Chapter 3. Breach and Attack Simulation

In the previous chapter, we covered examples where control effectiveness was tested against very specific threat actor TTPs, allowing defenders to diagnose poorly performing controls and to keep improving results over time. But attackers never use only one technique during the attack’s lifecycle. Rather, they strategize the breach, use one set of techniques to gain the initial foothold, and then use others to escalate privileges and pivot, working with different tools and living-off-the-land techniques to achieve their objectives. Thankfully, defenders don’t have to test every variant of an attack kill chain one tactic or one technique at a time. To simulate more complex attacks in step 3 of the evidence-based security framework, security teams can opt to use automated breach and attack simulation (BAS) platforms and tools. Using BAS helps test how specific controls react and can also test the environment’s resilience to a given threat vector.

With BAS, the output from each simulation is detailed in customized reports that help quantify the extent to which controls detect a wide range of TTPs. The results help focus and prioritize remediation and ultimately serve to close security gaps. Security teams who regularly test their ability to detect and remediate incidents can also use BAS platforms to test attack flows uncovered by external or internal threat intelligence. They can then automate testing and reporting on what those attack patterns look ...
