In the last three years, 4 percent of all SMEs in Switzerland have fallen victim to a cyberattack with strong impact. This is according to the Cyber Study 2024, which was commissioned by Digitalswitzerland, the University of Applied Sciences Northwestern Switzerland and other partners. Extrapolated to the whole of Switzerland, this results in around 24,000 affected companies.
It is therefore less a question of IF you will be affected by a cyber incident, but rather WHEN. In view of the current threat situation, “speed is everything”: a company must be certain within the shortest possible time whether its security can detect and mitigate a brand new threat. And that is exactly what BAS does. Breach & Attack Simulations can detect vulnerabilities in the security stack before an attack occurs. BAS also provides information about which security tool is effective and where an investment has paid off. This makes BAS a clear trend for 2025 and more and more companies will be using it.
On the hunt for threats with BAS
To protect against the increasing frequency and sophistication of cybercrime, organizations are deploying a variety of security solutions. This inevitably leads to an increase in the complexity and scope of the security landscape, especially as both on-premises and multi-cloud environments now need to be protected.
Despite having a comprehensive security framework, relevant questions remain unanswered for many companies:
- Are we using the right security solutions and mechanisms?
- Are the solutions configured correctly?
- Are they protecting us from the latest attack techniques and threats?
- Are the solutions properly integrated into the Security Operations Center (SOC)?
- Are we using the right detection use cases to uncover attacks?
- What does our real threat detection coverage look like?
- Are we as a SOC and company responding correctly to the relevant signals and alerts from the cyber defense platform?
- What gaps and risks do we have and how are they changing?
- What impact do changes in our IT and security landscape have?
Using BAS, a company's security mechanisms are continuously tested and evaluated using real attack methods. It's like going on a threat hunt. As a control and management tool for cyber defense, BAS checks the effectiveness of the security controls used, identifies security gaps and risks, and provides support in the event of an attack.
The added value of BAS
BAS represents a real set-up with real attacks that target a company's productive security controls. BAS thus brings visibility to cyber defense and makes it possible to proactively reduce risks. At the same time, it supports the targeted strategic development of cyber defense:
- Continuous validation of security controls
- The guarantee that the security measures are effective
- Security assessment and risk analysis
- Identification of security gaps before they become a problem
- Prioritization of measures
- Quality assurance
- Reporting and compliance
BAS is also the perfect complement to manual pentests and Purple Teaming.1
Who is BAS suitable for?
BAS is particularly suitable for companies that have already reached a certain level of maturity in cyber defense and want to actively control and manage the risks and quality of their cyber defense. This applies in particular to companies that operate in a complex IT environment with many changes or are heavily regulated due to their industry.
For a company with a very small security stack - i.e. without EDR, NDR, SIEM etc. - a BAS solution cannot play to all its strengths, as there is nothing to compare and optimize. After an initial analysis of the infrastructure, requirements and risk potential, it is advisable to start with a few basic security components.
How does a Breach & Attack simulation work?

Once a BAS solution has been set up, the simulations should ideally run continuously. What does that mean? A BAS solution comprises a large number of possible attacks - and new ones are added every day. Individual attacks are then combined in scenarios to map complex attacks across the entire kill chain. In addition, solutions from SafeBreach, for example, offer scenarios of different categories: those that map threats globally or are only local or industry-specific.
A company decides which scenarios should run and how regularly they should be executed. A security consultant usually defines a selection as a sensible baseline, which can be expanded by the company at any time. Furthermore, ad-hoc scenarios can be run at any time, e.g. to test a current wave of attacks against the company's own security infrastructure.
Automated validation
Within the range of solutions for automated validation, there are various services available to a company that complement each other and pursue different objectives:
Service | Goal | Method | NIST-phase |
---|---|---|---|
Breach & Attack Simulation | Continuous review of the effectiveness of the security controls in place. | Real attack scenarios and threat vectors are executed on and between simulators in the productive network. | Detection and Protection |
Automated Pentest | Identification and exploitation of vulnerabilities to test the security of the system landscape. | Tools are used to exploit vulnerabilities and determine the impact of the attack and the effectiveness of security controls. | Protection |
Tabletop-exercise | Evaluation and improvement of responsiveness and processes. | Role-playing is used to practice emergency situations to improve cooperation and communication. This is purely theoretical and not technical. | Response |
In contrast to conventional manual or automated penetration tests, BAS works on dedicated customer reference systems (the simulators) and the attacks do not take place on the productive endpoint systems. This reduces the risk of productive systems and applications being negatively affected to an absolute minimum.
Why BAS is becoming increasingly important
Why is BAS becoming increasingly important and is seen by many CISOs as a new trend and an important part of their cyber defense? The answer is “speed”. Hackers are fast, while the mills of a company grind rather slowly. If a new vulnerability or threat becomes known on the market today, it takes an average of 24 hours for it to be made available as a scenario by a BAS tool. From then on, a company can run a simulation ad hoc to determine how the security tools used react to the new threat. If a manual penetration test had to be set up first, the hacker would have long since penetrated the system and could cause damage.
Validation of existing security tools
A CISO of a security-conscious company probably already has several tools in use. And they probably don't just rely on one manufacturer, but also manage Microsoft Defender, Splunk, Cybereason, Palo Alto, SentinelOne and many more. But does he also know which tool from which manufacturer has detected, alerted, stopped and perhaps even directly eliminated a threat? And which solution never works and is therefore probably not worth the money? The magic word to find this out is “Validation of Security Controls”, i.e. checking the effectiveness of all security tools. After a BAS, a company receives a granular, easy-to-understand graphical evaluation of the effectiveness of its security tools. The analysis report shows which manufacturer or which tool has logged, detected, stopped or completely missed what percentage of simulations or attacks, for example. If the values in one area are poor, you know where you should invest. A quarterly exchange with an external security analyst can also provide valuable benchmark values from industry peers, as well as tangible recommendations on what the next security measures should look like.
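The per-tool evaluation described above can be sketched as a small aggregation. This is an added example, not code from the article or from any BAS product; the record layout (simulation id, control, outcome), the control names and the sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Outcome ladder from the report described above, weakest to strongest.
OUTCOMES = ["missed", "logged", "detected", "stopped"]

# Constructed sample results (hypothetical format): (simulation id, control, outcome).
SAMPLE_RESULTS = [
    ("sim-001", "edr", "stopped"),
    ("sim-001", "siem", "logged"),
    ("sim-002", "edr", "detected"),
    ("sim-002", "siem", "detected"),
    ("sim-003", "edr", "missed"),
    ("sim-003", "siem", "logged"),
    ("sim-004", "edr", "missed"),
    ("sim-004", "siem", "missed"),
]

def per_control_rates(results):
    """Percentage of simulations per outcome, for each security control."""
    counts = defaultdict(Counter)
    for _sim, control, outcome in results:
        if outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome: {outcome!r}")
        counts[control][outcome] += 1
    rates = {}
    for control, c in counts.items():
        total = sum(c.values())
        rates[control] = {o: round(100 * c[o] / total, 1) for o in OUTCOMES}
    return rates

def best_outcome_per_simulation(results):
    """Strongest outcome that any control achieved for each simulation."""
    best = {}
    for sim, _control, outcome in results:
        if sim not in best or OUTCOMES.index(outcome) > OUTCOMES.index(best[sim]):
            best[sim] = outcome
    return best

def coverage_gaps(results):
    """Simulations that no control detected or stopped (at best only logged)."""
    best = best_outcome_per_simulation(results)
    return sorted(s for s, o in best.items() if o in ("missed", "logged"))

if __name__ == "__main__":
    for control, r in sorted(per_control_rates(SAMPLE_RESULTS).items()):
        print(control, r)
    print("gaps:", coverage_gaps(SAMPLE_RESULTS))
```

The gap list is the part a per-tool percentage alone hides: a simulation counts as covered only if at least one control in the stack detected or stopped it.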
What can you do with the results of a BAS?
- Take the right measures, because they are effective. BAS shows which security tools prevent the exploitation of a vulnerability or detect and stop a threat. This helps a company to further expand its cyber defense measures in the right place and thus be better protected.
- What do you gain from a BAS? Time! Companies that have a BAS in place find out much more quickly whether they are affected by a new vulnerability. They can therefore take protective measures more quickly and get ahead of the hacker.
- Invest in the right (manufacturer) tools. Of course, a BAS solution does not come for free. But the analysis of a BAS provides information on how well existing security software works, which has not failed in any simulation and where something is missing. This means that companies know exactly where they need to invest or where they can save money. And last but not least, it provides arguments for management and the CFO. Because one thing is certain: a successful cyber attack will always cost a company more.
1 The ideal toolbox for a Purple Team
BAS is increasingly establishing itself as a tool for a so-called “purple team exercise”. In this exercise, the Red Team (the hackers) simulates an attack that has to be repelled by the Blue Team (defenders, SOC). The joint assessment of success and failure then results in new cyber security measures. However, given the sheer volume of threats today, it is no longer possible for a purple team to simulate every attack “in person”. And this is exactly where BAS can help, as the scenarios that the BAS tool delivers ready-made can be simulated and tested much faster.