The last decade has seen steady growth in adversary simulation as a tool for security assessment and improvement. Red, blue, purple teaming and other color-coordinated simulated cyber-attack exercises have quickly become part of the cybersecurity lexicon.
For most CISOs, a journey that began with penetration testing now includes many different colored ‘teaming’ exercises. Regulatory threat-led testing schemes accelerated this trend, starting in the UK finance sector with CBEST, followed by TIBER in Europe and offshoots elsewhere. Similar initiatives have been introduced in government (for example, the UK’s GBEST and GCASE schemes) and, with other sectors such as telecoms and aviation showing an interest, it seems only set to grow. Meanwhile, the industry delivering these services has begun to mature, with a common language in the form of the MITRE ATT&CK framework and offerings from consultants and product vendors alike.
However, the color-oriented terminology can be problematic as interpretation can vary significantly between regions and industry sectors. The military origins of the term ‘red teaming’ describe an adversarial team taking a critical and analytic look to challenge an organization’s plans, programs, ideas and assumptions, without specifying how this is done. In some cases, red teaming can mean a threat-led real-world hacking exercise that demonstrates an organization’s level of resilience to current real-world attackers. Elsewhere it can look much more like a traditional scope-limited penetration testing or vulnerability discovery exercise aimed at finding vulnerabilities in a specific set of systems. This has led many to adopt the term ‘adversary simulation’ or ‘simulated attack’ when describing broad-scope cyber-attack exercises. Also, considering the move to avoid potentially loaded color-related terms, the red/purple/blue naming convention is not particularly useful beyond defining an axis of ‘offense’ vs. ‘defense.’
The general concept is thus easy to grasp, but work needs to be done to standardize the definitions and clearly explain the purpose of each exercise. Buyers of these services should check the fine print to make sure they know what they are getting.
The Red Team
Adversary simulation often begins with a broad-scope exercise against a whole organization. This can be used to benchmark the effectiveness of the current security controls and investments against specific attackers or scenarios, such as targeted ransomware or a supply chain attack.
It is crucial that a red team exercise is based on an informed view of the current threat landscape and aligned to that of a likely real attacker. The goal is to provide an informed view of the impact an attacker using prevalent tactics, techniques and procedures could have. This highlights an organization’s exposure to complex threats, so it is not an instant gratification exercise, commonly lasting six weeks or longer.
Mixing Red and Blue
Offense-only exercises, where the majority of the SOC and other defense teams are not informed of the test, can have diminishing returns if performed repeatedly. Attackers can ‘succeed’ by finding a single new attack path through the environment each time, sometimes making the process feel like a ‘whack-a-mole’ exercise for the defensive team. That’s why many companies end up having their offensive teams work more closely and collaboratively with the blue team to benchmark, upskill and enhance capabilities. The SOC needs to invest time in the exercise for this so-called purple teaming to be useful. The more collaborative it gets, the more ringfenced time is needed for people to support and benefit from the process. Defensive teams – whether in-house or outsourced – tend to prefer this less adversarial, more collaborative approach.
When Purple Isn’t Enough
What has sometimes been called ‘white teaming,’ or attack path mapping, comes from the idea of a ‘white box’ or ‘informed’ test. This can be used when trying to model attacks against systems too mission-critical to test safely in a real-world way or where the cost or logistics of performing a realistic adversary simulation from first principles becomes prohibitive. It involves seeding the adversary team with additional information, for example, a combination of architecture reviews or interviews with key system owners to identify likely attack paths. This allows them to test key points in each attack path to understand the strength of the layered defenses. In effect, it is informed red teaming.
Understanding the purpose of each exercise is key to getting the most value out of your investment. No matter which type of test is chosen, it’s vital that a detailed approach is agreed upon and signed off and that both parties understand the risks of testing and the rules of engagement. It should never be ‘open season’ when testing critical production systems, and anything considered too risky or too close to the limits of legality must be avoided or simulated safely. Providers should be able to demonstrate how they can deliver these services safely, repeatably and professionally.
The latest Accenture State of Cyber Resilience Report, based on interviews with over 4,700 executives globally, shows that there were on average 270 attacks per company over the year, a 31% increase over the previous year. Third-party risk continues to dominate. In addition, successful breaches of an organization through the supply chain have increased from 44% to 61%. So, whatever we choose to call it, the need for simulated adversary attacks is only going to increase.