Implementing Continuous Security Validation with BAS

Overview

Breach and Attack Simulation (BAS) is an automated, continuous approach to validating security control effectiveness by safely executing real-world attack techniques against production security infrastructure. Unlike traditional penetration testing (point-in-time), BAS platforms continuously simulate threats mapped to MITRE ATT&CK, testing endpoint protection, network security, email gateways, SIEM detection, and incident response capabilities. Leading platforms include SafeBreach, AttackIQ, Picus Security (2024 Gartner Customers' Choice), Cymulate, Pentera, and SCYTHE. BAS 2.0 solutions safely emulate real attacker behavior across the entire IT environment without requiring pre-deployed agents on every endpoint.

When to Use

• When deploying or configuring implementing continuous security validation with bas capabilities in your environment
• When establishing security controls aligned to compliance requirements
• When building or improving security architecture for this domain
• When conducting security assessments that require this implementation

Prerequisites

• BAS platform license (SafeBreach, AttackIQ, Picus, Cymulate, or Pentera)
• Deployed security controls to validate (EDR, NGFW, email gateway, SIEM, WAF)
• MITRE ATT&CK framework familiarity
• Network segments accessible by BAS agents/simulators
• Security operations team to act on validation results
• Change management approval for running simulations in production

Core Concepts

BAS vs Traditional Security Testing

Aspect	BAS	Penetration Testing	Red Team
Frequency	Continuous/scheduled	Annual/quarterly	Annual
Automation	Fully automated	Manual with tools	Manual
Scope	Full kill chain	Specific targets	Goal-oriented
Safety	Safe simulation, no exploitation	Controlled exploitation	Real exploitation
Coverage	Thousands of techniques	Hundreds of tests	Focused scenarios
Output	Control gap analysis	Vulnerability report	Narrative report
Cost model	Subscription	Per engagement	Per engagement

MITRE ATT&CK Coverage Mapping

Tactic	Example BAS Simulations	Controls Tested
Initial Access	Phishing payload delivery, exploit public apps	Email gateway, WAF, IPS
Execution	PowerShell, WMI, malicious macros	EDR, application control
Persistence	Registry run keys, scheduled tasks, services	EDR, SIEM detection rules
Privilege Escalation	Token manipulation, UAC bypass	EDR, PAM, SIEM
Defense Evasion	Process injection, obfuscation, timestomping	EDR, behavioral analytics
Credential Access	Mimikatz, Kerberoasting, LSASS dump	EDR, credential guard
Discovery	AD enumeration, network scanning	SIEM, NDR
Lateral Movement	PsExec, WMI, RDP, SMB	NDR, microsegmentation
Collection	Screen capture, keylogging, email collection	DLP, UEBA
Exfiltration	HTTP/DNS exfil, cloud storage upload	DLP, CASB, proxy
Command & Control	C2 beaconing, DNS tunneling, encrypted channels	NGFW, proxy, NDR

Security Control Validation Score

Control Effectiveness = (Attacks Prevented + Attacks Detected) / Total Attacks Simulated * 100

Example:
  Total simulations:  500
  Prevented (blocked): 350
  Detected (alerted):  100
  Missed (no action):   50

  Prevention Rate: 350/500 = 70%
  Detection Rate:  100/500 = 20%
  Overall Score:   450/500 = 90%
  Gap Rate:         50/500 = 10%

Workflow

Step 1: Deploy BAS Platform Components

Architecture:
  Management Console (Cloud SaaS):
    - Central orchestration and reporting
    - Attack scenario library management
    - MITRE ATT&CK mapping dashboard

  Simulation Agents:
    - Attacker Agent: Simulates threat actor behavior
    - Target Agent: Receives simulated attacks
    - Network Agent: Tests network-level controls

  Deploy agents across zones:
    - Corporate network (workstations)
    - DMZ (web servers)
    - Data center (critical servers)
    - Cloud environments (AWS/Azure/GCP)
    - Remote/VPN segment

Step 2: Configure Attack Scenarios

# Example BAS scenario configuration
scenario:
  name: "APT29 (Cozy Bear) Full Kill Chain"
  threat_group: APT29
  mitre_attack_techniques:
    - T1566.001  # Spearphishing Attachment
    - T1059.001  # PowerShell Execution
    - T1547.001  # Registry Run Key Persistence
    - T1003.001  # LSASS Memory Credential Dump
    - T1021.002  # SMB/Windows Admin Shares
    - T1071.001  # Web Protocol C2
    - T1048.003  # DNS Exfiltration

  phases:
    - name: "Initial Access"
      actions:
        - deliver_phishing_payload:
            type: office_macro
            target: email_gateway
            variants: [docm, xlsm, ppam]

    - name: "Execution & Persistence"
      actions:
        - execute_powershell:
            encoded: true
            amsi_bypass: true
        - create_scheduled_task:
            technique: T1053.005

    - name: "Credential Access"
      actions:
        - dump_lsass:
            method: [procdump, comsvcs, nanodump]

    - name: "Lateral Movement"
      actions:
        - psexec_lateral:
            target: internal_server
        - wmi_lateral:
            target: file_server

    - name: "Exfiltration"
      actions:
        - dns_exfiltration:
            data_size: 10MB
            encoding: base64

Step 3: Map Results to Security Controls

def map_bas_results_to_controls(simulation_results):
    """Map BAS results to security control effectiveness."""
    control_scores = {}

    control_mapping = {
        "email_gateway": ["T1566.001", "T1566.002", "T1566.003"],
        "edr": ["T1059.001", "T1003.001", "T1055", "T1547.001"],
        "ngfw": ["T1071.001", "T1071.004", "T1048"],
        "siem": ["T1053.005", "T1021.002", "T1087"],
        "dlp": ["T1048.003", "T1567", "T1041"],
        "ndr": ["T1071", "T1021", "T1040"],
    }

    for control, techniques in control_mapping.items():
        relevant = [r for r in simulation_results
                    if r["technique_id"] in techniques]
        if not relevant:
            continue

        prevented = sum(1 for r in relevant if r["result"] == "prevented")
        detected = sum(1 for r in relevant if r["result"] == "detected")
        missed = sum(1 for r in relevant if r["result"] == "missed")
        total = len(relevant)

        control_scores[control] = {
            "total_tests": total,
            "prevented": prevented,
            "detected": detected,
            "missed": missed,
            "prevention_rate": round(prevented / total * 100, 1),
            "detection_rate": round(detected / total * 100, 1),
            "effectiveness": round((prevented + detected) / total * 100, 1),
        }

    return control_scores

Step 4: Schedule Continuous Validation

Validation Schedule:
  Daily:
    - Malware delivery simulation (email gateway test)
    - C2 communication simulation (firewall/proxy test)
    - Known ransomware behavior simulation (EDR test)

  Weekly:
    - Full kill chain simulation (APT scenario)
    - Lateral movement simulation (network segmentation test)
    - Data exfiltration simulation (DLP test)

  Monthly:
    - Full MITRE ATT&CK coverage assessment
    - New threat group TTP simulation
    - Regression testing after security control changes

  On-Demand:
    - After firewall rule changes
    - After EDR policy updates
    - After new threat intelligence (zero-day response)

Best Practices

1. Start with known threat group simulations relevant to your industry
2. Always run simulations in safe mode first before enabling full emulation
3. Coordinate with SOC team so they can distinguish BAS traffic from real attacks
4. Use BAS results to prioritize SIEM detection rule development
5. Track control effectiveness scores over time to demonstrate security posture improvement
6. Integrate BAS with ticketing systems to auto-generate remediation tickets for gaps
7. Run validation after every security control change to catch regressions
8. Map all simulations to MITRE ATT&CK for standardized reporting

Common Pitfalls

• Running BAS without informing the SOC, causing unnecessary incident response
• Testing only prevention and ignoring detection/response validation
• Not acting on BAS findings, leading to persistent security gaps
• Deploying BAS agents only in one network zone, missing cross-zone gaps
• Focusing only on commodity threats instead of APT-relevant scenarios
• Treating BAS as a replacement for penetration testing rather than a complement

Related Skills

• implementing-attack-path-analysis-with-xm-cyber
• performing-purple-team-exercise
• implementing-siem-use-cases-for-detection
• implementing-threat-modeling-with-mitre-attack