From simulation to emulation: Four ways email attack simulation tools fall short

(Image credit: Shutterstock / GoodStudio)

For as long as there’s been war, there have been games of war. In 1812, a Prussian officer named George Reisswitz invented what is considered to be the first wargame called Kriegsspiel, a board game that was designed to simulate and train military tactics to officers. While this approach to training was quite novel at the time, the practice of using simulations to mimic real-life battles has since become commonplace and of course, significantly more sophisticated.

Two centuries later, attack simulations have likewise played an important role in helping organizations prepare and defend themselves from adversaries in the domain of cybersecurity. In 1999, a former Army officer with a keen interest in military simulation tactics, started the Honeynet Project in which decoy ‘honeypot’ network computers were deployed. Their sole purpose was to attract attackers in order to help security researchers deconstruct the specific techniques hackers were using to infiltrate their networks.

As the enterprise has hardened the network perimeter and improved their ability to deploy timely patches to known vulnerabilities, attackers have increasingly relied on email attacks as their grappling hook to gain their foothold inside the network. As noted in the most recent Verizon Data Breach and Incident Response report, the vast majority (67%) of data breaches are caused by social attacks such as phishing.

About the author

Eyal Benishti is the founder and CEO of IRONSCALES

Which is one of the reasons why the relatively new categories such as Breach Attack Simulation (BAS) and Automated Penetration Testing have emerged as a way to continuously ‘stress test’ the effectiveness of control points and identify the gaps that might exist. However, while these tools will certainly improve an organization’s overall preparedness, they’re limited by one crucial fact: a simulation is only as good as the data that’s being fed into the system. Because most simulation-based systems rely on fictitious and outdated campaign scenarios, organizations are often lulled into complacency and not adequately prepared to meet the challenges of tomorrow’s email threat landscape.

Which is why the next generation of email security systems will rely on emulators instead.

Simulation vs. emulation: What's the difference?

In the context of software, the terms simulation and emulation are often conflated and used interchangeably. Yet there is an important distinction between the two: a simulation refers to the notion of replicating the general behavior of a system while emulators work by duplicating the environment itself. A simulator mimics the basic behavior of a system and provides a model for analysis (such as a flight simulator) whereas an emulator behaves exactly like something else, abiding by all the rules of the system being emulated.

There are four primary ways in which simulation falls short against today’s emerging email threats:

Email authentication standards catch a lot of phish, just not the most dangerous ones

Email security has indeed come a long way in the past decade. Most notably, the broad adoption of authentication protocols such as DMARC, DKIM, and SPF provide an important first layer of defense by authenticating the sender’s domain and identity. While these methods are effective at blocking spam campaigns and other potential malicious messages, they are largely ineffective at identifying and blocking targeted spearphishing attacks such as Business Email Compromise threats that leverage credential harvesting and other social-engineering techniques, enabling them to evade reputation-based Email Security Gateways. And unlike simulation techniques that are patterned from historic campaigns – most of which are no longer effective – emulation-based systems are designed to use current and trending campaign attack data.

Past threats are NOT always a good indication of future threats

These days, almost all investment literature offers the same caveat to prospective investors: “past performance is no guarantee of future success.” Unfortunately, many of the same BAS tools that security teams rely on do not carry a similar disclaimer. While these tools provide organizations with a useful framework for scenario planning and allow them to conduct a higher frequency of simulations in general, their overall efficacy is hamstrung by relying on historical or fictional email campaigns that do not accurately represent the trending phishing attacks that are currently being used by threat actors.

PenTesting rarely approximates real-world conditions

While PenTesting provides a valuable means by which to proactively identify a range of vulnerabilities as well as high-risk weaknesses that often result from a combination of smaller vulnerabilities, they also require skilled analysts to spend hours manually performing tests and writing reports. Moreover, organizations that do embrace PenTesting typically only conduct them on an episodic basis. But perhaps most critically of all, if these tests don’t employ realistic test conditions, the results will be misleading and the organization will believe it’s more prepared than it actually is. As we all have come to learn, genuine attacks come without warning and in creative ways that are difficult to prepare for.

Vulnerability scanning is a tool, not a cure-all

As the Verizon DBIR report points out in this year’s report: “there are lots of vulnerabilities discovered, and lots of vulnerabilities found by organizations scanning and patching, but a relatively small percentage of them are used in breaches.” Of course that doesn’t mean hackers won’t try to exploit an unpatched vulnerability. Rather, it’s more likely that threat actors, regardless of their sophistication level, will always follow a path of least resistance. While vulnerability scanning should be part of every security toolbox, it’s not designed to identify or thwart social engineering attacks, as there is no malware or malicious payload to detect – just a bad actor with bad intentions.

Whether you’re a military strategist or an enterprise CISO, emulation represents a powerful way to understand how an adversary might plot their next attack as well as how you should prepare and respond to potential unknown threats. In the perpetual game of brinkmanship between attacker and defender, it’s more critical than ever that we move beyond first generation simulations and instead look to emulate real and current data into our threat assessment models.

Eya Benishti is the founder and CEO of IRONSCALES, pioneers of self-learning anti-phishing email security that combines human intelleginece and machine learning for automatic prevension, detection and autonomous incident response. He is a Computer Science and Mathematics graduated with honors, Security Researcher, Reverse Engineer and Malware Analyst. He has acted as Java team leader and Technology leader in various positions, 8+ years of practical experience.