The Case for Breach and Attack Emulation
Author: Daniela Applegate, Co-founder at rThreat
The Case for Breach and Attack Emulation – Every CISO’s worst nightmare is to come into the office one day and find that an employee opened an attachment from a malicious email, responding with their login credentials and other sensitive information.
There are systems and protocols in place to prevent these types of threats from happening. Nevertheless, this malicious email got through. Now we must ask ourselves, how could we have prevented this security breach? What positions in an organization are most at-risk?
Furthermore, are employees knowledgeable enough to not only protect themselves, but the organization as a whole? While employees play an essential role in a company’s overall security, and employee security training should not be overlooked, the answer is no.
Effective security tools and protocols, and well-trained security teams in place are necessary to protect your customers, partners, and data. The average cost from data breaches increased from the previous year, up to $8.64 Million U.S. dollars in the United States and $3.86 Million U.S. dollars globally in 2020. 
With the increasing cost of cyber crimes, we are brought to our big question: How do we know if our cyber defenses are truly protecting us? The answer is we need to Defend Forward. Organizations need to implement continuous security validation to not only test and track the effectiveness of tools and processes, but the effectiveness of humans as well.
Addressing Human Error
There can be several factors when looking at curbing human error, which is why it’s important to have an in-depth look into your security training programs. In 2020, the most common delivery methods and vulnerabilities causing ransomware infections were from spam/phishing emails, poor user practices, and lack of cybersecurity training.
To begin combating this, some of the first things that can be done are:
- Identify at-risk positions:
Determine what employees and departments would be at the greatest risk or who has access to the most significant information.
- Run assessments:
Assess the roles of the employees and what access to information that they have. Perform assessments and analyze the employees’ virtual and non-virtual behavior. Re-educate if necessary, implement network segmentation, and provide additional resources to at-risk employees. It is important to provide these services to your employees in a positive, non-shaming way so they’re more open to taking security seriously.
It is important to continually train your employees on security threats such as phishing, brute force attacks, key-loggers, credential stuffing, and man-in-the-middle attacks. This includes implementing company-wide cyber hygiene practices. You also need to continually train your security team to optimize and improve detection and response times.
Performing daily or weekly drills can ensure your incident response processes are optimized, your team is well-versed with the latest TTPs, and they’re better prepared in the event of a potential breach.If you still find that, after re-educating employees, they are still encountering issues, then it is time to evaluate the current tools and processes you are using.
Jack Jones of the FAIR Institute said that “…[S]ometimes the problem comes down to the policies, processes, or tools that are provided to employees. Unclear, poorly defined expectations and poorly designed processes/tools are often the root cause, versus the employees themselves.”
Validating Security Protocols and Solutions
At the end of the day, you cannot solely rely on people to have the required knowledge to protect the organization from cyber threats. It is inevitable that people will make mistakes. Nevertheless, when that happens, you learn that there was a failure in the system before it reached the employee. Chris Kudless, VP of Cyber Risk Practice at Kroll stated “Theoretically, if an employee clicks a malicious link in a phishing email, there was a failure of the automated defense tool somewhere in the chain.” So what can you do?
- Look at processes
- Look at infrastructure
- Evaluate security solutions
You need to not only ensure that your technology and processes are working as they should, but you also need to be able to justify your security investments to business leaders and ensure business continuity is optimized. With the recent uptick in sophisticated threats, it’s more imperative now than ever for organizations to take a serious look at their security posture and create a plan to better manage their attack surface.
A large component of this is not only taking a closer look at your weaknesses and implementing better tools and processes, but you need to implement a continuous way to test these cyber defenses using the latest attack methodologies seen in the wild. If misconfigurations, poor processes, or ineffective tools exist in your network defenses, you need to be able to catch and remediate those problems before they are exploited by threat actors.
Attackers are constantly evolving and improving their tools and techniques, the same should apply to the defenders. If we remain static in our efforts to defend against threat actors, we will never stand a chance at getting ahead.
Proactive Not Reactive
It is important to be more creative and proactive with training and validating the effectiveness of security tools, processes, and teams. Many companies think reactively, which means that you look into your processes once something goes wrong such as a data breach.
Whereas a proactive approach comes in the form of continuous security assessments to anticipate an attack. It’s not a matter of if an attack will happen, but when. There are many proactive ways in testing your current security measures, including:
- Hiring third-party companies
Third-party companies can perform penetration testing and red team engagements for you. However, these services cost a lot of money, are limited in scope, and it’s not feasible for companies to perform these manual assessments regularly, especially for SMBs.
- Breach and attack simulations tools
Breach and Attack simulation tools provide an automated and continuous look into how well your cyber defenses are performing. However, one of the most significant issues is that most platforms rely on signature-based or attack scenario-based testing. These platforms are unable to execute real malware and only utilize known threats in their assessments.
When you need to continuously analyze the effectiveness of your cybersecurity infrastructure, protect your employees, customers, and partners, and ensure protection from known and unknown threats, you need rThreat’s breach and attack emulation solution. Our breach and attack emulation platform uses real and custom malware to identify your organization’s strengths, gaps, and weaknesses before threat actors get a chance to strike. Our next-generation solution not only identifies areas for improvements, but we also empower organizations with the intelligence they need to make informed decisions to remediate gaps.
Breach And Attack Emulation
The Case for Breach and Attack Emulation
“Know the enemy and know yourself in a hundred battles you will never be in peril. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and of yourself, you are certain in every battle to be in peril.” – Sun Tzu
“Know your enemy and know yourself”. It is important to have an honest look at your current cybersecurity measures and understand the consequences if you fail to do so. That is why it is crucial to find pragmatic and proactive solutions to cybersecurity instead of reacting to threats after they become a problem.
rThreat uses breach and attack emulation with built-in threat intelligence to give you a proactive and true black-hat approach when testing your defenses. Not only can you validate your technology and processes, but most importantly, you can validate how well your team is able to detect and respond to real, live threats in a secure environment. Security teams need real experience and training with live malware so they can better understand how adversaries operate in order to defend against these types of threats. It is undeniable at this point that performing continuous attack emulations is a natural part of the evolution in improving detection and response capabilities.
This is why our thesis and mission are based on the concept of Defend Forward. Organizations need to activate the power of threat intelligence so they gain an understanding of potential adversaries’ actions instead of waiting for indicators of attack. They need to step into the perspective of an attacker in order to develop better defensive strategies. As an industry we can no longer afford to sit back and be the hunted, we need to approach cybersecurity through a different lens and be the hunters.
If you would like to learn more about how you can Defend Forward with rThreat, please visit our website.
 Johnson, Joseph. U.S. Companies and Cyber-Crime – Statistics and Facts. Statista. Feb 10, 2021
 Johnson, Joseph. Most Common Delivery Methods and CyberSecurity Vulnerabilities Causing Ransomware infections according to MSPs worldwide as of 2020. Statista. Feb 16, 2021
 Barth, Bradley. CISOs score big on employee risk. SC Magazine. May 1, 2020.
The Case for Breach and Attack Emulation