What is Breach & Attack Simulation, and Does it Mean the End for Traditional Penetration Testing?

I changed my mind on this (which doesn’t happen very often, but I will come back to that later)… Breach & Attack Simulation (BAS) is an advanced security testing methodology that is designed to stress-test your cyber defences by launching ‘real’ cyber-attacks against your live systems, or a virtual representation of your technology infrastructure stack. When the results of this attack are analysed, any weaknesses will be highlighted, so they can resolved before a real-world attack takes advantage of them.
What is Breach & Attack Simulation, and Does it Mean the End for Traditional Penetration Testing?

BAS consists of tools (usually software) and processes that use real attack and exploitation techniques from known vulnerabilities to measure how deep into your networks the attack can penetrate before it is (hopefully) stopped! A good example of this is to use a “popular”1 vulnerability – such as Log4Shell, Follina, Spring4Shell – to launch a ransomware attack with a benign payload, i.e. it will penetrate and execute without encrypting your data.

When I first came across BAS, my first thought was that there would be no point in running penetration (aka pen) tests any more as BAS was better. Right?

Without wanting to turn this into a debate on the pros and cons of pen testing vs. BAS, let’s say that a pen test is analogous to confirming that the doors and windows of your house are locked and secured. BAS, on the other hand, is more akin to employing a former house-burglar to actually break into your house! Did you forget the single-glazed window in the garage and the cheap and flimsy door that leads into the house? Those will be among the first things a burglar will look for, and the first weaknesses the ‘real’ burglary will reveal.

Then, I remembered how when I first started out on my ‘IT security’ journey (the term ‘cyber’ hadn’t been invented yet!), I was taught to think of information security as an onion. An onion has multiple layers and so should your cyber security!

So, with that in mind, back to the house analogy…

If our ‘friendly’ burglar did manage to break in, we may decide to purchase an intruder alarm in case they try it again, but this doesn’t mean we shouldn’t continue to lock our windows and doors after it’s been installed. So it is with any new addition or enhancement to our cyber security ecosystems. Good security comes in layers, and pen testing and BAS provide complementary layers of security.

It sounds mercenary, but our role as cyber security professionals is to make sure that our ‘houses’ are secure enough to make the thieves assess our security controls, spot the locks and intruder alarm, and move on to the next victim.

Well, there you have it… My change of mind, or more accurately, an old guy who has been in IT and security for a very long time, remembering what he was taught 25+ years ago.

Find out more about Xpertex’s own BAS solution, and don’t hesitate to contact us if you’re concerned about the security of your own ‘house’!

Joel Sweeney, CEO, Xpertex

Joel has spent more than 35 years in the world of IT – with the majority of that time focused on networking – and was actively involved in the earliest days of what we now call ‘cyber’. Since founding Xpertex in 2006, he has channelled that multifaceted experience into a range of projects for customers on some of the highest security networks and systems – the systems that help maintain the UK’s security as the digital threat landscape evolves. He remains passionate about all aspects of cyber security, particularly the NCSC’s mission to make the UK the world’s safest place to live and work online.



Related articles