Simulated Attacks – Do we need them?

What is a simulated attack?

This is one of the first questions many organisations find themselves asking. A simulated attack is effectively an assessment which is carried out that mimics a real world attack scenario against an organisation. It attempts to identify vulnerabilities in your organisation in a safe and controlled manner.

But…. Isn’t that what a penetration test is?

Not exactly. A penetration test is typically limited to a physical or virtual system. This could be a web application, a piece of infrastructure, hardware or software in any form. This is often restricted to a “scope” which may be locked down to the following; a set of systems, certain accounts, certain types of testing, and often overlooks one fundamental area of security; the humans.

Why are people a risk to security?

Often, we are the weakest links. Organisations spend huge chunks of their budget targeting the hardware and software they use but often overlook the people who operate them. As a simple example, you could add all the latest security technology such as the latest firewalls, the latest endpoint security software like Anti-Virus scanning or e-mail scanning tools.

You spend thousands of pounds protecting your assets and ensuring your network has the best possible defences. One day, somebody walks straight through your front door, sits down in your breakout area and compromises your entire network.

But wait… How did this happen, I had firewalls, Anti-Virus and the best technology?

All that money spent on security and fancy technology did help secure you from a remote perspective. It stopped the common mail spam, it stopped the basic viruses from spreading around your network.

However, that person you hired to work at reception had no idea that they should stop and challenge people who look out of place. How could they? You assumed you were secure with all the technology you had in place.

So how do Simulated Attacks tie into this?

Effectively, a simulated attack is going to look at all possible avenues to attack your organisation and identify possible vulnerabilities. Typically, it is not limited to certain systems or any particular type of attack. Instead it looks at your organisation as a whole i.e.. the bigger picture, and using the attacker tries to find areas where the current controls may be exploited.


What does a Simulated Attack involve?

Typically, a simulated attack can be broken down into several phases. At a high-level, these phases might include

  1. An initial scoping meeting – Effectively a discussion to identify your concerns, what you want to achieve with the assessment, what the goals of the assessment might be. This will also cover what might be included in the assessment such as people, systems, websites, buildings and other assets.
  2. A proposal is created based on the information provided at the scoping meeting. Another discussion is held to cross the T’s and dot the I’s ensuring that all risks are considered and that everyone is happy with the proposed assessment.
  3. With everything agreed, initial intelligence gathering and implant design can be started. At this stage, testers will use a variety of sources to gather information also known as OSINT to attempt to gather as much information as possible about your organisation and its employees to assist in a successful attack.
  4. Once OSINT is gathered, typically a method of delivering an attack will have been identified. As an example, this might include sending of a phishing email as your organisation disclosed a lot of information about its employees online, their habits, their personal information. There was enough information that the tester felt they could exploit this, potentially tricking one of the employees into clicking a well-crafted email.
  5. The implant is created, the delivery method (email) has been selected and it’s now time to start attacking. An email is created with an attachment, this attachment contains scripts that are known to bypass any anti-virus solution once executed. The email is sent to all employees marked as urgent. The tester now waits.
  6. The untrained unsuspecting employee opens the email. They open the attachment not realising the horror that awaits them. Nothing happens… The employee closes the email and goes back about their day.
  7. The tester has now compromised a host within your organisation. No alarm bells were set off. No staff are aware of what is happening. The integrity of your data is now at risk as is the confidentiality of your organisations data.
  8. The tester will take steps now to maintain access and attempt to identify other systems within the network which they can exploit and gain further access to. All of their actions are logged and recorded, their successes, their failures, obstacles and weaknesses.
  9. Once they have compromised enough systems, or reached the end of the scope which has been agreed the tester will then begin compiling the report for delivery.
  10. A debrief meeting is scheduled. The tester will present their findings, the steps they took, the successes of the project as well as the failures. They will explain the risks associated with each finding along with remedial advice towards mediating the issues. Once all is said and done, a next steps meeting will be arranged to discuss how the remediation has gone and whether the controls are effective.
  11. Let’s remind ourselves that this is a very high-level overview of a simulated attack. Every organisation will have different requirements, some which are more straight forward, others which are far more complex.


You’ve sold me, tell me more about the benefits of Simulated Attacks?

Simulated attacks are a beneficial part of any organisations security testing agenda. They are tailored assessments which are typically not as restrictive as regular penetration testing and also cover more areas of an organisation which replicate a real-world attack.

They are beneficial not only to the organisation, but to staff of the organisation who will learn from the behaviour and actions during these assessments helping them identify and thwart real-world attacks. Your IT team will become more familiar with the types of attacks used and gain insight into some of the techniques readily used by trained simulated attack specialists.

Simulated attacks complement the existing measures such as penetration tests and endpoint security as their goal is to identify any weaknesses in an organisation as a whole. They effectively offer a safe and controlled method to test your organisations security and help identify whether any existing controls need improvement.

Before you go… Are there any disadvantages of a Simulated attack?

Sadly yes. A simulated attack by nature is bound by the agreements between the security provider and the client. If restrictions are in place with regards to the people who can be targeted, the systems which can be targeted then the assessment is limited to that extent.

A real-world attacker will not have the same restrictions, they will not have the same morals. As such, it is our recommendation that to get the most out of your simulated attack you choose a provider that has the experience, is willing to take the time to explain the risks and benefits for each type of assessment and who can work with you to tailor the assessment as best as possible.

It is commonly found that restrictions or caveats are only in place due to fear or lack of understanding. As such, choosing a provider who can explain and help you manage the risks during these types of assessment is crucial to a successful engagement.


Get in touch

ProCheckUp have fully trained CCSAS consultants and if you would like to get in touch with regards to the information provided above or if you would like to enquire about a simulated attack assessment, then please get in touch on 020 7612 7777 or send us an email at