Published by CyberCX on 9 October 2023
Shifting organisations from traditional point-in-time security assessments to a holistic view of overall security requires an innovative approach to cyber security assessments. This article aims to provide the historical context of why our new approach is important to improve the security of the organisations we work with.
The only constant is change. In the world of cyber security, that rings true now more than ever.
Rapidly changing technology, shifting politics, and more efficient ways to safely monetise malicious activities across borders are putting increasing pressure on organisations today. Additionally, regulatory bodies are implementing more stringent requirements across Australia and New Zealand to curb the growing number of cyber incidents and data breaches.
In response, organisations have had to change their approach as preventative controls alone are proving insufficient. Organisations are investing more time and money into detection and response capability than ever. But it’s not just the security landscape that is constantly evolving. New technologies and paradigms are arising such as cloud computing, dev ops, and infrastructure as code.
Importantly, the shifting landscape also changes the types of vulnerabilities present that adversaries seek. While your traditional exploits such as authentication bypasses and remote code execution still surface from time to time, shifts to the cloud and software as a service has led to the proliferation of more configuration-based vulnerabilities such as: over provisioned permissions, multi-factor authentication bypasses, and inadvertent exposure of assets to the internet.
All this has highlighted the need for organisations to review security holistically from not just a preventative basis but also a detection and response basis and to continually perform these reviews as changes are frequently made within organisations.
Traditional Security Assessments
Traditional point-in-time security assessments such as penetration testing, application, and configuration reviews, which form the basis for a security testing program within an organisation, will focus on finding vulnerabilities and suggest remediation focused on prevention. These are also typically tightly-scoped on key focus areas. Often, penetration testing does not take detective controls, nor the response processes and playbooks invoked during an actual incident into account.
Red team exercises, on the other hand, are a great tool to simulate a real-world adversary or incursions for the scenario where preventative controls have failed to operate correctly or have been bypassed. These wider-scoped exercises provide organisations an opportunity to see how their defences hold up at an end-to-end scenario across technology, people and internal processes.
Both penetration testing and red team exercises are crucial and serve distinct purposes, but they have gaps and limitations. Combined with the evolving technology landscape and the emergence of new vulnerabilities for criminals to exploit, there may be a need to think more broadly when it comes to best practice security testing and assurance. That’s where Purple teaming comes in.
Both teams work together with the Red teamers performing these actions and providing the Blue team with the opportunity to evaluate the state of their current detections, threat hunting capabilities, and identifying gaps within their technology stacks, coverage or response playbooks.
Imagine for a second that you have a team of ethical hackers using their expertise and knowledge of the latest technology exploits to find vulnerabilities and break into your organisation (Red team), while another team of defenders (Blue Team) uses their expertise to defend your organisation from the attackers. But instead of waiting until the end of the exercise to compare notes they constantly engage, discuss, and dissect actions, thought process and decisions. That’s Purple teaming.
This approach allows for collaboration and discussion between the two teams, which in turn leads to the Red teamers exploring more paths and variations. For the Blue team, there is an invaluable opportunity to gain critical insight into an adversary’s thought process and practical execution of attacks. The ability to create, adjust, and replay detections ensures that various permutations are considered.
Additionally, it provides insights into the performance and potential limitations of technology implementation and interactions with third party service providers. One example is the time duration from when an action is performed until a detection is raised. If the detection is accurate and matches up to the activities performed, and if enough context is contained with such an alert, a defender would be able to make an informed judgment call.
Purple teaming exercises provide assurance across areas that cannot be fully tested through penetration testing or Red Team engagements, but also provide an opportunity for extensive knowledge transfer and upskilling of a Blue team. With a rapidly changing technology landscape presenting new vulnerabilities and exploits every day, the importance of new and creative security solutions cannot be understated.
In the next instalment of the blog series, CyberCX will provide insight into CyberCX’s Purple team offering and the public release of our PurpleOps tool.