerge out of the information and insights generated by attack simulations.
- The methodical analysis of security observations can happen without simulations, by relying only on security research or on actual attacks observed by the organization or by other organizations and shared through common threat intelligence resources. Such an analysis, however, is unlikely to cover new or emerging threats and attack variants, and is therefore of little use against threats that have not yet been identified.
In the past, security firms relied on data from actual attacks or on the findings of security researchers to identify and block threats. That approach does not work for continuous security validation. Even an endless stream of cyber threat data rarely captures all the possible variations and evolutions of an attack.
The rise of purple teaming
The growing prevalence of continuous security validation coincides with the rise of purple teaming, which entails collaboration between the red (attack) and blue (defense) teams. Red and blue teams are both in the business of simulating cyberattack scenarios to find problems in security controls and to implement the necessary corrections and improvements. Purple teaming raises the simulation stakes by facilitating the sharing of insights between the two teams.
This sharing of insights does not mean that the red and blue teams merge into one team. The two still run their exercises independently, so that neither develops assumptions or borrowed knowledge that would bias its judgment. What purple teaming adds is a structured exchange of findings that helps both teams improve their attacks and their defenses.
The collaboration results in better attack simulations because the blue team can help the red team re-tool their attacks to target vulnerabilities they may have missed. Similarly, the red team can help the blue team in understanding successful attacks better, so they can improve security controls more effectively and efficiently.
It is also worth mentioning that purple team attack simulations often draw on the MITRE ATT&CK framework, a comprehensive knowledge base of adversary tactics and techniques observed in real-world intrusions. The framework is useful for simulating the techniques that attackers are actually using, so that security controls can be tested against realistic forms of cyber threats.
Again, simulation is what ties all of this together. MITRE ATT&CK catalogues what adversaries do, but a catalogue on its own says nothing about whether a given organization's controls stop those techniques; only exercising them does. Everything boils down to simulating attacks to determine how they are likely to affect the defenses an organization has implemented, and to find out what should be done to improve them. Simulations are also what allow a team to anticipate attacks that previous analysis would not have identified, because the attacks have evolved or have been modified to exploit other vulnerabilities.
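The loop described in the run-down above (simulate a specific attack vector, see whether the controls catch it, and let the gaps shape the threat model) and the ATT&CK benchmarking mentioned here are easiest to see in code. The following is an added example, not code from the original article or from any validation product. It models a minimal validation harness: each "simulation" emits the constructed endpoint telemetry that a real execution of an ATT&CK technique would leave behind (nothing is actually executed), a set of detection rules stands in for the security controls under test, and the report lists coverage per technique ID. The technique IDs (T1059.001, T1003.001, T1021.002, T1136.001) are real ATT&CK identifiers; the events, command lines, rule names and the deliberate gap in coverage are all assumptions constructed for the demo.

```python
"""
Minimal continuous security validation loop (illustrative example):
simulate ATT&CK techniques as telemetry, run detection rules over it,
and report per-technique coverage plus the gaps a threat model should target.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One synthetic endpoint process event, standing in for EDR/Sysmon telemetry."""
    host: str
    user: str
    image: str
    cmdline: str


@dataclass
class Simulation:
    technique: str   # ATT&CK technique ID
    name: str
    events: list     # constructed telemetry a real run of the technique would produce


# Simulated attack vectors. Nothing is executed; each entry only emits the
# command-line telemetry an attacker's tooling would leave behind (constructed).
SIMULATIONS = [
    Simulation("T1059.001", "PowerShell encoded command", [
        Event("ws01", "alice", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ]),
    Simulation("T1003.001", "LSASS memory dump via comsvcs.dll", [
        Event("ws01", "alice", r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 624 C:\\temp\\lsass.dmp full"),
    ]),
    Simulation("T1021.002", "Lateral movement over an admin share", [
        Event("ws01", "alice", r"C:\Windows\System32\net.exe",
              r"net use \\srv02\C$ /user:corp\svc_backup Hunter2!"),
    ]),
    Simulation("T1136.001", "Create a local account", [
        Event("ws01", "alice", r"C:\Windows\System32\net.exe",
              "net user backdoor P@ssw0rd /add"),
    ]),
]

# Benign activity (constructed) used to check the rules do not fire on normal work.
BENIGN_EVENTS = [
    Event("ws01", "alice", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -File C:\\scripts\\inventory.ps1"),
    Event("ws01", "alice", r"C:\Windows\System32\net.exe", r"net use H: \\fs01\home\alice"),
]

# Detection rules: the "security controls" under test, each tagged with the
# technique it claims to cover. Deliberately, no rule covers T1136.001.
RULES = {
    "powershell_encoded": ("T1059.001", re.compile(r"powershell.*\s-(enc|encodedcommand)\b", re.I)),
    "comsvcs_minidump":   ("T1003.001", re.compile(r"comsvcs\.dll.*minidump", re.I)),
    "admin_share_mount":  ("T1021.002", re.compile(r"net\s+use\s+\\\\\S+\\[a-z]\$", re.I)),
}


def run_detections(events):
    """Return the set of technique IDs whose rules fired on the given events."""
    hits = set()
    for ev in events:
        for technique, pattern in RULES.values():
            if pattern.search(ev.cmdline):
                hits.add(technique)
    return hits


def validate(simulations=SIMULATIONS):
    """Run every simulation and record whether its own technique was detected."""
    return {sim.technique: sim.technique in run_detections(sim.events)
            for sim in simulations}


def coverage_report(results):
    """Summarise detected fraction and the techniques that slipped through."""
    total = len(results)
    detected = sum(1 for ok in results.values() if ok)
    gaps = sorted(t for t, ok in results.items() if not ok)
    return {"total": total, "detected": detected,
            "coverage": detected / total if total else 0.0, "gaps": gaps}


if __name__ == "__main__":
    res = validate()
    rep = coverage_report(res)
    for tid, ok in sorted(res.items()):
        print(f"{tid}: {'DETECTED' if ok else 'MISSED'}")
    print(f"coverage {rep['detected']}/{rep['total']} ({rep['coverage']:.0%}); gaps: {rep['gaps']}")
    print(f"false positives on benign events: {sorted(run_detections(BENIGN_EVENTS))}")
```

Run unattended on a schedule, this is the shape of "continuous" validation: the gap list (here T1136.001) is exactly the input the blue team needs to write or tune a rule, and the benign set is the check that keeps a red team's findings from turning into noisy controls. In practice the simulations would execute real technique emulations on a test host and the rules would live in the SIEM or EDR, but the feedback loop is the same.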
Automated simulations
Can continuous security validation and attack simulation be automated? Certainly, yes. There are security validation platforms that feature purple team modules and automated attack simulation functions to accelerate the process of security testing.
“These security controls validation platforms provide an automated and continuous simulation of a variety of cyberattacks, including insider threats and lateral movements by attackers, giving companies constant feedback about the effectiveness of their security measures benchmarked against the MITRE ATT&CK framework,” writes cybersecurity expert Ron Newman in a CIO post about continuous security controls validation as a secret weapon for CISOs.
If cyberattacks keep evolving, cybersecurity has to keep pace. Many aspects of security testing can already run automatically and generate timely reports that help security teams respond promptly to threats and attacks.
Automation also keeps the cost of attack simulation under control. If every simulation had to be carried out by hand by security professionals, the process would be far slower and far more expensive.
Towards holistic security validation
In the context of security validation, simulation is more than a controlled experiment in the way a clinical trial for a medicine or vaccine is. It is not merely the reproduction of different scenarios and reactions in a controlled environment. When white hats and internal security teams conduct attack simulations, what they do closely approximates what actually happens during a real attack, because the same tools and techniques are exercised against the organization's own security controls.
Sometimes these simulations even go beyond what bad actors are likely to have in mind as they plan their attacks. Through purple teaming and continuous security validation, with the MITRE ATT&CK framework as the reference, the simulations explore a far wider range of attack vectors, variations, and enhancements than any single attacker would attempt, although no simulation catalogue can claim to cover every conceivable attack.