By Dave Gordon
Cyberattacks and data breaches have now become a pressing concern for all organizations regardless of size, industry and origin. Just recently, Canadian federal agencies were reported to have mishandled the records of 144,000 individuals in a collection of data breaches. The report cites misdirected mail, security incidents, and employee misconduct as the main causes.
Cybercriminals and threat actors are also refining their methods to perform more successful hacks. Ransomware, for a long time the bane of many organizations, has now evolved. Aside from encrypting data to force victims to pay a ransom, newer variants are now designed to exfiltrate data first and even corrupt files. Hackers now even use artificial intelligence (AI) to launch more targeted attacks.
This is why it’s critical for you to establish a strong security posture for your organization. You must not only adopt capable security solutions but also routinely check if these actually work properly. It only takes one vulnerability for attackers to gain access to your systems.
An emerging standard for testing your security is breach and attack simulation (BAS). This method uses automation to test multiple potential attack vectors through simulated attacks, unlike traditional penetration testing, which is often limited to just one or a few vectors. BAS platforms also provide easy-to-use interfaces, so running them properly does not require a high level of technical expertise.
“Breach and attack simulations evaluate security systems to help organizations optimize their defences against known and emerging threats. It’s an efficient way to keep pace with and adapt to a dynamic IT security environment,” says Cymulate chief executive officer Eyal Wachsman.
Attack simulations, however, must also be executed properly. For instance, giving employees a heads-up can raise their security awareness for the duration of the test and give you inaccurate results, which can make the whole exercise pointless. While there is no single answer for the best time to run a breach and attack simulation, it is prudent to conduct them without informing your staff.
Here are three key reasons to keep your team in the dark about planned attack simulations.
1. Establish an accurate baseline of security
The first step for creating a robust defence system is to establish a baseline of security needs. Testing how your organization’s IT solutions perform against attacks should reveal existing vulnerabilities. This way, you can identify the gaps in your defensive perimeter, allowing you to set up the right security controls to reduce the risk of falling victim to attacks.
If the team knows well ahead of time that there’s going to be a simulation, they may perform tweaks or even adopt new solutions to plug these gaps.
While these changes may eventually result in a stronger defensive perimeter, they skew the results and give you an inaccurate baseline of where you really stand in terms of security.
2. Identify who needs more training
Human error continues to be the major cause of security breaches. An Egress study revealed that 60 per cent of breaches within the first half of 2019 were the result of human error. Hackers know this very well, which is why they employ a variety of social engineering attacks, including phishing, to manipulate users into giving them access.
“The web is still a huge vector of attacks. So if you don’t have proper controls on how people use the web, just going to the wrong website can invite attackers into your organization,” Chris Dodunski, CEO of CyberHunter Solutions in Toronto, told OHS Canada.
Employees who are likely to fall victim to manipulation attacks and phishing attempts must be identified. Fortunately, BAS platforms allow you to perform simulated phishing attacks. However, informing your team of such tests beforehand would likely make them extra vigilant, so the results may not reveal those who would otherwise have their guard down.
3. Flush out threat actors
Considering how stealthy threat actors can be, your infrastructure might already have been breached by one. They can be advanced persistent threats (APTs) that quietly lurk in your network, or they can be a disgruntled member of your own team.
Performing BAS tests can actually reveal their presence in the form of the vulnerabilities and malware that they introduce to your infrastructure.
If you send out a message announcing a planned attack simulation, intruders may start covering their tracks and plugging the vulnerabilities they exploited. This way, your simulated attacks may fail to reveal their presence.
Putting the right strategy in place
Running tests and simulations against your security can help you get a better sense of your security posture. It is important to get an accurate assessment of the capabilities of your security tools as well as the skills of your staff so that you can implement stronger measures.
Ultimately, when done right, continuous testing can help you develop a security-first culture that allows you to minimize your exposure to cyberattacks.