Cybersecurity Purple Team
Rberny 2024
Almost always when we talk about cybersecurity, we speak from the point of view of someone who is defending and protecting themselves with everything they can. That is a very great advance, but I remind you that the first thing is to prevent, and to prevent we must analyze and be very aware of what we have, what we lack and what we will never have.
“Regardless of an organization's size and industry, one of the most effective ways to uncover infrastructure vulnerabilities and thwart potential cyber threats is to rely on the expertise of red and blue teams.”
Look, today I will talk to you about a scheme that will help us review how far along the right path we are toward being properly protected. For this I propose the continuous emulation of adversaries, which has become a cornerstone of the continuous purple team methodology.
Traditionally
We can define that a red team performs penetration testing and vulnerability assessments, and a blue team responds to incidents while building and maintaining the organization's defenses. Since the red team has the responsibility of challenging the blue team's defenses, it is no surprise that there is a gap between the two; some might even say they do not like each other. However, there is a way to bridge that gap, and that's where purple teams come in.
Well, this is a disruptive thought that we had already talked about before. At the time I mentioned that purple teams are not used as much and have not existed as long as red and blue teams; however, more and more organizations are moving away from the outdated “red team versus blue team” methodology and embracing cooperation between the two.
So this is how red and blue mixed together make purple: purple teams are there to help the two work symbiotically, with the ultimate goal of improving the security of an organization.
Shall we go deeper? Of course, let us see how it differs from traditional penetration testing and begin to explore the offensive spectrum of cyber exercises, simulating known adversaries within our own IT environments and aiming to transition from theory to practice.
Wow! Many will wonder: so how do I outline my business continuity plan, or how do I plan incident responses? First, they do not change, unless penetration tests and vulnerability searches provide alert data. In this way we will see, in a very concrete way, practical strategies to implement adversary emulation effectively.
Our first reflection is based on analyzing and looking for mechanisms to optimize these complex tasks for your purple and blue teams; in other words, covering ways to simplify these tasks and make them more accessible and manageable for your purple and blue teams.
It is important to recognize: how will we meet this need? Be careful! Let us be clear that this does not negate the need for dedicated offensive activities that demand specialized expertise. On the contrary, these expert-driven offensive measures are vital for any organization and can be leveraged within our Continuous Purple Team methodology to perform certain tasks in an automated manner, enriching the general security strategy. It is nothing other than continuous monitoring of vulnerabilities by dedicated personnel in each company, separate from IT management, Technical Support and infrastructure.
Capabilities necessary for Adversary emulation.
Adversary emulation tools can emulate certain tactics, techniques, and procedures (TTPs) of real-world attackers, with the goal of providing a realistic simulation of how an adversary might carry out an attack on an organization's network. This can be useful to identify weaknesses and improve incident prevention, detection, and response capabilities.
There are two main forms of adversary emulation:
Manual full stack emulation:
We must consider that, unlike automated emulation, manual emulation is a more complete approach in which security professionals develop an adversary emulation plan and manually execute attack paths. I mean that this process may require more work and a deep understanding of the adversary's TTPs.
Full-stack emulation considers the entire attack lifecycle, from initial reconnaissance to data breach, and provides a comprehensive examination of an organization's defensive capabilities.
Automated/scripted emulation:
I love both types of emulation. Now let's look at the other scheme, automated emulation: this approach uses automated tools and scripts to replicate specific adversary behaviors linked to the MITRE ATT&CK framework.
The MITRE ATT&CK framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Today, automated tools can be programmed to execute a sequence of actions that simulate the TTPs of known threat actors. This form of emulation is often used to test specific security controls or to continually evaluate the effectiveness of implemented security measures.
Which tool is right for your business?
There are many aspects to consider when looking for an adversary emulation tool, and many of these tools exist, so before integration it is important to consider the various capabilities that align with your organization's needs and the specific objectives of your purple team exercises. From experience, certain tools will fit better into your technology landscape and others will be easier to integrate within your purple team.
Without being an official guide, below I show you a list of capabilities and considerations that I recommend when choosing your adversary emulation tool:
Ease of use and accessibility:
The tool should have an intuitive interface and complete documentation, which is particularly beneficial for teams new to adversary emulation. In this case a tool like Atomic Red Team, with its simple scripts and community-provided guidelines, may prove advantageous for rapid implementation and learning.
Automation features:
We are in control and will determine the level of automation, from scheduled attacks to intelligent adaptation during exercises. In practice some tools may offer functions to identify misconfigurations or suggest improvements, such as Caldera's adaptability to change tactics in response to network defenses.
Techniques coverage:
We must be certain to analyze and evaluate the scope and sophistication of the techniques available within the tool, referring to the MITRE ATT&CK framework; for example, high coverage means less need to develop additional techniques. To give an example of sophistication, a tool that supports complex multi-stage attack scenarios, such as Cobalt Strike, could offer more comprehensive evaluations without the need to develop custom scripts.
Integration capabilities:
It is critical that the tool integrates well with your existing security stack and infrastructure automation platforms. Say you use Terraform: a tool that can deploy its agents using Terraform's own scripts makes setup faster. An example could be SCYTHE, which can integrate with various CI/CD pipelines for automated deployment.
Scalability:
This should already be embedded in all tools; however, I find that it is always talked about, so I strongly recommend that we verify that the tool can scale with your organization, considering all options. For example, if your operations span multiple environments, including the cloud, the tool should support it. In my experience I have seen scalable tools that allow the deployment of agents in different VPCs or cloud services without problems.
Reports and analysis:
One of the most important aspects of the results is comprehensive reporting, which is essential to obtain actionable information after the exercise. Then, for management, tools that can track and present improvements over time or highlight specific threats are invaluable; in this case it's the detailed reporting and trend analysis provided by business solutions like Rapid7's InsightIDR.
Realism:
We should choose a tool that offers realistic emulation to reflect real adversary actions. The tool should be robust and could include the ability to chain the results of one technique as input to another, providing a more accurate simulation of advanced threats.
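To make the automated emulation, technique coverage, reporting and chaining points above concrete, here is an added example (my own illustration, not code from the article or from any of the tools named in it). It is a toy continuous purple-team harness: each emulation step carries a MITRE ATT&CK technique ID and, instead of touching a real system, emits constructed telemetry events of the kind an endpoint sensor or SIEM would record; the blue team's detection rules run over that telemetry, and the harness reports which techniques were detected and where the gaps are. Steps share a context dictionary so that the output of one (the account obtained in the brute-force step) becomes the input of the next. All usernames, hosts, addresses and rule thresholds are constructed for the example.

```python
"""Toy continuous purple-team harness (added example, not from the article).

Emulation steps only emit constructed telemetry; detection rules are evaluated
against it, and a coverage report shows detected techniques and gaps.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Event:
    """One constructed telemetry record, shaped like a sensor log entry."""
    source: str              # "auth", "process" or "network"
    technique: str           # ATT&CK technique the step is emulating
    fields: Dict[str, str]


@dataclass
class Step:
    technique: str                                  # ATT&CK ID, e.g. "T1110"
    name: str
    run: Callable[[Dict[str, str]], List[Event]]    # takes the shared context


# --- Emulation steps: simulated, they only produce events ------------------

def brute_force(ctx):
    # T1110 Brute Force: a burst of failed logons, then one success, same user
    events = [Event("auth", "T1110", {"user": "svc_backup", "result": "fail",
                                      "src": "10.0.0.7"}) for _ in range(6)]
    events.append(Event("auth", "T1110", {"user": "svc_backup",
                                          "result": "success", "src": "10.0.0.7"}))
    ctx["account"] = "svc_backup"    # chained output for the following steps
    return events


def valid_account_logon(ctx):
    # T1078 Valid Accounts: the chained account logs on to a server
    return [Event("auth", "T1078", {"user": ctx["account"], "result": "success",
                                    "src": "10.0.0.7", "host": "FILESRV01"})]


def script_interpreter(ctx):
    # T1059 Command and Scripting Interpreter: encoded PowerShell launch
    return [Event("process", "T1059", {"user": ctx["account"],
                                       "image": "powershell.exe",
                                       "cmdline": "powershell.exe -enc <constructed>"})]


def web_exfil(ctx):
    # T1567 Exfiltration Over Web Service: large upload to an unsanctioned site
    return [Event("network", "T1567", {"user": ctx["account"],
                                       "dst": "paste.example",
                                       "bytes_out": "52428800"})]


PLAN = [
    Step("T1110", "Brute force a service account", brute_force),
    Step("T1078", "Log on with the obtained account", valid_account_logon),
    Step("T1059", "Run an encoded PowerShell command", script_interpreter),
    Step("T1567", "Upload data to a web service", web_exfil),
]


# --- Blue-team detection rules, each tagged with the technique it covers ----

def rule_failed_logon_burst(events):
    fails = {}
    for e in events:
        if e.source == "auth" and e.fields["result"] == "fail":
            fails[e.fields["user"]] = fails.get(e.fields["user"], 0) + 1
    return any(n >= 5 for n in fails.values())


def rule_encoded_powershell(events):
    return any(e.source == "process" and "-enc" in e.fields.get("cmdline", "")
               for e in events)


def rule_large_upload(events):
    return any(e.source == "network" and int(e.fields.get("bytes_out", "0")) > 10_000_000
               for e in events)


# T1078 deliberately has no rule, so the report surfaces it as a gap.
RULES = [
    ("failed-logon-burst", "T1110", rule_failed_logon_burst),
    ("encoded-powershell", "T1059", rule_encoded_powershell),
    ("large-web-upload", "T1567", rule_large_upload),
]


def run_plan(plan, rules):
    """Execute each step with the shared context and record which rules fired."""
    ctx, results = {}, {}
    for step in plan:
        events = step.run(ctx)
        fired = [name for name, tech, fn in rules if tech == step.technique and fn(events)]
        results[step.technique] = {"step": step.name, "events": len(events),
                                   "detected_by": fired}
    return results


def coverage(results):
    """Summarize detection coverage: counts plus the list of undetected techniques."""
    gaps = [t for t, r in results.items() if not r["detected_by"]]
    return {"techniques": len(results), "detected": len(results) - len(gaps), "gaps": gaps}


if __name__ == "__main__":
    res = run_plan(PLAN, RULES)
    for tech, r in res.items():
        print(f"{tech} {r['step']}: {'DETECTED by ' + ', '.join(r['detected_by']) if r['detected_by'] else 'MISSED'}")
    print(coverage(res))
```

Run as a script it prints one line per technique and the coverage summary; in this constructed run three of four techniques are detected and T1078 is reported as a gap, which is exactly the kind of finding a purple team takes into its next iteration (write or tune a rule, re-run the plan, confirm the gap closed). Scheduling the same plan regularly and diffing the coverage output over time is the "track improvements over time" reporting discussed above.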
Open Source vs. Commercial Tools:
This is a topic of debate: we must balance the cost with the potential return on investment. Open-source tools, like Atomic Red Team, can be cost-effective and community-driven, while commercial tools like SCYTHE often come with additional capabilities and a curated database, which usually includes the latest threat information, attack vectors, new campaigns, and general support.
Community and Vendor Support:
There are many who leave this aside; for me it is an issue not only of cybersecurity but of all IT. Having solid support from the community or from providers can significantly improve the effectiveness of the tool. Community-driven tools such as Red Team Automation (RTA) benefit from shared resources and collective expertise, while commercial tools generally offer dedicated support and regular updates. I have personally seen the community react quickly to massive international attacks.
Here is an example of how purple teams work:
Instead of performing an annual penetration test, the red team submits the report, the blue team responds with corrective measures, and they collaborate. The red team advises on how to prioritize vulnerability management and patch critical flaws, while the blue team monitors the red team and shares information about the red team's activities and testing, to uncover deeper weaknesses in the system.
This approach will strengthen both sides. The blue team learns more about how to prioritize, measure and improve their ability to detect threats and attacks, and the red team learns more about the technologies and mechanisms used in defense. This can lead to finding more advanced attack vectors and understanding more sophisticated attack methods.
What makes Purple Teaming different?
I have seen, for years, that organizations have performed penetration testing in a similar way:
The Red Team launches an attack in isolation to exploit the network and provide feedback; the Blue Team only knows that an assessment is taking place and is tasked with defending the network as if a real attack were occurring.
The most important distinction between Purple Teaming and standard Red Teaming is that the attack and defense methods are predetermined. Instead of attacking the network and delivering a post-evaluation summary of the findings, the Red Team identifies a control, tests ways to attack or deflect it, and coordinates with the Blue Team in ways that serve to improve the control or defeat the deflection; then the teams sit side by side to collaborate and really understand the results.
I think the result is that teams are no longer just identifying vulnerabilities and working from their initial assumptions; instead, they are testing controls in real time and simulating the kind of approach that intruders are likely to use in an actual attack. I have seen this change the test from passive to active: instead of working to outwit each other, teams can apply the most aggressive attack environments and run more complex what-if scenarios, through which the controls and security processes can be more fully understood and corrected before an engagement.
I believe that the purple team exists to eliminate this possibility of something slipping through undetected! In a slightly more mature environment, the red and blue teams working together means engaging in a constant transfer of knowledge and simulating real-life attack scenarios. If we think about it, the red team will improve the organization's vulnerability management process, while the blue team will get into the attackers' mindset to develop better incident response programs, security processes and vulnerability detection.
In summary, as I mentioned previously, the goal of the red and blue teams is to improve an organization's security defenses, just as the organization's goal is to foster a healthy corporate cybersecurity culture. With the purple team, the first incentive is strong and regular communication between offense and defense: a constant flow of information and symbiotic work.
Thank you very much for reading me. I hope we stay in contact; I remain open to any doubts or questions regarding this. Greetings from Mexico.
Your friend,
Comment from a Partner Assistant at Muñoz Manzo y Ocampo S.C.:
Rubén, thank you very much for your articles, they are very helpful.