By: Michael Oglesby, Executive Vice President, Services and Innovation
The past few years have marked a turning point in cybersecurity, driven by ubiquitous connectivity, digitalization, and an unrelenting flow of data. Keeping up with terminology in this constantly changing landscape can be confusing. Even more challenging is keeping up with the way particular terms are used differently across different organizations.
For example, when trying to distinguish among Blue Team, Red Team, Black Box, White Box, and now Purple Team exercises, it can be hard to tell whether you are dealing with established terminology or marketing buzzwords unless you are a security testing insider. To complicate things further, some organizations have begun advocating for yellow, orange, and even green teams.
However, when it comes time to plan your security initiatives for the upcoming year, you need to know what kind of security testing is going to give you the best results. Are we talking about offense or defense? Internal or external? Penetration testing or a vulnerability assessment? One-time or ongoing? We can explore a number of these topics going forward, but in this blog I am going to focus specifically on Purple Team exercises: laying out key definitions, the purpose behind this style of exercise, the key stakeholders you will want to involve, and the outcomes you should expect.
Going Beyond the Traditional Attack – Defend – Report – Repeat cycle
The recent trend toward greater granularity in how penetration testing is scoped, along with its colorful naming system, reflects a real need to align security testing with the capabilities of the organization. What this should signify is not the need to have a team for every color in the rainbow, but the recognition of a significant shift in how organizations approach IT security. These new color designations are primarily tied to the processes around remediation and the proactive steps that will measurably improve your security posture, quarter over quarter. In other words, people are starting to recognize that many organizations go from pen test to pen test, or scan to scan, without any measurable improvement in their security posture. So there is a push for someone within (or on behalf of) your organization to own the tasks and the outcomes. Someone has to be proactively implementing new controls, patching and remediating identified vulnerabilities, pushing policies out to endpoints, and training end users; in short, growing your existing program.
The reality is that, as hard as people work to protect themselves, budget and staffing constraints mean that in most organizations there is a strong disconnect between Red Team findings and Blue Team follow-through. Despite annual or quarterly penetration tests, many of the vulnerabilities identified go unremediated for lack of the time, budget, and internal expertise needed to address the underlying gaps. And that is before counting the gaps and vulnerabilities the test never uncovered, which can turn out to be the costly ones.
What kinds of testing and which kinds of teams do I need to understand?
First, let's define our terms. While there are many terms and buzzwords people may reference, the most important things to define are the goals and anticipated outcomes of your security testing process. Narrowing down which kind of testing will make the most impact can be challenging, but here are some key questions to help you through the selection process:
- What is your ultimate goal for testing?
- Do you have a dedicated IT Security team?
- When was the last time you undertook a live test of your Incident Response plan?
- Have you deployed new technologies since the last security test?
- During the last breach or IR exercise, were there gaps or blind spots identified?
Red Team Defined
In its purest form, a simulated attack is what you have heard called a Penetration Test, wherein a Red Team (typically external or outsourced) takes an adversarial approach, launching an attack against some part of your environment or a particular application to see how far they can get before the Blue Team finds or stops them. Strictly speaking, the two differ in scope: a penetration test tries to enumerate as many exploitable weaknesses as it can within a defined boundary, while a Red Team engagement pursues a specific objective and tests whether the defenders notice. The goal of a Red Team is to identify any areas you may have thought were secure but which need attention before they will actually hold up in an attack. A Red Team does not necessarily set out to find every single weakness every single time, because it takes whichever route gets it in the door first, exactly as a real cybercriminal would. That is why many organizations undertake full-scale testing multiple times throughout the year, and why it does not take the place of other security duties such as vulnerability management.
Blue Team Defined
A Blue Team is defined as the group of people who make up your organization's cyber defense. This includes everyone involved in the implementation, ongoing evaluation, and effective management of security controls within your environment. Depending on how you have assembled your team, this could include anyone from your internal IT security staff, to a managed security service provider, to an outsourced cloud platform host, to any of numerous cybersecurity vendors.
Before you turn a Red Team loose to undertake a formal attack on your environment, you will want to be sure the Blue Team has had a chance to assess for obvious, high-level gaps and remediate them first. Metaphorically speaking, no coach would walk into a preseason scrimmage without at least running a few practices, assigning positions, trying out some key plays, and providing instruction around known areas of weakness.
Essentially, security testing is like a war game: the attack scenarios are modeled on those cybercriminals actually use, but the scope and rules of engagement ensure that no one gets hurt, your data is not actually stolen, and your systems are not actually hijacked or destroyed.
Where does Purple Team fit?
Purple Team Exercises pull everyone on the Red and Blue teams together for a pre-planned exercise that combines testing and remediation in one setting, like a coached scrimmage. Additionally, Purple Team Exercises typically cover more than just the first available path to compromising your defenses. Unlike a tabletop exercise, the techniques are actually executed: the Red Team emulates multiple Tactics, Techniques, and Procedures (TTPs) over the course of the engagement, launching each attack and then waiting for the Blue Team to indicate whether it was detected and how it was responded to. Any weakness or gap in detection or response is identified on the spot, and the teams immediately support remediation (for example, tuning a detection rule or adding a missing control) before moving on to the next technique.
The result of a Purple Team Exercise is that the team walks away with a more comprehensive picture of what needs to be addressed, along with the knowledge that actions are already being taken to harden and improve your environment.
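To make the exercise record concrete, the following added example (not code from the original post or from Cerberus Sentinel) models the scorecard a Purple Team exercise produces: one record per emulated TTP with the Blue Team's observed detection and response, rolled up into detection gaps, response gaps, median time to detect, and a remediation backlog. The technique identifiers, descriptions, and timings are constructed placeholders, and the assumption that teams track techniques by an ATT&CK-style ID is mine, not the post's.

```python
"""Purple Team exercise scorecard.

Added illustration, not tooling from the original post or from Cerberus Sentinel.
Each TTPResult is one technique the Red Team emulated, with what the Blue Team
observed: whether it was detected, how long that took, whether the response
actually stopped it, and the remediation agreed on the spot. The Scorecard
rolls those up into the gap list and remediation backlog the exercise is meant
to produce. Technique identifiers and descriptions below are constructed
placeholders (teams usually track these as ATT&CK technique IDs; an assumption).
"""
from dataclasses import dataclass, field
from statistics import median
from typing import Optional


@dataclass
class TTPResult:
    technique: str                           # e.g. an ATT&CK ID; placeholders here
    description: str
    detected: bool
    seconds_to_detect: Optional[int] = None  # set only when detected
    responded: bool = False                  # Blue Team contained or blocked it
    remediation: str = ""                    # fix agreed during the exercise, if any

    def __post_init__(self) -> None:
        # Enforce the exercise's own logic: you cannot respond to what you never
        # saw, and a detection without a time-to-detect is not a usable data point.
        if self.detected and self.seconds_to_detect is None:
            raise ValueError(f"{self.technique}: detected results need seconds_to_detect")
        if not self.detected and (self.seconds_to_detect is not None or self.responded):
            raise ValueError(f"{self.technique}: undetected results cannot carry detect time or response")

    @property
    def has_gap(self) -> bool:
        # Anything short of "detected and stopped" is a gap the exercise must surface.
        return not (self.detected and self.responded)


@dataclass
class Scorecard:
    results: list[TTPResult] = field(default_factory=list)

    def record(self, result: TTPResult) -> None:
        self.results.append(result)

    def detection_gaps(self) -> list[str]:
        """Techniques that ran without any alert: the blind spots."""
        return [r.technique for r in self.results if not r.detected]

    def response_gaps(self) -> list[str]:
        """Techniques that were seen but not stopped: detection without response."""
        return [r.technique for r in self.results if r.detected and not r.responded]

    def coverage(self) -> float:
        """Fraction of emulated techniques that produced a detection."""
        if not self.results:
            return 0.0
        return sum(r.detected for r in self.results) / len(self.results)

    def median_seconds_to_detect(self) -> Optional[float]:
        times = [r.seconds_to_detect for r in self.results if r.detected]
        return median(times) if times else None

    def backlog(self) -> list[tuple[str, str]]:
        """(technique, remediation) for every gap that already has an agreed fix."""
        return [(r.technique, r.remediation) for r in self.results if r.has_gap and r.remediation]

    def open_gaps(self) -> list[str]:
        """Gaps nobody has committed to fixing yet; these are the ones that linger."""
        return [r.technique for r in self.results if r.has_gap and not r.remediation]


def build_sample_scorecard() -> Scorecard:
    """Constructed results from a hypothetical one-day exercise."""
    sc = Scorecard()
    sc.record(TTPResult("TTP-01", "phishing email with macro payload",
                        detected=True, seconds_to_detect=900, responded=True))
    sc.record(TTPResult("TTP-02", "local credential dumping",
                        detected=True, seconds_to_detect=3600, responded=False,
                        remediation="route the endpoint alert to the on-call rotation"))
    sc.record(TTPResult("TTP-03", "lateral movement over a remote admin service",
                        detected=False,
                        remediation="add an alert on remote service creation from workstations"))
    sc.record(TTPResult("TTP-04", "staging data into an archive before exfiltration",
                        detected=False))   # no fix agreed yet: still an open gap
    return sc


if __name__ == "__main__":
    sc = build_sample_scorecard()
    print(f"detection coverage: {sc.coverage():.0%}")
    print(f"median seconds to detect: {sc.median_seconds_to_detect()}")
    print("detection gaps:", sc.detection_gaps())
    print("response gaps:", sc.response_gaps())
    print("backlog:", sc.backlog())
    print("open gaps (no owner yet):", sc.open_gaps())
```

The `open_gaps` list is the one to watch: a technique that was missed and left without an agreed remediation is exactly the finding that, in the pen-test-to-pen-test cycle described above, would sit unremediated until the next engagement rediscovers it.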
Questions about Purple Team Exercises or about improving your organization's IT environment? Reach out to Cerberus Sentinel.