July 20th, 2022
Author: Chris Clements, VP Solutions Architecture, Cerberus Sentinel (now CISO Global)
Editor’s note: The following is a sponsored blog post from Cerberus Sentinel (now CISO Global):
It’s pen test time again. Time to get updated quotes from vendors and put something on the schedule ahead of the compliance deadline, but will this year’s results be any different than last time? Year after year, pen testers find something you missed that gives them complete control of your network. You remediate according to their findings, rinse and repeat. But why are they so consistently successful finding pathways to your network, even after you remediate?
As an ethical hacker, I love penetration tests. Well, that’s not entirely true. I love the hacking part. Report writing is not exactly a gleeful weekend activity anyone is chomping at the bit to go do … but I digress. In my many years of pen testing full-time, I never tired of hunting through people’s networks for opportunities to pick off the systems and applications that would eventually give me control of their entire IT operations. It felt like being in a digital “Mission Impossible” movie, but it also led to some strange interactions with IT personnel responsible for defense, or the ”blue team.”
Let me explain. More than once, I encountered defenders with the attitude that they were bulletproof. That their network was a proverbial Fort Knox. That always struck me as deeply confusing. Do they know what I know? Do they know that I can download and execute exploit code completely in memory invisible to their antivirus? Do they understand that Windows stores their 20 character randomly generated password cleartext in memory and that I can read it directly from there without having to intercept it or crack it? (Note: both specific issues have been mostly mitigated in recent years).
In retrospect, I realize there was another approach that could have offered so much more value to clients and would have put us on the same team. After all, we both have the end goal of helping them strengthen their defenses because I always cared deeply about their security status and wanted to be supportive.
It was truly a feel-good experience to demonstrate real-world risk to organizations before attackers could take advantage. It felt supportive to give them specific actions they could take to improve their defenses, but even as comprehensive as I tried to be, I was still just giving them steps to prevent one path of the many I could have leveraged to compromise their networks. I was teaching them to stop a situation, but not how to stop me. As a rule, if you can’t detect and stop penetration testers, you have no hope of stopping an actual cyberattack.
So, how can ethical hackers give you more value and truly make a difference?
Purple Team: Make the Hackers Work for You
Purple Team exercises change the entire equation. Instead of a “red team” – where the offense works in isolation to minimize detection and response – a purple team exercise focuses on being purposefully collaborative with your defenders, the blue team. Professional ethical hackers work alongside your team, taking you though the entire process using expansive tools like the MITRE ATT&CK framework to validate your detection and response capabilities. These seasoned experts also walk through unconventional attack pathways utilized by real-world cybercriminals and help you design and implement defensive strategies in real time.
How is a Purple Team Different from a Tabletop Exercise?
Tabletop exercises are fantastic for conceptualizing overall risk and forming a plan for areas to invest in cybersecurity defense, but with a tabletop, you are strategizing about how a cybersecurity “fight” will go. The problem is that attackers rarely target your strengths. Instead, they adapt to seek out any weaknesses they can capitalize on. Mike Tyson’s famous quote about how plans go during a fight couldn’t be more apt here – “Everyone has a plan ‘till they get punched in the mouth.” A purple team is different than a tabletop exercise in that it allows the red team to test, while you adapt the defensive plan against the real-world components of a cyberattack in a proactive operation. In other words, the attackers and defenders are in a friendly sparring session together.
Imagine having a ransomware operator sitting with you as they worked and explained their actions. “I expect you to lock accounts after three incorrect password guesses, so I’m going to try “Spring2022!” once across every user account. Let’s talk about how to detect that.” (Side note, would this pass your password policy? Because it’s the first one I would try.) Or, “I notice you are running X antimalware that I know I can bypass with this encoding, so what’s our next layer of defense?” The important difference between a red team and a purple team is that the goal isn’t to identify and remediate a single attack pathway, but to be able to detect and shut down how an attacker operates.
The Benefit: Meaningful Defensive Improvement
By working hand-in-hand in a purple team engagement, red and blue teams together can accomplish more than either team working in isolation. By learning the techniques of attackers rather than their outcomes, defenders can identify better strategies to thwart an actual cyberattack by restricting a cybercriminal’s ability to operate in their environment with meaningful prevention and detection controls and processes. Purple teams can make an immediate impact on any organization’s cybersecurity resiliency but have tremendous value on an ongoing basis, as well.
Cybercriminals are constantly modifying and evolving their attacks. To stay secure, defenders need to stay up to date on new threats and continuously update their defensive strategies and tools to combat them, and purple teams are the perfect way to ensure that. Purple teams may be more costly or resource-intensive to perform, but it’s one of the highest-value cybersecurity investments that any organization can make.
First published on ISACA Now Blog