Testing the security of an organization's digital assets using realistic attack scenarios is widely considered a best practice. Testing provides assurance that the security controls in place are sufficient to prevent hackers from being able to breach the perimeter and gain access to an organization's sensitive data.
Penetration testing is the most established form of this testing, but another option known as breach and attack simulation (BAS) has been introduced over the last few years. For many people, it's not clear how the two differ and when each should be used.
What is pen testing?
Pen testing uses a combination of tools and requires skilled pen testers to simulate the methods used by cybercriminals to conduct attacks. Usually, pen testers are only permitted to assess the security of certain parts of the organization's network, such as a website or its internet-facing infrastructure. The process relies heavily on manual work by a skilled human tester.
The goal of pen testing is to identify security vulnerabilities and then exploit them to determine what malicious hackers could realistically achieve if they found the vulnerability first. Pen testing is primarily focused on the protective controls in place on one system and how they can stop an attack from occurring, rather than assessing the overall security posture of the organization.
What is breach and attack simulation?
BAS differs significantly from pen testing in that it is highly automated and runs on a more continuous basis. The goal is to remove the human element of pen testing and replace it with the ability to run realistic scenarios on a more frequent basis. The system is controlled by a central interface that enables attack scenarios to be executed and provides details of the results. The results are often mapped to known attacker techniques, for example by using the MITRE ATT&CK framework. BAS aims to examine not only an organization's defenses, but also how it detects and responds to a specific attack scenario as it occurs. Modern BAS platforms can run automated red team scenarios, including an external breach of the perimeter through phishing attacks.
Pen testing vs. BAS: Which should your organization use?
Whether you should use BAS, pen testing or both is primarily determined by your organization's level of cybersecurity maturity. BAS requires an organization to have internal security resources that can manage and analyze the results the automated tool generates, and to have detection and response systems in place whose effectiveness can be assessed. For larger and more mature organizations, BAS provides a continuous assessment that is useful as an addition to or replacement for pen testing and enables tailoring attacks to specific techniques the organization may be concerned about. For organizations that simply want to know if systems they have deployed are secure against attacks, pen testing is the preferred option because it is laser-focused on finding vulnerabilities before they can be exploited. Organizations that are lucky enough to have the scope to include both BAS and pen testing could use the two complementary tools to even better protect their systems.