Real World Attack Simulation – Attackers Do Not Care About Your Compliance

The challenges faced by everyone in 2020 were unprecedented. Companies forced to run their businesses from within their own living rooms faced, not only issues of interrupting children, but an increasing threat landscape with many ill prepared for the sudden change in working conditions.

This challenge further highlights the constant evolving nature of the cyber security industry. As new technologies that enhance home working are introduced, so too are the discoveries of new vulnerabilities. Attackers are continuously trying to keep ahead of the game, and it is vital that businesses should too.

Businesses often deal with these issues through compliance. Externally, they measure themselves against regulations, laws, and industrial standards. These are interpreted internally to form policies and business requirements. These measures often provide a badge of honour to place on their business portfolio. But does it equate to full protection?

The standards that businesses are expected to attain are often of a high level. These assessments can be difficult, vast and resource intensive. Often businesses will instead look to regulations that provide the minimum level, are cost effective and often primarily used to provide evidence that reduces liabilities. In recent years, they have become tick box exercises. Businesses will prioritise departments they feel should be protected, leaving other areas vulnerable and open to attack.

The Reality

Malicious hackers are fully aware that these badges of honour can be misleading and that they provide little incentive to preventing attacks. Hackers continually change their methods and are committed to bypassing security restrictions in place.

So how do businesses know if they are vulnerable to attack and where?

 It is too late to identify weaknesses in the middle of an attack so, one preparation is to simulate the attack and test the boundaries of the company.

Real-life attack simulations are a common method used by all forms of defence departments to help prepare individuals and groups to respond effectively to unexpected events. It puts people in positions where they can feel confident and are aware of how to deal with an incident if it were to occur. These methods are commonly used by law enforcement to prepare terrorist attacks but are now also increasingly used within the cyber world.

A simulated attack involving hacking techniques provides crucial information in both the detection of any vulnerabilities and the effectiveness of the response. The benefits include:

• Imitating the hacker: Ethical hackers, also known as penetration testers, utilise the latest tools and exploits to bypass controls with the same mindset as that of an attacker. This is all conducted in a safe and secure manner. Penetration testing is a formidable ally in a company’s defence and should be utilised routinely, assessing the latest exploits and vulnerabilities.
• Preparation: Auditing and understanding what security control technologies are in place and their roles in dealing with an attack while identifying redundant technologies.
• Performance analysis: Monitoring the system’s performance under attack and assessing data in real time. This can include testing any new technology that has been implemented and its resilience. Where the system relies on Artificial Intelligence, any weaknesses can be highlighted and mitigated for future deployment. Where the targets are the staff with phishing emails or perimeter testing, vulnerabilities can be identified and fixed.
• Specify objectives: The tests can be focused on specific requirements. This could be to test the introduction of new technology like a firewall or testing the communication between staff, a vital part of incident response.
• Staff training: Assessing how staff deal with their responsibilities and handle pressure can highlight any resourcing issues and knowledge gaps. Attacks that effect non-IT staff can improve culture and awareness.
• Incident response: How people, technology and processes deal with the incident, the positives, and negatives, and where improvements can be made.

Cyber security is about strength in depth. Compliance provides companies with a safety net to fall back on, but the inclusion of real-world testing can ensure that businesses are prepared for an attack if they are ever fall unfortunate to be chosen.