Red, purple and blue -- security teams keeping the hackers at bay
Regardless of how much money is spent on cybersecurity, the likelihood of getting hacked, is steadily increasing. The threat landscape is constantly evolving with new ransomware and extortion attacks being reported daily, in addition to adversarial nation states stealing personal information and intellectual property for nefarious purposes.
The reasons are manifold and complex. IT infrastructures are becoming increasingly more complicated, with new software development programs that introduce new vulnerabilities. Cyber criminals are becoming more sophisticated and better organized, with new advanced persistent threats (APTs) continually being discovered. Compounded by state-sponsored cyber espionage seeking anything that can be used for economic or political advantage.
Most companies seek to solve the problem by buying additional security software for specific purposes -- but these separate products do not necessarily offer complete protection and can occasionally create additional problems, by expanding the organization's IT estate and creating new responsibilities for maintenance within IT teams, but also by potentially leaving gaps between the solutions. Vulnerabilities, gaps and poor business processes allow malicious hackers to compromise IT infrastructures; and conventional cyber defensive applications cannot cope alone.
Think like a hacker
A solution is to find your own weaknesses and then remediate them, before they can be exploited by criminals. The best way to do this? A red team.
'Red team' is a term derived from military war gaming, intended to emulate an attacker and probe defenses. In such war games, the defensive side is termed the blue team. Purple teaming describes the attempt to align the two groups; that is, to use the methods discovered by the red team to allow the blue team to improve defenses.
In cybersecurity, a red team tries to breach a company’s security defenses to find and demonstrate ways in which real hackers might attack and compromise the organization. Red teams think and act like a hacker, and the operators are highly skilled and should be deployed in a focused way. Very large organizations sometimes have permanent red teams on the payroll, but most firms cannot afford this luxury and therefore do not often have dedicated resources.
Purple teaming in cybersecurity is the collaboration of both the red and the blue teams to improve the outcome of the overall engagement. This includes working together to identify weaknesses, and help to build a robust plan for the organization, including detection and remediation effort, in order to improve the company’s overall cybersecurity posture.
It is important to note that red teaming goes far beyond the traditional scope of penetration testing (pentesting). Pentesting looks for known vulnerabilities, whilst red teaming attempts actual exploitation through predetermined scenarios that include testing the people, processes, and technology, and how well all three components can work together. Often weaknesses in operational procedures, as well as locating exploitable vulnerabilities in the IT infrastructure, are discovered.
The purple teaming process is one of the most powerful ways of ensuring effective cybersecurity defense as they provide a holistic overview of the organization and have proven many times to be a worthwhile investment.
Red team successes
There are few published examples of red team successes since the results are primarily relevant, and often proprietary, to the company being tested. Google, however, has provided an illustration of one of its own red team attacks against itself.
The attackers sent a fake gift to employees -- a Google-branded plasma globe that could be plugged into a computer. Doing so delivered a system back door, and enough employees were compromised for the attackers to gain access. This initial access allowed the red team to move laterally toward their key target: Google Glass blueprints. The red team were able to access and download the blueprints to prove their success.
Another example comes from our own team. We were tasked with stealing data from the CEO of a FTSE 100 firm. An initial phishing attempt against staff failed, but this was followed by a telephone call where the red team claimed to be internal security staff trying to check laptops. This attack was successful and the 'attackers' gained remote access to laptops. Once inside, a misconfiguration allowed them to take over an administrator account -- which then gave them direct access to the CEO’s emails.
A typical red team scenario
We employ a red team methodology loosely based on Lockheed Martin’s seven-link cyber intrusion kill chain model (another term adapted from military usage).
The model has eight phases: planning, reconnaissance, initial attack, establish foothold, endpoint exploitation, lateral movement, achieving objectives, and reporting. The eighth is often out of scope for a genuine kill chain but is perhaps the most important for a red team exercise to be a success. This comprises a report on the red team operation, allowing the customer and its security team to understand and remediate any weaknesses in security posture before they can be exploited by real adversarial hackers.
Red teaming for all
For most companies, the best approach to red teaming is to use a ready made team from a specialist provider.
Firstly, this is the most affordable approach. Secondly, red team specialists from a provider will bring enormous, accredited experience. And last, but by no means least, bringing outside eyes to the problem will provide a completely new and unique approach to a company’s cybersecurity stance and cybersecurity weaknesses.
Dhruv Bisani is the Red Team Practice Operations Lead at Eurofins Cyber Security, with over 6 years of industry experience. Dhruv specializes in red team testing and has led and delivered red team engagements across several industries such as financial services, retail and private sector clients, including supporting projects under the UK CBEST scheme which is mandated by the Bank of England for top tier UK banks. In addition, Dhruv also manages and delivers several types of penetration testing engagements including applications testing, wireless testing, API testing and phishing exercises.