TL;DR: Take an in-depth look at Adversarial Controls Testing Assessments (ACT), an offensive security testing approach that evaluates the effectiveness of an organization's email, endpoint, and network security controls by simulating real-world attacks.
This post walks through how the approach can help any organization understand whether its security controls actually prevent, detect, and respond to the threats it faces.
In today's digital age, organizations face an ever-evolving landscape of cybersecurity threats. From sophisticated phishing attacks to advanced persistent threats, the methods employed by cybercriminals are becoming increasingly complex. To effectively combat these threats, organizations must not only invest in robust security controls but also ensure these controls are tested and optimized. This is where the Adversarial Controls Testing Assessment (ACT) comes into play.
What is an Adversarial Controls Testing Assessment?
An Adversarial Controls Testing Assessment (ACT) is an attack-focused offensive security testing approach designed to evaluate the effectiveness of an organization’s email, endpoint, and network security controls. Unlike traditional security assessments that focus on compliance and configuration reviews, ACT uses real-world adversarial tactics, techniques, and procedures (TTPs) to simulate cyberattacks. This method provides a more accurate picture of how well security controls can prevent, detect, and respond to actual threats.
The assessment is typically conducted in collaboration with the organization’s security team. Each test case is tied to a MITRE ATT&CK technique and to the control expected to handle it, so the outcome of every simulated action (prevented, detected, or missed) can be attributed to a specific email, endpoint, or network control. This produces a technique-by-control view of where the defenses hold and where they need improvement.
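To make the technique-to-control mapping concrete, here is an added example (not Bishop Fox's tooling or a deliverable from the original post) that scores a small, constructed set of ACT-style results. The technique IDs are real ATT&CK identifiers; the control names, which technique each control is expected to handle, and the outcomes are assumptions made up for illustration. It rolls the results up per vector and per control, lists the techniques that were neither blocked nor alerted on, and separately flags techniques that were blocked silently, which a prevent-only scorecard would hide.

```python
"""Score the results of an ACT-style controls test, keyed by ATT&CK technique.

Added example, not Bishop Fox's own tooling. Control names and outcomes are
constructed for illustration; the technique IDs are real ATT&CK identifiers.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TestCase:
    technique: str   # ATT&CK technique ID, e.g. "T1566.001"
    vector: str      # "email", "endpoint" or "network"
    control: str     # control expected to handle this technique (hypothetical name)
    prevented: bool  # a preventive control blocked the action
    detected: bool   # a detective control raised an alert the Blue Team saw


# Constructed sample results for one engagement (not real data).
CASES = [
    TestCase("T1566.001", "email",    "Secure email gateway", True,  True),
    TestCase("T1566.002", "email",    "Secure email gateway", False, True),
    TestCase("T1204.002", "endpoint", "EDR",                  True,  True),
    TestCase("T1059.001", "endpoint", "EDR",                  False, True),
    TestCase("T1003.001", "endpoint", "EDR",                  False, False),
    TestCase("T1055",     "endpoint", "EDR",                  True,  True),
    TestCase("T1021.001", "network",  "Network IDS",          False, True),
    TestCase("T1071.001", "network",  "Web proxy",            False, False),
    TestCase("T1048",     "network",  "DLP",                  True,  False),
]


def coverage_by_vector(cases):
    """Count tested/prevented/detected/missed techniques per threat vector.

    A technique is "missed" when it was neither blocked nor alerted on: the
    adversary would have completed it without the organization knowing.
    """
    counts = defaultdict(lambda: {"tested": 0, "prevented": 0, "detected": 0, "missed": 0})
    for c in cases:
        row = counts[c.vector]
        row["tested"] += 1
        row["prevented"] += int(c.prevented)
        row["detected"] += int(c.detected)
        row["missed"] += int(not (c.prevented or c.detected))
    return dict(counts)


def control_scorecard(cases):
    """Per control: (prevent rate, detect rate) over the techniques it owns."""
    per = defaultdict(lambda: [0, 0, 0])  # tested, prevented, detected
    for c in cases:
        tally = per[c.control]
        tally[0] += 1
        tally[1] += int(c.prevented)
        tally[2] += int(c.detected)
    return {name: (p / n, d / n) for name, (n, p, d) in per.items()}


def gaps(cases):
    """Techniques neither prevented nor detected: the findings to fix first."""
    return [(c.technique, c.vector, c.control)
            for c in cases if not (c.prevented or c.detected)]


def silent_blocks(cases):
    """Techniques blocked without any alert.

    The control worked, but the SOC has no visibility into the attempt, so a
    change in attacker tooling that slips past the block would also go unseen.
    """
    return [(c.technique, c.vector, c.control)
            for c in cases if c.prevented and not c.detected]


def report(cases):
    """Plain-text summary in the prevent / detect / respond framing."""
    lines = []
    for vector, row in sorted(coverage_by_vector(cases).items()):
        lines.append(f"{vector:<9} tested={row['tested']} prevented={row['prevented']} "
                     f"detected={row['detected']} missed={row['missed']}")
    for name, (prev, det) in sorted(control_scorecard(cases).items()):
        lines.append(f"{name:<22} prevent={prev:.0%} detect={det:.0%}")
    for tech, vector, control in gaps(cases):
        lines.append(f"GAP   {tech} via {vector}: {control} neither blocked nor alerted")
    for tech, vector, control in silent_blocks(cases):
        lines.append(f"BLIND {tech} via {vector}: {control} blocked it with no alert")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CASES))
```

The two lists at the bottom of the report are the ones that drive remediation: a gap means the technique would have succeeded unnoticed, and a silent block means the preventive control is carrying the whole load with no detective backstop. Tracking both is what distinguishes testing "detective and preventive" controls from a detection-only purple team scorecard.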
How ACT Fits in the Security Testing Landscape
The security testing landscape is crowded, with multiple, overlapping ways to tackle any given use case — and assessing security controls is no different. Here are just a few of the options that are out there, and how they compare with ACT.
- Technical security controls review: While the name sounds similar to ACT, many of these reviews focus narrowly on whether controls are correctly configured and properly implemented, verifying settings, rule sets, and policies. But a control being configured correctly does not guarantee it will prevent or detect a real-world attack.
- Breach and Attack Simulation (BAS): BAS tools are commonly marketed for “Security Controls Validation.” These platforms do test the effectiveness of security controls using automated simulations, but some organizations find their cost and complexity prohibitive. A BAS implementation can take more than a year to fully integrate with existing security infrastructure and to tune well enough to produce reliable results. Customizing a BAS tool to simulate attacks specific to the organization's environment and threat landscape can be complex and requires skilled internal staff to support it.
- Red Teaming: Red Teaming is a goal-driven method of simulating advanced adversary attacks against security defenses to identify weaknesses and improve organizational resiliency against threats. The comprehensive scope of a Red Team engagement, in which TTPs are chained together in an end-to-end attack scenario and often executed stealthily, will by its nature shed light on whether an organization’s security controls are operating effectively. While Red Teaming is a powerful tool in an offensive security arsenal, it can be more effort than is needed for an organization that just wants to know whether its key security controls are doing their job.
- Purple Teaming: Purple Team exercises are highly collaborative, with the testers working closely with the Blue Team (defenders) to enhance security measures through continuous feedback. ACTs follow a similarly collaborative approach, but a key difference is that Purple Teaming typically centers on detections and response playbooks, whereas ACT tests both detective and preventive controls.
The Significance of ACT in Cybersecurity
Realistic Threat Simulation:
One of the primary advantages of ACT is its ability to simulate realistic attack techniques. This allows organizations to see how their security controls perform against the most common attack behaviors employed in security breaches. According to the 2024 Verizon Data Breach Investigations Report, the human element was a component of 68% of breaches, highlighting the significant role that human behavior plays in cybersecurity incidents. By mimicking these real-world attacks, ACT helps identify weaknesses that might otherwise go unnoticed.
Strengthened Resilience:
ACT provides organizations with actionable findings and recommendations, enabling them to continuously improve their defenses. Regular assessments help ensure that security measures evolve alongside emerging threats. According to IDC, 60% of enterprises are consolidating their security tools to enhance performance and reliability; ACT supports this trend by pinpointing which controls are effective and which need enhancement or replacement.
Enhanced Collaboration:
ACT promotes a collaborative approach to cybersecurity. During the assessment, the organization's security detection and response personnel (often referred to as the Blue Team) work closely with external security experts. This partnership fosters knowledge transfer and ensures that internal teams are better equipped to handle future incidents. The 2023 Cost of a Data Breach Report by the Ponemon Institute highlights that organizations with a well-integrated security culture were 49% more likely to successfully detect and respond to cyber threats compared to those without such a collaborative approach.
Threat-Focused Visibility:
With the plethora of threats organizations must contend with, distractions can have dire consequences and prioritization is a necessity. ACT focuses on the security controls aligned to the top threat vectors: email, endpoints, and networks. ACT engagements also take into consideration the organization’s unique environment, industry, and other factors to ensure the assessment is tailored to their needs.
Timely Insights:
In the fast-paced world of cybersecurity, timely insights are essential. ACT engagements typically deliver results within a few weeks, giving organizations quick feedback on their security posture. This rapid turnaround helps address control gaps before adversaries can exploit them. The National Institute of Standards and Technology (NIST) emphasizes the importance of timely detection and response in its Cybersecurity Framework, with which ACT aligns closely.
The increasing complexity of cyber threats necessitates a proactive and comprehensive approach to cybersecurity. An Adversarial Controls Testing Assessment (ACT) offers a realistic, collaborative, and timely method for evaluating and enhancing security controls. By simulating real-world attacks and providing actionable insights, an ACT helps organizations strengthen their defenses and stay ahead of evolving threats. As the cybersecurity landscape continues to evolve, services like ACT will play a crucial role in ensuring that organizations are prepared to detect, prevent, and respond to cyber incidents effectively.