What is Breach and Attack Simulation (BAS)?

As organisations try and stay one step ahead of cyber criminals, Breach and Attack Simulations (BAS) are growing in popularity as a way of testing cyber resilience. The technology is used to automatically spot weaknesses in an organisation’s cyber security, a little like automated, ongoing penetration testing.

The global BAS market is expected to reach $1.68 billion by 2027 - a 37.8% growth from 2018’s figures - primarily driven by demand for prioritising security investments as vulnerability management grows ever more complicated.

Furthermore, Breach and Attack Simulation technologies were highlighted as one of the top solutions for CISOs to consider in a recent report from Gartner, because of its effectiveness at testing against known threats.

But just what are Breach and Attack Simulations, and how are they being used by businesses?

The different types of Breach and Attack Simulations

BAS is an emerging technology that runs simulated automated attacks, mimicking the attacks likely to be deployed by cyber criminals. These ‘pretend’ attacks can help a company identify potential vulnerabilities in security systems, as well as test out the detection and prevention capabilities.

According to Cymulate, BAS technologies fall into three main categories, depending on the approach needed.

The first is agent-based vulnerability scanners. As opposed to using protocols like SSH to remotely access network devices, this method involves running agents directly on target devices themselves to test them for known vulnerabilities. These agents are deployed inside an organisation’s LAN and distributed across a number of machines, with the goal being to map out the potential routes an attacker could take to move through the network.

The second type of BAS tests the organisation’s security by generating ‘malicious’ traffic inside the internal network. Virtual machines are set up inside the network which act as targets for the test, using a database of attack scenarios. The BAS sends attacks between these machines, then checks that the organisation’s security solutions are able to detect and block the traffic.

The third category consists of multi-vector simulated attacks, and are the most advanced and true-to-life type of simulation that can be deployed. This ‘black box’ approach puts a lightweight agent on a workstation within the network. Usually cloud-based, the assessments utilise distinct types of attack tactics to try and bypass the security in place, both internally and externally to the organisation’s LAN.

Pros and cons of Breach and Attack Simulations

One major benefit of BAS is the automation aspect. Having tests scheduled and frequently carried out automatically by a tool means that potential weaknesses can be spotted and dealt with quickly, compared to one-off tests where staff may be more alert to issues.

Automated tests can be particularly useful in larger organisations where networks are constantly changing, especially if new tools are being deployed, software is updated, or operations expand into new locations. Regular tests can identify issues with complex networks quickly and efficiently, and some BAS technologies can be set up to run constantly, meaning that vulnerabilities can be spotted almost instantly.

However, human cyber experts are usually much more creative in how they deploy attacks. BAS is limited in what it can test, and can only run known attack simulations. This is why penetration testing - a simulated attack run by highly trained security professionals to probe business systems for vulnerabilities - may uncover different problems compared to BAS.

There is also a danger that IT teams can end up overloaded with notifications on an ongoing basis with BAS, especially if there is no easy way to differentiate routine issues from important alerts.

As with many security tools, Breach and Attack Simulation is not a comprehensive solution, and different tools have different purposes depending on how they are deployed. However, as part of a comprehensive cyber security strategy, BAS can play a valuable role, particularly as the technology matures and BAS providers continue to evolve their offerings.