In December 2017, three engineers at Boeing filed a patent for a training tool different than any the century‑old aerospace company had developed before: technology that simulates an in‑flight cyberattack on a commercial airplane.
Such simulations aren’t just exotic war games for huge companies looking to secure systems and information for every possible scenario. Increasingly they are part of basic risk management, even, in Boeing’s case, at 35,000 feet.
Attack simulations make sense for several reasons. Most companies aren’t able to patch vulnerabilities in a timely manner, leaving them exposed to hackers. And despite years of training, employees still routinely get duped by phishing emails created by hackers to look like they’re from co‑workers or other contacts.
To reduce the impact of attacks that rely on weak security controls and human manipulation, some companies are turning to simulation tools that mimic how real hackers break into networks: by using programs that guess passwords, exploiting weaknesses in improperly configured hardware, bombarding employees with phishing emails, and so on.
Breach simulation technology that offers rapid, automated testing is a small but growing niche that could reach $1 billion by 2020, according to research firm CyberDB, as businesses come to grips with the stark reality that hackers are way ahead of them. Today, 54% of security professionals say that hackers are outpacing them with superior technology. Another 23% report that attacks have gotten more severe over the last 12 months, according to a ServiceNow study conducted by the Ponemon Institute.
Penetration or “pen” testing is a common method for determining weaknesses in an organization’s technology defenses. Using staged phone calls, emails, or attempts to stealthily hack employees accessing sketchy public wi‑fi networks, pen testers try to trick workers into falling for the same scams deployed by real hackers.
Security “red teams” comb through publicly available information, such as conference agendas, Facebook posts and LinkedIn profiles, and use the data to create phishing emails intended to fool recipients into opening a link or a document. It’s one aspect of what risk‑management firm Breadcrumb Security does for its clients.
To test one client company’s board member who also worked for a nonprofit, Breadcrumb’s team crafted an innocent‑sounding email that asked about sponsoring the nonprofit’s events. The attached “event sponsorship package”—which the board member opened—included simulated malware that could gain access to everything on his computer.
Breadcrumb Security presents findings to employees in person, because written reports are too easily ignored and almost never change behavior. “An attack is no longer something that might happen—it just happened,” CEO Brian Horton says.
Pen tests are difficult to scale in large organizations, and they don’t cover enough attack scenarios. “There aren’t enough skilled people, or hours,” says Chris Webber, security strategist for SafeBreach, which offers a breach simulation platform.
To augment their own efforts, red teams use automated attack tools that simulate breach tactics for everything from misconfigured routers to unpatched software applications, without the nasty impact of real malware. The simulations, which are focused more on system vulnerabilities than human ones, can run in many places—such as in cloud‑based file storage systems or in firewall hardware—to see how malware might damage systems and whether security controls are actually working.
Ideally, says Webber, security teams test security controls downstream from the user experience, so employees don’t have to jump through hoops to get to company files and applications. “There needs to be a balance between security and productivity,” he explains.
To achieve that balance, security defenses can be placed deeper within systems, instead of being aimed at employees. The SafeBreach attack simulations look for ways to stop attacks at many points along the “kill chain,” or the lifecycle of a breach—for example, by segmenting critical data so it’s harder for attackers to access.
Help for humans
Automation can remove some of the pressure on employees to sleuth out potential attacks. “The average user doesn’t want to know the ins and out of security,” says Brian Contos, chief information security officer and VP of technology innovation at Verodin, a security instrumentation platform company. “We should demand more of our technology.”
In Verodin’s case, this means testing that security tools actually do what they claim to do. The platform simulates real attack behaviors so that customers can figure out if their security policies and controls actually block attackers the way they’re supposed to—and tweak product features accordingly.
The ultimate goal is to make security solutions work harder (and correctly), so that the humans no longer have to serve as security guards.