WEBINAR
GigaOm Radar Report for PTaaS: How to Make a Smarter Investment in Pentesting

Is BAS the Self-Driving Car of the Penetration Testing Industry?

BAS — Breach Attack Simulation — is one of the hot new acronyms on the block. Let's take a closer look.

It feels like almost every industry is on the verge of being disrupted these days.  From healthcare to travel, retail to communications and everything in between.  Innovations can be subtle but have a huge impact on the way we live.  Some industries get decades, some years, but in almost all cases the change is here before we see it coming.

Cybersecurity is no different, and BAS is one of the hot new acronyms on the block.  And like any memorable boy/girl band, it comes with a great backstory.  It stands for Breach Attack Simulation, and can be boiled down to continuous automated pentesting.

BAS tools seek to probe the live web applications and network assets that a company is responsible for securing, and to enable red teams (read: pentesters) to create repeatable checks that can be scheduled and/or used to verify fixes and patches once they have been deployed.

I thought pentesting was done by humans, not robots?

So it is.  Or was.  Like all fast-paced industries, we are in the midst of figuring out the specifics while the ground shifts beneath our feet and the goalposts get narrower and further from the ball.

Breach Attack Simulation (BAS) and other noteworthy technologies like Continuous Automated Red Teaming (CART) seek to do what so many technological advancements in the past have done.  They want to take a nuanced human skill, and turn it into something which can be performed by a computer system — saving some of the hassle of hiring, wages, sleep etc.  Humans are great at many things, including pentesting and general security practitioning.  The challenge is there is never enough of them, their skills are in high demand — and it’s hard to scale up and down to meet demand.

As with most things, automation can alleviate some of the pain, but turning a human skill into a product/platform isn’t easy.

Vulnerability management burst onto the scene in the late 1990s, when a few key players in the industry (many of which are still notably big names today) decided that manual checking of software versions against lists of known vulnerabilities was a series of disasters waiting to happen.  Prior to this, few databases existed which held all the vulns in one place, and even fewer tools out there were really up to the task of checking software versions across an entire corporate network with hundreds of thousands of devices.

The initial innovation was largely based on pattern matching, but quickly evolved all sorts of clever ways to process large volumes of data and historical tracking as assets were updated.  Security very quickly became a rolling process, with risk scoring, high value patches & trend charts.  Vulnerability management had earned its place at the table.  Roll forward 20 years, and it’s still one of the core tools in a security team’s playbook — but now does a lot more than pattern recognition.

Weren’t we talking about cars?

We’re getting there.

Security has evolved into much more than just vulnerability management.  Security teams monitor incoming attacks in real time.  They manage massive asset inventories, sync with development teams as they release code and much much more.  They also often seek expert help to test drive their defenses from the attacker's perspective, and this is where pentesting is an invaluable method in ensuring good security.

Pentesting in most cases is very different from defensive security. Imagine a general charged with defending a castle.  They have to consider security as a holistic goal, ensuring no weaknesses exist — or at the very least, understanding where the greatest vulnerabilities lie, and taking action to bolster their defensive position.  The attacker approaches this problem from another direction: survey the compound, and look for the easiest point of exploitation.

Now a pentester isn’t a typical attacker.  Their role is to use their skills and experience to find ways to access a network, so that they can help companies plug that leak.  They act like attackers, but ultimately improve the overall security of the network.

The real question with niche tools that fall into the BAS/CART categories is: can they effectively replace the human component of a pentest?

And so to the self-driving car analogy.

Self-driving cars have come a long way since the idea was really embraced by some of the world’s biggest automotive companies.  Self-driving cars however, aren’t literally driving themselves.  At least not yet.  A human operator has to be in the vehicle, and in most cases “self-driving” is a blanket term covering innovations such as lane assist, automatic braking, and some other nifty gadgets.  Have they made driving easier?  Undoubtedly.  Have they made driving safer?  The data is still coming in on that one.  Have they relegated drivers to the back seats?  No way, José.

Does the same apply when it comes to pentesting?

The short answer is that we aren't quite there yet, and several leaps in technology would be required to reach that point.  We shouldn't assume however, that large technical leaps require a lot of time.  History has taught us that disruption can come when we least expect it.

You can deploy an automated process to act like a pentester acts, but it’s much more difficult to make it think like a pentester thinks.  Pentesters are highly skilled and creative individuals, and will take new and innovative approaches to bypass obstacles as they arise.  This innovation is where the magic happens.  When an immovable object meets an unstoppable force the only way forward is by solving a problem using new methods.

A recent Gartner report said that while BAS was a novel approach from new and upcoming vendors, it was better suited to proving existing defenses were effective than it was to doing extensive penetration testing. Their recommendation was to use “quality, expert-led testing” as the final resilience check as a means to defend against attackers. 

What we can take away from this is that while BAS tools are yet another shiny new product in a cybersecurity toolkit, they aren’t replacing pentesters anytime soon, nor do they set out to do so.  These tools are there to support pentesters with what they do best, and create more time in their day to do it.

Can traditional red teaming be augmented?

Absolutely.

At Cobalt we believe the future of security isn’t testing by robots, it’s testing by humans with spectacular tools at their fingertips.  Reconnaissance that happens as soon as a target URL is available.  Security checks that only have to be carried out manually the first time around.  The ability to find a vulnerability and write a test that can be run on demand, or on a continual loop until the issue is fixed.
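To make the "repeatable check" idea from the BAS description and from the paragraph above concrete, here is an added example (not Cobalt's code, nor any BAS vendor's) of how a pentester might encode findings as verification tests that can be re-run on demand or on a schedule until each one passes. The finding ids, the `example.test` URLs and the HTTP responses are all constructed for the example; the HTTP layer is injected as a function so the block runs offline against those recorded responses.

```python
"""Repeatable verification checks for pentest findings (added example).

Each finding becomes a Check whose `fixed` predicate returns True once the
live response shows the remediation. Re-running the same checks after each
deploy answers "is it fixed yet?" without repeating the manual testing.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass
class Response:
    """Minimal HTTP response: only what the checks below need."""
    status: int
    headers: Dict[str, str]
    body: str

    def header(self, name: str) -> Optional[str]:
        # HTTP header names are case-insensitive, so compare lower-cased.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


Fetcher = Callable[[str], Response]


@dataclass
class Check:
    finding_id: str                      # report reference (constructed, e.g. "F-01")
    description: str
    url: str
    fixed: Callable[[Response], bool]    # True when the response proves the fix


def run_checks(checks: Iterable[Check], fetch: Fetcher) -> Dict[str, bool]:
    """Run every check once; an unreachable target counts as 'not verified'."""
    results: Dict[str, bool] = {}
    for check in checks:
        try:
            results[check.finding_id] = bool(check.fixed(fetch(check.url)))
        except Exception:  # connection error, timeout, malformed response
            results[check.finding_id] = False
    return results


def verify_until_fixed(checks: List[Check], fetchers: List[Fetcher]) -> Optional[int]:
    """Re-run the checks against successive snapshots (one per scheduled run)
    and return the 1-based run in which every check passed, or None."""
    for run_number, fetch in enumerate(fetchers, start=1):
        if all(run_checks(checks, fetch).values()):
            return run_number
    return None


# --- Predicates for three hypothetical findings ---------------------------

def hsts_enforced(resp: Response) -> bool:
    """Fixed when Strict-Transport-Security carries a max-age of >= 1 year."""
    value = resp.header("Strict-Transport-Security") or ""
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                return int(directive.split("=", 1)[1]) >= 31536000
            except ValueError:
                return False
    return False


def server_banner_stripped(resp: Response) -> bool:
    """Fixed when the Server header no longer reveals a version number."""
    return not any(ch.isdigit() for ch in (resp.header("Server") or ""))


def directory_listing_disabled(resp: Response) -> bool:
    """Fixed when the directory URL is refused and no index page is served."""
    return resp.status in (403, 404) and "Index of /" not in resp.body


CHECKS = [
    Check("F-01", "HSTS missing on login page", "https://app.example.test/login", hsts_enforced),
    Check("F-02", "Server header leaks version", "https://app.example.test/", server_banner_stripped),
    Check("F-03", "Directory listing on /static/", "https://app.example.test/static/", directory_listing_disabled),
]

# Constructed response snapshots: before remediation, after a partial fix, and after all fixes.
BEFORE = {
    "https://app.example.test/login": Response(200, {"Server": "nginx/1.18.0"}, "<html>login</html>"),
    "https://app.example.test/": Response(200, {"Server": "nginx/1.18.0"}, "<html>home</html>"),
    "https://app.example.test/static/": Response(200, {"Server": "nginx/1.18.0"}, "<title>Index of /static/</title>"),
}
PARTIAL = {
    "https://app.example.test/login": Response(200, {"Server": "nginx", "Strict-Transport-Security": "max-age=63072000"}, "<html>login</html>"),
    "https://app.example.test/": Response(200, {"Server": "nginx"}, "<html>home</html>"),
    "https://app.example.test/static/": Response(200, {"Server": "nginx"}, "<title>Index of /static/</title>"),
}
AFTER = {
    "https://app.example.test/login": Response(200, {"Server": "nginx", "strict-transport-security": "max-age=63072000; includeSubDomains"}, "<html>login</html>"),
    "https://app.example.test/": Response(200, {"Server": "nginx"}, "<html>home</html>"),
    "https://app.example.test/static/": Response(403, {"Server": "nginx"}, "Forbidden"),
}


def fetch_from(snapshot: Dict[str, Response]) -> Fetcher:
    """Build an offline fetcher that replays a recorded snapshot."""
    def fetch(url: str) -> Response:
        if url not in snapshot:
            raise ConnectionError(f"no recorded response for {url}")
        return snapshot[url]
    return fetch


if __name__ == "__main__":
    for label, snap in (("before", BEFORE), ("partial", PARTIAL), ("after", AFTER)):
        print(label, run_checks(CHECKS, fetch_from(snap)))
    print("all fixed in run:", verify_until_fixed(CHECKS, [fetch_from(BEFORE), fetch_from(PARTIAL), fetch_from(AFTER)]))
```

In a real deployment the `fetch` argument would wrap an HTTP client and the runner would be triggered by a scheduler or a CI job; because the predicates only inspect responses, the same check file serves both the one-off re-test and the continual loop the paragraph describes.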

We are entering a new dawn of security, one where automation and human effort will elevate each other rather than replace one another.

At Cobalt we believe our greatest strength lies in our people.  We are investing in technology to advance our teams’ abilities to address new security challenges with ease, providing better security outcomes for our customers, and the everyday users who depend upon them.

Cobalt Core Pentesters are the best of the best. These top performers make up our pentesting community, and we hand-select the right person to fit the unique needs of each pentest.  If you believe you would be a good fit to join the Cobalt Core, and you are eager to contribute to the community you can apply to come on board here.

The third of Arthur C. Clarke’s famous Three Laws states “Any sufficiently advanced technology is indistinguishable from magic.”  For now, this magic is still in the hands and minds of the pentesters of the world, and the purely technical solutions are leagues behind their human counterparts.  When they catch up, and we enter a new reality where offensive technology has exceeded what a human hacker can do, the security landscape will get even more interesting (and exponentially more challenging).

In the meantime, a pentester's creativity and expertise is the best tool at our disposal. Curious what they keep finding? Check out this report: The State of Pentesting 2022.


About Mark Hamill
Mark Hamill is a Director of Product Management at Cobalt, a fully remote cybersecurity company with a mission to modernize traditional pentesting via a SaaS platform coupled with an exclusive community of highly skilled testers. He is a passionate advocate for people-centric design that focuses on experimentation and learning. When he isn't glued to a laptop working to improve Cobalt's Pentest as a Service (PtaaS) platform, he is either drinking coffee, cooking BBQ, or strolling in a forest.