March 26, 2024
Breach and attack simulation (BAS) offers an efficient way to validate and test security controls, threat detection capabilities, logging levels in an environment, and incident response workflows. Simulating cyber attacks in this manner allows security teams to proactively identify and remediate gaps; however, if it is not performed correctly, a security team may end up with a false sense of confidence. It’s important to avoid the three common mistakes below so you can maximize the value of cyber attack simulations for your security program.
One of the biggest mistakes made when running breach and attack simulations is testing on a host that has been configured differently for testing purposes. For example, if you increase the logging levels of Windows events or install additional endpoint products to monitor this host, it is no longer representative of your environmental norm. Testing in this manner can give the illusion that you have the logging needed to detect these types of attacks across the entire environment, when in fact the result represents only the best-case scenario. For the most valuable results, configure the logging on machines where testing is performed exactly like other hosts of the same type.
Ideally, select an existing host in the environment or set up a new host as you would any other host in that area of the network. This can generally be accomplished by using the golden or master image for the environment, since that is what is being used to set up new devices.
Another common oversight in breach and attack simulations is running the agent on a single host and treating that as the end-all, be-all for the status of an environment. Unfortunately, this can create blind spots, as logging can differ based on the following factors.
Logging between servers and workstations typically differs, as logging levels and security controls are higher on critical servers. Testing only on a critical server could give the illusion that all hosts in the environment would detect simulations that were detected on this server. It is best to choose both a server and a workstation to perform testing on.
In addition to testing on both servers and workstations, it’s crucial to test on different operating systems, depending on how commonly they are used in an environment. Each operating system differs in the events that can be logged, the scalability of logging, and how the events are logged, whether through GPO for Windows or through auditd or osquery on a Linux host. Testing on every major operating system in an environment is key to getting accurate cyber attack simulation results.
Finally, other log sources such as firewall, proxy, and IDS logging are likely to differ for hosts in different subnets. Results may also differ between a remote and a local host, because their traffic does not pass through the same network security stack. In light of these possible shortfalls, testing should be conducted on a wide variety of local and remote hosts covering the different operating system types, servers and workstations, and subnets in your environment.
Another mistake commonly made is simulating attacks that reproduce the exact conditions defined in SIEM or EDR detection rules. For example, say you are looking to test a SIEM rule for encoded commands run through PowerShell, where the rule’s criteria are any command line containing the string “-EncodedCommand” with a process name of PowerShell.exe. If you only run a command containing exactly this string, you would miss many other attacks that employ the EncodedCommand parameter in alternative ways:
Using caret characters to escape character injection: powershell.exe -^e^C^
Truncated with alternate capitalized letters: powershell.exe -eNco
By using commands that an attacker would more frequently use, you may discover that your initial threat detection isn’t as robust as you previously thought, and you may want to address this by changing the rule logic to use a regex that detects the EncodedCommand parameter in all its forms. It’s best to test a variety of ways an attacker may perform an action during attack simulations, instead of being too specific to the rule logic already in place. Doing this both validates your current threat detection and drives new threat detection in your environment.
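The point above, as an added example that is not code from this post or from ReliaQuest GreyMatter: the literal substring rule beside a regex-based version that normalizes cmd.exe caret escapes, ignores case, and accepts the truncated parameter spellings, run over a handful of constructed process-creation events. Treating pwsh.exe the same as powershell.exe is an assumption of this example.

```python
import re

# Constructed sample process-creation events (not real telemetry); roughly the
# fields a Windows 4688 or Sysmon event 1 record gives a SIEM. "QQBCAEMA" is
# base64 of the UTF-16LE string "ABC", standing in for an encoded payload.
SAMPLE_EVENTS = [
    {"process": "powershell.exe", "cmdline": "powershell.exe -EncodedCommand QQBCAEMA"},
    # the two variants from the text: caret-escaped, and truncated mixed-case
    {"process": "powershell.exe", "cmdline": "powershell.exe -^e^C^ QQBCAEMA"},
    {"process": "powershell.exe", "cmdline": "powershell.exe -eNco QQBCAEMA"},
    # benign admin usage that must not fire: -ExecutionPolicy also starts with -e
    {"process": "powershell.exe", "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\inv.ps1"},
    # wrong process: the string appears, but this is not a PowerShell launch
    {"process": "cmd.exe", "cmdline": "cmd.exe /c echo -EncodedCommand"},
]


def naive_rule(event):
    """The literal rule from the text: process is PowerShell.exe and the
    command line contains the exact string '-EncodedCommand'."""
    return (event["process"].lower() == "powershell.exe"
            and "-EncodedCommand" in event["cmdline"])


_PARAM = "encodedcommand"
# powershell.exe accepts -EncodedCommand, any prefix of it (-enco, -en, -e),
# and the documented short alias -ec; list them longest first.
_ALIASES = [_PARAM[:n] for n in range(len(_PARAM), 1, -1)] + ["ec", "e"]
# The negative lookahead rejects other parameters that merely share the first
# letters, e.g. -ExecutionPolicy or -ep.
ENCODED_RE = re.compile(r"(?<![\w-])-(?:" + "|".join(_ALIASES) + r")(?![a-z0-9])",
                        re.IGNORECASE)


def normalize_cmdline(cmdline):
    """Strip cmd.exe caret escapes: cmd removes '^' before the child process
    sees its arguments, so match on what powershell.exe actually receives."""
    return cmdline.replace("^", "")


def hardened_rule(event):
    """Regex version: case-insensitive, caret-tolerant, alias-aware.
    Assumption: pwsh.exe (PowerShell 7) is treated like powershell.exe."""
    if event["process"].lower() not in ("powershell.exe", "pwsh.exe"):
        return False
    return ENCODED_RE.search(normalize_cmdline(event["cmdline"])) is not None


def evaluate(events, rule):
    """Return the indices of the events a rule would alert on."""
    return [i for i, ev in enumerate(events) if rule(ev)]


if __name__ == "__main__":
    print("naive rule fires on:   ", evaluate(SAMPLE_EVENTS, naive_rule))
    print("hardened rule fires on:", evaluate(SAMPLE_EVENTS, hardened_rule))
```

Running it shows the naive rule alerting only on the first event, while the regex version catches all three encoded-command launches and stays quiet on the benign and non-PowerShell events.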
ReliaQuest GreyMatter provides integrated, automated cyber attack simulations to validate security controls and detection content.
By following these recommendations around attack simulations, you can increase confidence in your threat detection and logging across your network. Simplify this process even further with ReliaQuest GreyMatter’s integrated cyber attack simulations, which allow multiple agents to be deployed across your environment to give you the assurance you need during testing and provide a substantial number of real-world scenarios.
Learn how to integrate attack simulations into your security operations strategy with the white paper: Continuous Attack Simulations: How to Identify Risk, Close Gaps, and Validate Your Security Controls