Purple Team engagements uncover security weaknesses

Our threat researchers at Lares encounter a broad range of security flaws and vulnerabilities when we conduct Purple Team exercises on behalf of our clients. Over time, the same unforced errors seem to come up so often that we warn security teams to develop standardized practices to defend against them.

The Lares Adversarial Collaboration Unit assists clients with defensive collaboration engagements and Purple Team assessments, which combine offensive and defensive techniques to strengthen security protections. Red Teams emulate external or insider attackers, while Blue Teams serve as internal security defenders. Purple Teams assist both sides by aligning the defensive tactics of the Blue Team with the threats attempted by the Red Team.

We recently released new research highlighting the Top 5 Purple Team Findings that we encountered over hundreds of client engagements in the past year. The most commonly avoidable mistakes included inadequate or unnecessary event logging; lack of offensive security knowledge; codependent relationships in the Security Operations Center (SOC); an unhealthy reliance on tools; and throwing good money after bad.

To properly defend their organizations, security professionals need to be aware of the latest threats and how to respond. Additionally, defenders should avoid becoming reliant on tools and instead focus on developing essential skills that cannot or should not be outsourced.

Top 5 Takeaways from the Lares Purple Teams Research

Inadequate or Unnecessary Event Logging: Events are a critical part of any organization's security posture. Many organizations should pay more attention to critical log events, or they collect too many unnecessary events that fill up storage and obscure important data. In their inattention, they may overlook important signs of malicious activity. Organizations should carefully select the events they collect to avoid these problems and ensure that all the collected data points are relevant to their security needs. In doing so, they can build an effective detection and response system and improve their overall security posture.

Lack of Offensive Security Knowledge: Monitoring an organization's environment for potential threats requires more than just a basic understanding of adversarial tactics, techniques, and procedures (TTPs). It is important to identify when and how these TTPs are being used to take appropriate actions to defend the organization. For example, security oversight may require monitoring of internal communications to identify potential indicators of malicious activity. By having a strong understanding of the organization's environment and adversarial TTPs, individuals tasked with monitoring can more effectively detect and respond to threats.

Codependent Relationships in the SOC: Many managed security operations centers (SOCs) introduce new issues for defensive teams rather than solve them. This frequently happens because managed SOCs struggle with excessive alerting delays, suppress critical events, and they cannot introduce telemetry that matters.

Alerting delays occur when the managed SOC fails to properly configure the tools and technologies to detect and respond to security incidents. Events that could be used to thwart attacks are delayed or never seen. Additionally, managed SOCs often suppress critical events due to pressure from upper management or external customers. Finally, managed SOCs often fail to introduce telemetry that matters to the incident. This is because they are driven by metrics that do not necessarily reflect the real-world impact of security incidents. As a result, many managed SOCs fail to provide the insights and data needed to understand and address the root causes of security threats.

Unhealthy Reliance on Tools: Another problem involves defenders who become too reliant on Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) solutions, expecting them to find all the bad actors. This mindset can lead to false positives and incorrect attributions. EDR and XDR should be seen as part of a wider security solution, not the sole point of monitoring. Only by taking a more holistic approach to security can organizations stay ahead of the threat landscape.

Throwing Good Money After Bad: It is also common for organizations to outsource their knowledge when it comes to defensive measures. While this may seem like the easiest solution, it does more harm than good by preventing employees from learning the essential skills they need to be effective and costing the company more money over time. Instead of outsourcing all security knowledge, companies should invest in their employees and allow them to learn and grow. Companies should also implement detective and protective measures that directly map to adversarial methods and mechanics. This approach allows employees to gain the skills they need to succeed while saving the organization more money in the long run.

In today’s fast-moving cybersecurity environment, more is required than simply understanding an adversary’s tactics. Security teams need to remain mindful of the potential issues that can arise from their own defensive measures as well.

Image Credit: Wayne Williams

Andrew Hay is Chief Operating Officer, Lares.