Red, purple, or blue? When it comes to offensive security operations, it’s not just about picking one color
When people find out that I’ve spent much of my career being hired by companies to steal their secrets, they usually ask, “Are we doing enough? Do we need a red team?”
The latter is not a question with a simple “yes” or “no” answer. Many companies want a red team to see how they would respond to a real targeted attack, but also because it’s cool to say to colleagues that hackers are lurking about. However, a red team is just one of the options when it comes to leveraging offensive security techniques to improve detection and response.
Organizations often operate under the mistaken impression of being in control without any evidence to support this perception. Unfortunately, this illusion is common because of (among other things) confirmation bias that lingers in board rooms and IT departments: “We haven’t had an attack yet, so we must be doing something right.”
The list of complaints about parachutes that didn’t open is rather short
As we’ve seen in many cyber incidents in the past few years, some attacks have devastating consequences. The problem with negative feedback models is that they don’t work for risk management, let alone cybersecurity in general.
Gradually but steadily building up the defenses of a company is hard work and it takes time – time that can often exceed the career length of those tasked with devising not only a cybersecurity strategy but also its execution. When dealing with businesses that have shareholders to please, how do you cement the future of an organization’s operations by ensuring that they:
- Protect what is relevant to the continued existence of the organization
- Keep their commitments to customers and relevant stakeholders
- Align and anticipate the moving threat landscape by considering the attacker’s viewpoint
- Practice crisis situations with different layers of management
- Continuously test, learn, and improve so that cyber security becomes an enabler and part of the culture (rather than being caricatured as a ball and chain-shaped cost center)?
Organizations with a red team (or those that have performed a targeted penetration test without preparation) are frustrated if neither a pass nor a fail result materializes when expected – or if an attack doesn’t appear on their dashboards when it should have. This is the case even when red teamers gain access to the organization’s critical resources and identify the worst-case scenarios.
As counter-intuitive as this might sound, the fact is that offensive security testing, as part of a vulnerability management process, does not result in just a simple pass or fail. But that doesn’t mean red teaming is not effective when it comes to testing the sum of all security controls, defenses, training, and personnel involved.
Like a fine dining à la carte menu, there is an order in which the palate is challenged with increasing complexity. So, before ordering that red team operation, you should first ensure that each of the following meets what is considered best practice:
Internal asset management as opposed to external asset mapping – What you think you are protecting vs. what an attacker might see
Perform an exhaustive investigation by a trained professional to discover your true attack surface, find any forgotten shadow IT, discover leaked credentials, and unearth domains with no obvious tie to your organization that might pose a risk. Not only does this reveal what the target organization is not focusing on, but it also significantly reduces externally facing risk, because you can now prepare and anticipate based on the exposed assets and your individual threat profile.
Blue teaming trains your resilience from the ground up and enables you to become efficient at identifying and tracking anomalies while knowing what process to follow and when
Blue team exercises focus on assessing the readiness and capability to respond to an attack by simulation, thereby giving a realistic view of the current resilience of the organization. The outcome of a blue team exercise is clear recommendations for improvements of key detection and response measures.
Purple teaming is a range of exercises designed to provide a definitive assessment of detection and containment capabilities
While many offensive security assessments tend to be objective-led, purple teaming exercises execute attack techniques across the kill chain in a de-chained fashion. This is to see if an organization’s detection and response tools can detect and contain simulated attacks with the right process, engagement, and timing. It ensures full exposure to the most relevant and current attacker tradecraft in use and provides a unique opportunity to learn and improve from any challenges encountered (be it in process, training, or technology).
Red teaming is the ultimate stress test to determine whether your cyber security suppliers will perform their duties as trained, or totally freeze up
Red teaming is where SOC and IT security suppliers train their technical skills and their understanding of the company’s inner workings. It also helps them understand the capabilities and limitations of their detection tools and respond appropriately by containing the situation and attempting to eradicate the intrusion, all while documenting the proceedings for later review. The more diligent readers among you will have noticed that stopping a targeted cyberattack from occurring was not part of this equation: that’s because a targeted attack will always work.
Red team providers differ in focus, skills, and maturity. That said, if your red team provider cannot adapt and gets caught right off the bat, it might be time to increase your red team budget to hire the A+ teams. Red teaming should not become a rhythm exercise or a compliance check. It is there to perform a fire response test with everything but the fire. Red team testing goes beyond assumptions and tests what is vital to your business. The outcome provides invaluable information to organizations in knowing and understanding gaps that might lead to an undetected incident. Changes can be introduced and informed business decisions made only when the risks are known.
What binds all of the above services together is that areas of both strength and weakness should be reported and highlighted. Additionally, all must be performed sequentially and continuously, enabling organizations to use the outputs from each development area and measure incremental improvement. Your IT infrastructure might look static from your perspective, and meeting rooms might be filled with utterances such as “but nothing has changed on our side.” However, even if nothing has theoretically changed on your side, that doesn’t mean attacks are not getting cheaper, better, and faster.
Cyber criminals are constantly finding new ways in and will capitalize on any gap or weakness they can find. Continuously running these four initiatives while being realistic, data-driven, and humble about one’s security posture keeps attackers at bay and generates success.