The explosion of the Internet of Things (IoT) compounded by the rapid acceleration of all things digital has resulted in a dramatic shift in the threat landscape. Threat actors are tapping these new-age technologies and developing more complex attack scenarios, which become increasingly difficult to detect and defend against. Malware continues to evolve and is more often custom-developed for specific targets, forcing security solutions providers to increase their detection capabilities. Many corporations have invested significantly in a multitude of security solutions that don’t always integrate or work together, leaving significant security gaps exposed, specifically against targeted attacks that often circumvent existing
Past incidents like WannaCry in 2017 are proof of how an attack can compromise organizations of any scale. These attacks not only resulted in financial damages totaling billions of dollars, but they also compromised the personal data of millions of users.
In the current evolving cyber security landscape where internal networks can no longer be assumed safe, organizations should turn towards advanced strategies that allow them to approach information security from the inside out. Security systems need to continually adapt and innovate in order to combat attacks efficiently and identify the gaps in their security system. Therefore, companies need to have the ability to validate the effectiveness of their prevention, detection and response capability, by testing their systems, processes, and capabilities, before an attacker succeeds.
For quite some time now, organizations have resorted to penetration testing as a means to better assess their systems’ security. Penetration testing has its limitations, and more recently organizations have subjected their security to Red Teaming (also referred to as ethical hacking), whereby security experts use real-life attack scenarios and tools to try to breach a network and then report on the security gaps they exploited. The objective or goal of a Red Team is often to demonstrate unauthorized access to the organization’s most critical systems and applications, whether they reside on-premise or in the cloud, whose compromise would have a detrimental impact.
During a red team assessment, security experts imitate real-life threat actors and simulate realistic attacks by replicating the Tactics, Techniques and Procedures (TTPs) of real-world adversaries. This approach helps to assess the organization’s ability to detect, defend against and prevent plausible attacks. As a parallel objective of most red team assessments, the assessed organization’s leadership often expects the firm’s security operations team (often referred to as the ‘blue team’) to defend the system against these attacks and to perform an analysis to ensure security, identify security flaws, and verify the effectiveness of each security measure. The Blue Team usually only knows that a security assessment will take place and is tasked with defending the network as if an actual attack were occurring.
There are obvious benefits to these types of security assessments, but the two teams are often separate and disconnected entities. If combined, they can offer much more than their designated roles of attacking and defending. This is where the concept of purple teaming comes into the picture. Purple teaming brings the red team and blue team together to work closely on enhancing the defenders’ cyber capabilities through continuous feedback and transfer of information. This collaborative effort focuses on building next-gen cyber security capabilities and defenses. The purple team increases the effectiveness of both red and blue teams by integrating the defensive tactics of the blue team with the flaws and gaps identified by the red team. It ensures a seamless exchange of information between the two teams for a more efficient and more productive security system.
Purple teaming helps to enhance the capabilities of both red and blue teams. Instead of attacking the system and producing a post-attack analysis, the red team now works closely with the blue team to recognize, control and find ways of blocking the attack. The teams are not limited to merely identifying the attack or defending the system; instead they test controls in real time and provide visibility into the tactics used by threat actors.
Increasingly, organizations are investing in purple teaming to obtain regular feedback and visibility into the efficacy of their security systems. Purple teams are gaining in popularity with large enterprises to help evaluate and improve the effectiveness of their cyber threat prevention, detection and response capabilities. Many with an established security function are starting to realize they can benefit from purple teaming to improve the capabilities of their internal security team.
Purple teaming exercises can help an organization to effectively improve its security systems in the following ways:
- Detects newer TTPs of threat actors and enhances the internal security team’s ability to prevent, detect and respond to them
- Helps solidify existing investigative and monitoring methods and uncover new ones
- The engagement serves as a live-fire exercise in which both red and blue teams can hone their skills
- Over a prolonged period of three to six months, an organization’s security team can train and enhance its detection and response capabilities
- Provides the firm with a detailed scorecard that identifies where security operations are thriving, areas for improvement, and strategic recommendations to strengthen the security posture
- Tracks the progression of the security team’s detection and response capabilities from the start of the engagement to the end
- Demonstrates the ROI of the organization’s security spending
- Increases visibility into the company’s network and ensures that vulnerabilities are identified before they become issues
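The scorecard and progression tracking described in the list above, as an added example that is not part of the original article: a small Python record of per-technique prevent/detect/respond outcomes across engagement rounds, from which coverage, open detection gaps and the first-to-last-round delta are computed. The technique labels and outcomes are constructed sample data, not results from any real engagement.

```python
"""Purple team scorecard: prevent/detect/respond outcomes per emulated technique, per round."""
from dataclasses import dataclass

OUTCOMES = ("prevented", "detected", "responded")


@dataclass
class Result:
    technique: str   # label of the emulated technique (constructed values below)
    prevented: bool  # control blocked the technique outright
    detected: bool   # blue team generated an alert or investigation
    responded: bool  # blue team triaged/contained within the agreed time window


def coverage(results):
    """Fraction of emulated techniques that were prevented, detected and responded to."""
    n = len(results)
    if n == 0:
        return {k: 0.0 for k in OUTCOMES}
    return {k: sum(getattr(r, k) for r in results) / n for k in OUTCOMES}


def gaps(results):
    """Techniques that were neither prevented nor detected: the blue team's blind spots."""
    return sorted(r.technique for r in results if not (r.prevented or r.detected))


def progression(rounds):
    """Delta per outcome between the first and last round, plus gaps closed and still open."""
    first, last = coverage(rounds[0]), coverage(rounds[-1])
    delta = {k: round(last[k] - first[k], 2) for k in OUTCOMES}
    closed = sorted(set(gaps(rounds[0])) - set(gaps(rounds[-1])))
    return {"delta": delta, "gaps_closed": closed, "gaps_open": gaps(rounds[-1])}


# Constructed sample engagement: the same five techniques re-run in month 1 and month 3.
ROUND_1 = [
    Result("phishing-attachment", True, True, True),
    Result("credential-dumping", False, False, False),
    Result("lateral-movement-smb", False, True, False),
    Result("scheduled-task-persistence", False, False, False),
    Result("dns-exfiltration", False, False, False),
]
ROUND_3 = [
    Result("phishing-attachment", True, True, True),
    Result("credential-dumping", True, True, True),
    Result("lateral-movement-smb", False, True, True),
    Result("scheduled-task-persistence", False, True, False),
    Result("dns-exfiltration", False, False, False),
]

if __name__ == "__main__":
    print(coverage(ROUND_1), coverage(ROUND_3), progression([ROUND_1, ROUND_3]), sep="\n")
```

Techniques that remain in `gaps_open` at the end of the engagement are the ones a scorecard would flag for new detection engineering.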
Purple teaming may very well become the next generation of security assessments. Apart from strengthening the organization’s security system, this practice also instills confidence in the current security controls by identifying gaps in the organization’s implementation, reducing risk while decreasing the likelihood of an impactful breach.
By Rob van der Ende, Senior Vice President, Asia Pacific and Japan, FireEye Mandiant