Breach & Attack Simulation
Doing red and blue separately isn’t working anymore
Through its partnership with Israel-based Cymulate, Gateway ICT offers an award-winning Breach & Attack Simulation platform developed by a team of elite intelligence officers who served in the Israeli IDF.
Cymulate’s BAS technology complements our offensive strategy, enabling companies to build our signature security posture.
Cymulate is a SaaS-based breach and attack simulation platform that makes it simple to know and optimize your security posture any time, all the time, and empowers companies to safeguard their business-critical assets. With just a few clicks, Cymulate challenges your security controls by initiating thousands of attack simulations, showing you exactly where you're exposed and how to fix it—making security continuous, fast and part of everyday activities.
Where are we today?
The security community has been in something of a gilded cage of late. Revenues going up, paychecks looking healthy, negative unemployment, a vibrant community of independent researchers and innovative companies pushing capability by the day, but still sitting behind the bars of configuration management cycles, compliance requirements, and our own lack of an evolving context for the threats we face. We’re still dealing with vulnerabilities from 2016 in some sectors.
Red Teams are expensive and highly specialized. They should be innovating, not playing gotcha or spinning their wheels on defenders who won’t or more often can’t follow through with mitigation.
Red Team: an organization which tests cyber defenses by emulating adversary attacks against them.
Blue Team: the organization responsible for defending a larger organization’s assets/business/operations in cyberspace.
Blue Teams are overworked and spread too thinly. They should be hunting advanced threats, not maintaining a continuous stream of slapdash capabilities and correlations they can never get ahead of.
We can’t afford to stay in our silos of excellence anymore. Attack and Defense are complementary, and our community is wasting talent in extravagant fashion by failing to codify their relationship in service of security.
Purple Teaming couples and coordinates red and blue to maximize the capabilities and impact of both. It aligns the blue team’s mission focus with relevant threats, allowing them to base defensive architectures on Business Critical needs. It applies “Red” thinking to carefully balanced and curated enterprises to show (not tell) stakeholders how their most critical capabilities can be compromised and give clear guidance on defending them. Fundamentally, Purple Teaming offers operators and analysts the means to align detection to threat in a structured way.
Cyber Threat Intelligence Analysis
Threat intelligence analysis is taking existing intelligence data like TTPs, malware hashes, or domain names and applying human intelligence to harden cyber defenses and improve ways to anticipate, prevent, detect, and respond to cyber attacks.
Defensive Engagement of The Threat
Defensive engagement of the threat takes what you’ve discovered from intelligence analysis and allows you to look for indicators of a pending, active, or successful cyber attack. Breach and attack simulation tools fit in well here because we can take the behavioral models uncovered during intel analysis and use BAS to automate testing and reporting on what those behavior patterns look like in our enterprise.
These simulation results can feed back into your threat intelligence analysis and into the next element we’re going to talk about, which is focused sharing and collaboration.
Breach & Attack Simulation tool
While there are a few frameworks we're laying over the BAS testing tools, the most prevalent is the MITRE ATT&CK Framework. MITRE has organized attacker techniques into multiple categories along the attack chain. On the MITRE ATT&CK website, we can drill into techniques under each category to get a better understanding of how a technique works, threat groups known to use the technique, how to mitigate and detect the technique, and references to articles on the technique.
How Does BAS Fit Into Purple Teaming?
Breach and Attack Simulation tools can help with Red Team execution by providing a platform to make sure test procedures are safe, controlled, and documented.
Integrations with other defensive security tools like EDR, firewalls, AV, and IDS/IPS can allow BAS tools to provide instant feedback in a centralized manner to the Red Team.
Those same integrations can provide instant feedback and centralization for Blue Team members as well. Some BAS platforms will also provide mitigation information to the Blue Team.
During the joint debrief, data collected by the BAS tool can be analyzed by both Blue and Red team members. This data can be used as suggestions for both sides on the next piece, which is:
Continuous testing and improvement. Breach and attack simulation tools allow you to begin automating many of the low-level tasks the red team is doing so that they can continue to innovate. Blue teams are also provided with a way to run those lower-level red team tasks themselves to validate that the measures taken to resolve red team discoveries are always working.
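The feedback loop above (simulation results mapped to ATT&CK, handed to the Blue Team as a worklist, then re-run to confirm fixes still hold) can be illustrated with a small script. This is an added example, not Cymulate's code or its export format; the result records and technique list are constructed, and the "prevented"/"detected" fields are an assumed simplification of what a BAS report carries.

```python
"""Score constructed BAS results by ATT&CK tactic and flag gaps and regressions."""
from collections import defaultdict

# Constructed sample results (not a real BAS export). Real ATT&CK technique IDs.
BASELINE = [
    {"id": "T1566.001", "tactic": "initial-access",    "prevented": True,  "detected": True},
    {"id": "T1059.001", "tactic": "execution",         "prevented": False, "detected": True},
    {"id": "T1055",     "tactic": "defense-evasion",   "prevented": False, "detected": True},
    {"id": "T1003.001", "tactic": "credential-access", "prevented": False, "detected": False},
    {"id": "T1021.001", "tactic": "lateral-movement",  "prevented": False, "detected": False},
    {"id": "T1486",     "tactic": "impact",            "prevented": True,  "detected": True},
]

# Same scenarios re-run after a mitigation sprint: credential dumping is now
# blocked, but the PowerShell detection rule has silently stopped firing.
RERUN = [
    {"id": "T1566.001", "tactic": "initial-access",    "prevented": True,  "detected": True},
    {"id": "T1059.001", "tactic": "execution",         "prevented": False, "detected": False},
    {"id": "T1055",     "tactic": "defense-evasion",   "prevented": False, "detected": True},
    {"id": "T1003.001", "tactic": "credential-access", "prevented": True,  "detected": True},
    {"id": "T1021.001", "tactic": "lateral-movement",  "prevented": False, "detected": False},
    {"id": "T1486",     "tactic": "impact",            "prevented": True,  "detected": True},
]

def gaps(results):
    """Techniques neither prevented nor detected: the Blue Team's mitigation worklist."""
    return sorted(r["id"] for r in results if not (r["prevented"] or r["detected"]))

def coverage_by_tactic(results):
    """Fraction of simulated techniques per ATT&CK tactic that were prevented or detected."""
    seen, covered = defaultdict(int), defaultdict(int)
    for r in results:
        seen[r["tactic"]] += 1
        covered[r["tactic"]] += int(r["prevented"] or r["detected"])
    return {t: round(covered[t] / seen[t], 2) for t in seen}

def regressions(before, after):
    """Techniques covered in an earlier run but not in the later one: a control broke."""
    covered_before = {r["id"] for r in before if r["prevented"] or r["detected"]}
    covered_after = {r["id"] for r in after if r["prevented"] or r["detected"]}
    return sorted(covered_before - covered_after)

if __name__ == "__main__":
    print("gaps:", gaps(RERUN))
    print("coverage:", coverage_by_tactic(RERUN))
    print("regressions:", regressions(BASELINE, RERUN))
```

The regression check is the continuous-testing point made above: re-running the same scenarios after each change catches a detection that quietly stopped working, not only the gaps found on the first run.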