When It Comes to Security Validation, BAS Is Not Enough

Lynn Harrington
Jun 02, 2021
3 min read
|   Last updated: Apr 11, 2024

Incomplete testing of security controls could have devastating consequences on an organization’s security posture, brand reputation and bottom line. We hear concerns almost daily from customers and prospects who have come to the realization that Breach and Attack Simulation (BAS) technologies are just scratching the surface of testing security effectiveness.

In this blog post we share are a few reasons why BAS is not enough to demonstrate cyber readiness and why organizations are instead choosing Mandiant Security Validation to safely emulate real attacks, proving true security effectiveness against today’s most relevant threats.  

Simulation Is Not as Effective as Emulation

BAS tools merely simulate an attack, which is far less effective than the emulation of a real attack, achieved by safely executing real attack binaries. Contrary to executing dynamic attack behaviors, simulated attacks are incomplete, reverse-engineered, manufactured or fake. As a result, they are often not recognized by security controls as a threat. Rules detecting but not alerting on simulated attacks is common and detrimental to a security program as this creates a false sense of security. AI and machine learning will only exacerbate this scenario. Organizations have difficulty optimizing their security controls without using real attack binaries based on active attacker tactics, techniques, and procedures (TTPs) and without visibility of the full attack lifecycle. 

Simulations Only Focus on Post-Exploit Attacks

Simulations performed by BAS technologies are limited to the phases of operation once the attack has compromised the system. As a result, these simulations do not provide complete attack lifecycle/kill chain visibility, which is critical to analyzing security effectiveness across the entire security infrastructure and optimizing controls proactively.

Testing Is Only as Good as the Data Used

The validity of attack libraries inherent in today's BAS solutions is in question as they cannot keep pace with the threat landscape. BAS solutions lack the real-time threat data and breach intelligence that reveal what threat actors are doing right now. That lack of timely intelligence—providing insights into the current TTPs used by attackers—limits an organization’s ability to identify and defend against the most relevant threats.

Lack of Remediation for Environmental Drift

Critical to validating controls is the ability to monitor and remediate changes to the IT environment that otherwise remain unseen by the security team. These gaps can cause regressions in security controls effectiveness and ultimately cause massive opportunities for attackers. BAS solutions lack automated processes to detect and respond to IT environmental drift and ensure ongoing integrity of the security infrastructure. 

The use of continuous monitoring or simulation is distinctly different from the automated detection and remediation of IT environmental drift. Drift or changes in digital environments can also impact IT policies, tools, topologies, segmentation and more—which are not flagged in BAS solutions. Automating the process of monitoring and remediating IT environmental drift assures the health of the security infrastructure resulting in integrity and accuracy in test results.

Ongoing Proof of Security Effectiveness

Mandiant Security Validation gives teams ongoing proof of security effectiveness across people, processes and technology, providing them with:

  • The latest global threat intelligence and adversary visibility
  • Emulation of real attack binaries
  • Safe execution of destructive malware and ransomware
  • An automated process to monitor and remediate IT environmental drift 

Security Validation and BAS technologies have many perceived similarities, but despite claims of comparable functionality, the distinction remains clear: simulation and yesterday’s data are no match for emulation using real-time threat intelligence.