Purple Teaming is a Boon to Incident Readiness and Response
Cyber risk is now widely recognized as one of the top business risks globally, and executives are asking their security leadership what they can do to be better prepared and mitigate this risk. Dusting off that incident response plan when something happens is far from adequate. Organizations need strong incident response capabilities but also incident readiness. To hone their skills, security teams are turning to various exercises designed to help them better anticipate threats and practice their response. One of these exercises is Purple Teaming.
In the last couple of years, we’ve seen an evolution from more traditional simulation exercises that use a Red Team to identify vulnerabilities and launch mock attacks and a Blue Team to detect and respond to attacks, to Purple Teaming exercises. While Red Team/Blue Team models help organizations understand vulnerabilities and prepare for attacks, they pit “attackers” against defenders in exercises that can take weeks or months to complete and learn from.
Instead of an extended war game, Purple Teaming is collaborative and iterative. It brings the Red and Blue Teams together through a more informed and continuous process designed to help the defenders actively get better at mitigating risk from real-world, highly sophisticated attacks. The attack force informs the defense force of the planned attack, executes it, explains the security gaps it took advantage of, and then rewinds so that the defenders can immediately refine their response.
The Purple Team model is designed so that organizations can improve their security posture throughout the exercise to capture immediate and ongoing value. But still, participants often rely heavily on manual methods to execute and defend against attacks. This limits what you can accomplish when resources are tight – both time and budget. However, what if you could use technology to increase the frequency and depth of these exercises to gain even more value, faster? These three technologies are emerging as innovative ways to automate and fine-tune Purple Team activities.
1. Infrastructure analytics platform. Many organizations aren’t aware of everything in their environment – across the network, data center, and cloud – and this lack of knowledge gives attackers the upper hand. One of the first steps in Purple Teaming is to understand the organization’s infrastructure or attack landscape. With an analytics platform that provides a very detailed, informed view of what the attack landscape looks like, you gain an even clearer picture of the risks your organization faces, faster. By automating reconnaissance and some of the attack mapping, this technology allows you to quickly understand the critical assets and the associated threat models. For example, with an inventory of everything on your network, including versions and patch levels, you can correlate that information to public threat and vulnerability databases to quickly generate a list of potential vulnerabilities on the network. Red Teams can use this information to develop more mature and sophisticated attack scenarios, and Blue Teams can use this information to address security gaps more quickly.
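The inventory-to-vulnerability correlation described above, as an added example that is not part of the original article and does not come from any particular analytics product. The inventory, the advisory feed, the product names and the `VULN-EXAMPLE-*` identifiers are all constructed placeholders (not real products or CVE numbers); the point it shows is the version-range matching that such a correlation has to get right, including the classic mistake of comparing version strings lexically.

```python
"""Correlate a software inventory against a vulnerability feed.

Added example. The inventory, the feed and the advisory IDs below are
constructed sample data, not output from any real platform or database.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # placeholder id, not a real CVE number
    product: str
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version (exclusive); None = no fix yet
    severity: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically.

    A plain string comparison would put '2.4.9' after '2.4.49', which
    silently hides affected hosts. Trailing non-numeric suffixes such as
    '-rc1' are ignored for the purpose of the comparison.
    """
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """True when the asset's product version falls in the advisory's range."""
    if asset.product != adv.product:
        return False
    v = parse_version(asset.version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def correlate(assets: List[Asset], advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Return (host, advisory_id, severity) for every match, worst first."""
    hits = [(a.host, adv.advisory_id, adv.severity)
            for a in assets for adv in advisories if is_affected(a, adv)]
    # Highest severity first so the Blue Team knows what to patch first.
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    hits.sort(key=lambda h: (order.get(h[2], 99), h[0]))
    return hits


# Constructed sample inventory (what an analytics platform would collect).
INVENTORY = [
    Asset("web-01", "exampled", "2.4.49"),
    Asset("web-02", "exampled", "2.4.51"),
    Asset("db-01", "exampledb", "13.2"),
    Asset("app-01", "examplefw", "1.9.0"),
]

# Constructed sample advisory feed (placeholder IDs, not real CVEs).
FEED = [
    Advisory("VULN-EXAMPLE-0001", "exampled", "2.4.49", "2.4.51", "critical"),
    Advisory("VULN-EXAMPLE-0002", "exampledb", "13.0", "13.3", "high"),
    Advisory("VULN-EXAMPLE-0003", "examplefw", "2.0.0", None, "medium"),
]

if __name__ == "__main__":
    for host, adv_id, sev in correlate(INVENTORY, FEED):
        print(f"{sev:8} {host:8} {adv_id}")
```

Run stand-alone it lists `web-01` (inside the affected range) and `db-01`, while `web-02` is skipped because it already carries the fixed version and `app-01` because it predates the affected range. A real feed will also carry product-naming differences and vendor backports that shift the fixed version, which is why the advisory's own range data, not just the version number, has to drive the match.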
2. Application performance management. Developed years ago, earlier iterations of application performance management (APM) tools were cumbersome and lacked detail. Today’s more modern APM tools provide a tremendous amount of information that can be used to help analyze code security. Providing views into the objects and methods used in an application, the data flow, and where data is being processed, you can understand the weak points that attackers may use to their advantage. This “inside out” approach to application analysis is much more efficient than a manual, “outside in” approach and can greatly accelerate security analysis activities. For example, when an attack force looks at a web application for vulnerabilities, they look for web pages that aren’t supposed to be there – test, dead, or deprecated pages. Off the radar and long forgotten, these pages are a soft spot that attackers look for, and they are often vulnerable. APM tools can automatically perform reconnaissance to reveal and add this level of detail to Red Team threat modeling and provide security analysts on the Blue Team the insights they need to strengthen defenses.
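One Blue Team way to surface the forgotten test and deprecated pages mentioned above, as an added example that is not code from the article or from any APM product: compare the routes the application actually declares (the kind of handler inventory an APM view of objects and methods gives you) against the paths the web server is really serving. Anything served successfully but not declared is a page nobody owns. The `DECLARED_ROUTES` set and the access-log lines are constructed sample data.

```python
"""Flag served pages that the application does not declare.

Added example. DECLARED_ROUTES stands in for the handler inventory an
APM or framework view would provide; the access-log lines are constructed.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Set

# Constructed: the routes the application code actually registers.
DECLARED_ROUTES: Set[str] = {"/", "/login", "/account", "/api/orders"}

# Constructed access-log excerpt in common log format.
ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /login HTTP/1.1" 200 1024
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /test.php HTTP/1.1" 200 77
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /old/admin.html HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /nothere HTTP/1.1" 404 0
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /api/orders?id=7 HTTP/1.1" 200 300
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /account/42 HTTP/1.1" 200 640
"""

# Pull method, path and status out of the quoted request line.
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def served_paths(log_text: str) -> Dict[str, int]:
    """Count successfully served paths (status < 400), query string stripped."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # skip lines that are not requests
        if int(m.group("status")) >= 400:
            continue                      # 404s etc. were not actually served
        path = m.group("path").split("?", 1)[0]
        counts[path] += 1
    return dict(counts)


def is_declared(path: str, declared: Iterable[str]) -> bool:
    """A path is declared if it matches a route exactly or sits under one.

    Treating '/account/42' as covered by '/account' approximates framework
    routes with parameters; tighten this to your router's real matching.
    """
    for route in declared:
        if path == route:
            return True
        if route != "/" and path.startswith(route + "/"):
            return True
    return False


def undeclared_pages(declared: Set[str], log_text: str) -> List[str]:
    """Served paths with no owning handler: candidates to retire or review."""
    served = served_paths(log_text)
    return sorted(p for p in served if not is_declared(p, declared))


if __name__ == "__main__":
    for page in undeclared_pages(DECLARED_ROUTES, ACCESS_LOG):
        print("undeclared page served:", page)
```

On the sample log this reports `/old/admin.html` and `/test.php`; `/nothere` is ignored because it was never served, and `/account/42` is accepted as an instance of the declared `/account` route. Running this over a week of real logs and feeding the result into the Red Team's threat model gives both sides the same list of stale pages before any attack is emulated.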
3. Security instrumentation platform. Automating many of the activities a Red Team would do, this new technology does the heavy lifting of emulating attacks on your network to test incident readiness. Using a device and agents on different components of your network, a security instrumentation platform helps demonstrate the impact of threats and malicious activities within the context of an organization’s unique environment. It can be used by the Red Team to rapidly target activities, such as emulating a specific type of ransomware campaign or the latest denial of service (DoS) attack in the headlines. The Blue Team can learn if their layers of defenses are working as intended, identify true cybersecurity gaps, and determine how to make the best use of the resources they have and where to prioritize investments.
Purple Teaming is a boon to incident readiness and response. To continue to hone its effectiveness, we need a blend of the right people, process, and technology to enable forward-thinking security analysis techniques. These emerging technologies are just a handful that you can use to gain the visibility and automation necessary to get more from your incident readiness and response efforts. I’m sure there are other innovations you can think of to enhance your Purple Teaming process.