From cybersecurity-skills
Deploys Breach and Attack Simulation (BAS) tools to continuously validate security controls by safely emulating MITRE ATT&CK techniques across production infrastructure.
npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skillsThis skill uses the workspace's default tool permissions.
Breach and Attack Simulation (BAS) is an automated, continuous approach to validating security control effectiveness by safely executing real-world attack techniques against production security infrastructure. Unlike traditional penetration testing (point-in-time), BAS platforms continuously simulate threats mapped to MITRE ATT&CK, testing endpoint protection, network security, email gateways, ...
Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.
Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.
Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.
Breach and Attack Simulation (BAS) is an automated, continuous approach to validating security control effectiveness by safely executing real-world attack techniques against production security infrastructure. Unlike traditional penetration testing (point-in-time), BAS platforms continuously simulate threats mapped to MITRE ATT&CK, testing endpoint protection, network security, email gateways, SIEM detection, and incident response capabilities. Leading platforms include SafeBreach, AttackIQ, Picus Security (2024 Gartner Customers' Choice), Cymulate, Pentera, and SCYTHE. BAS 2.0 solutions safely emulate real attacker behavior across the entire IT environment without requiring pre-deployed agents on every endpoint.
| Aspect | BAS | Penetration Testing | Red Team |
|---|---|---|---|
| Frequency | Continuous/scheduled | Annual/quarterly | Annual |
| Automation | Fully automated | Manual with tools | Manual |
| Scope | Full kill chain | Specific targets | Goal-oriented |
| Safety | Safe simulation, no exploitation | Controlled exploitation | Real exploitation |
| Coverage | Thousands of techniques | Hundreds of tests | Focused scenarios |
| Output | Control gap analysis | Vulnerability report | Narrative report |
| Cost model | Subscription | Per engagement | Per engagement |
| Tactic | Example BAS Simulations | Controls Tested |
|---|---|---|
| Initial Access | Phishing payload delivery, exploit public apps | Email gateway, WAF, IPS |
| Execution | PowerShell, WMI, malicious macros | EDR, application control |
| Persistence | Registry run keys, scheduled tasks, services | EDR, SIEM detection rules |
| Privilege Escalation | Token manipulation, UAC bypass | EDR, PAM, SIEM |
| Defense Evasion | Process injection, obfuscation, timestomping | EDR, behavioral analytics |
| Credential Access | Mimikatz, Kerberoasting, LSASS dump | EDR, credential guard |
| Discovery | AD enumeration, network scanning | SIEM, NDR |
| Lateral Movement | PsExec, WMI, RDP, SMB | NDR, microsegmentation |
| Collection | Screen capture, keylogging, email collection | DLP, UEBA |
| Exfiltration | HTTP/DNS exfil, cloud storage upload | DLP, CASB, proxy |
| Command & Control | C2 beaconing, DNS tunneling, encrypted channels | NGFW, proxy, NDR |
Control Effectiveness = (Attacks Prevented + Attacks Detected) / Total Attacks Simulated * 100
Example:
Total simulations: 500
Prevented (blocked): 350
Detected (alerted): 100
Missed (no action): 50
Prevention Rate: 350/500 = 70%
Detection Rate: 100/500 = 20%
Overall Score: 450/500 = 90%
Gap Rate: 50/500 = 10%
Architecture:
Management Console (Cloud SaaS):
- Central orchestration and reporting
- Attack scenario library management
- MITRE ATT&CK mapping dashboard
Simulation Agents:
- Attacker Agent: Simulates threat actor behavior
- Target Agent: Receives simulated attacks
- Network Agent: Tests network-level controls
Deploy agents across zones:
- Corporate network (workstations)
- DMZ (web servers)
- Data center (critical servers)
- Cloud environments (AWS/Azure/GCP)
- Remote/VPN segment
# Example BAS scenario configuration
scenario:
name: "APT29 (Cozy Bear) Full Kill Chain"
threat_group: APT29
mitre_attack_techniques:
- T1566.001 # Spearphishing Attachment
- T1059.001 # PowerShell Execution
- T1547.001 # Registry Run Key Persistence
- T1003.001 # LSASS Memory Credential Dump
- T1021.002 # SMB/Windows Admin Shares
- T1071.001 # Web Protocol C2
- T1048.003 # DNS Exfiltration
phases:
- name: "Initial Access"
actions:
- deliver_phishing_payload:
type: office_macro
target: email_gateway
variants: [docm, xlsm, ppam]
- name: "Execution & Persistence"
actions:
- execute_powershell:
encoded: true
amsi_bypass: true
- create_scheduled_task:
technique: T1053.005
- name: "Credential Access"
actions:
- dump_lsass:
method: [procdump, comsvcs, nanodump]
- name: "Lateral Movement"
actions:
- psexec_lateral:
target: internal_server
- wmi_lateral:
target: file_server
- name: "Exfiltration"
actions:
- dns_exfiltration:
data_size: 10MB
encoding: base64
def map_bas_results_to_controls(simulation_results):
"""Map BAS results to security control effectiveness."""
control_scores = {}
control_mapping = {
"email_gateway": ["T1566.001", "T1566.002", "T1566.003"],
"edr": ["T1059.001", "T1003.001", "T1055", "T1547.001"],
"ngfw": ["T1071.001", "T1071.004", "T1048"],
"siem": ["T1053.005", "T1021.002", "T1087"],
"dlp": ["T1048.003", "T1567", "T1041"],
"ndr": ["T1071", "T1021", "T1040"],
}
for control, techniques in control_mapping.items():
relevant = [r for r in simulation_results
if r["technique_id"] in techniques]
if not relevant:
continue
prevented = sum(1 for r in relevant if r["result"] == "prevented")
detected = sum(1 for r in relevant if r["result"] == "detected")
missed = sum(1 for r in relevant if r["result"] == "missed")
total = len(relevant)
control_scores[control] = {
"total_tests": total,
"prevented": prevented,
"detected": detected,
"missed": missed,
"prevention_rate": round(prevented / total * 100, 1),
"detection_rate": round(detected / total * 100, 1),
"effectiveness": round((prevented + detected) / total * 100, 1),
}
return control_scores
Validation Schedule:
Daily:
- Malware delivery simulation (email gateway test)
- C2 communication simulation (firewall/proxy test)
- Known ransomware behavior simulation (EDR test)
Weekly:
- Full kill chain simulation (APT scenario)
- Lateral movement simulation (network segmentation test)
- Data exfiltration simulation (DLP test)
Monthly:
- Full MITRE ATT&CK coverage assessment
- New threat group TTP simulation
- Regression testing after security control changes
On-Demand:
- After firewall rule changes
- After EDR policy updates
- After new threat intelligence (zero-day response)