Key definitions for purple teaming
Before digging into a more practical understanding of purple teaming, we need to go through various definitions in order to set us up for the next chapters.
We will first look at what the different teams within an organization look like, such as what red and blue teams are, before digging into recent key concepts that are often misunderstood or used interchangeably: cyber ranges, breach attack simulation, and adversary emulation. We will also briefly describe a newer term, threat-informed defense. We will not yet tackle purple teaming itself, as it is described thoroughly in the next chapter.
The red team
The red team, also called the offensive team, is a term that originally came from military war games and became popular in the infosec community in the early 2000s. The idea is that this team mimics known threat actors' tactics, techniques, and procedures (TTPs) in order to run realistic attack scenarios, trying to think and act like the adversary.
Contrary to a usual penetration testing engagement, a red team (composed of ethical hackers) works against a much broader scope. Social engineering techniques, physical intrusion attempts, and unscripted attack paths are usually allowed.
Some examples of red team scenarios are as follows:
- Mailing a package containing a rogue Wi-Fi access point, addressed to an employee who is on vacation, so that the package sits unopened on the premises. This gives the red team a potential entry point without having to pass any physical security control.
- Dropping USB keys containing malicious payloads at the entrance of the building, expecting that someone will find and plug them in.
- Showing up dressed as a maintenance worker (possibly with a ladder, tools, and so on) and trying to bypass physical access restrictions this way to obtain physical LAN access, server room access, or worse, stealing a workstation under the pretext of repairing it.
- Performing advanced social engineering attacks based on phishing, phone calls, post, email, and so on.
As we can see, these examples are far from a standard penetration test; the objective is to simulate a threat actor that wants to infiltrate the corporate network by any means necessary and go as deep as possible.
In addition to standard penetration testing tools, a red team also uses dedicated red team infrastructure to hide its operations as much as possible, and relies on more advanced post-exploitation tooling such as Cobalt Strike, a commercial red team framework that is now also frequently abused by real threat actors.
A characteristic of red team engagements is that the blue team is usually not informed of the operation, since the goal is to test real-life blue team detection and response capabilities and assess the organization's overall cyber resilience. The red team nevertheless operates with explicit authorization from the organization's management for all of its activities.
The blue team
In contrast to the red team, the blue team's main objective is to defend the organization against internal and external threats. Its main responsibilities and expectations can be listed as follows:
- Prepare for defense (using at least the technologies listed hereafter).
- Be able to anticipate threats before they happen (thanks to threat intelligence, vulnerability watch, regular audits, and so on).
- Detect malicious activities, risky users, and suspicious behaviors to protect the organization.
- Manage vulnerabilities with passive (vulnerability watch) and active (scanning and assessment) processes.
- Respond to any cyber incidents.
- Ensure all defense mechanisms are set up and working properly.
- Continuously improve defense based on lessons learned, new threats, and adversary TTPs.
- Provide information and key performance indicators (KPIs) to management.
To achieve these goals, they will rely on multiple technical and non-technical elements, which can be divided into three main topics:
- People: Security awareness, security analysts (usually junior for triaging, and senior for case handling), detection engineers, forensic specialists, malware analysts, threat intelligence analysts, developers, DevSecOps, system engineers, and SOC/blue team managers. In smaller organizations or businesses, it is common to see multiple roles owned by one person.
- Process: Usual NIST/SANS-based incident response process (preparation, identification, containment, eradication, recovery, and lessons learned), internal security policies, standard operating procedures (SOPs), and playbooks or guidelines.
- Products and technologies: security information and event management (SIEM) as one of the main tools for SOCs and blue teams, detection use cases (built in-house or vendor-provided), endpoint detection and response (EDR), intrusion detection systems (IDSs), network packet capture platforms, threat intelligence platforms (TIPs), ticketing/case management systems, digital forensic tools, security orchestration, automation, and response (SOAR), reverse engineering tools (IDA, Ghidra, and so on), trap systems (honeypots, honeytokens, and so on), and vulnerability management platforms.
Blue teams are usually part of a Security Operations Center (SOC), with multiple analyst tiers organized in the following way: Tier 1 for triaging (basically, determining if an alert is a false positive or a true incident), Tier 2 for standard incident handling, and Tier 3 for complex cases (Subject Matter Expert (SME) analysis, malware analysis, and forensic investigation).
Usually, the red and blue teams do not really collaborate: the red team attacks the organization without informing the blue team (for a more faithful emulation of a real adversary), and very few post-mortem activities are performed. The next chapter shows what could be improved and how the two sides can be combined in a powerful synergy through the purple teaming approach.
Other teams
In some contexts, additional team colors are introduced, often referred to as the rainbow team or the infosec color wheel. We will not discuss the relevance of these naming conventions, but here are some definitions found online; they complement the blue, red, and purple teams:
- The yellow team, or the Builders, is the team that builds infrastructure and applications.
- The orange team is the combination of the red and yellow teams, intended to ease knowledge transfer from the attacker's perspective to the builders.
- The green team is the combination of the blue and yellow teams, intended to build better defenses by incorporating the builders' view with the defenders' needs.
Other resources, such as the regulatory framework from the Saudi Arabian Monetary Authority, define the green team differently: as a test manager provided by the regulator to supervise intelligence-led red team exercises, rather than as a mix of the blue and yellow teams. The same framework also defines a white team as a limited number of experts from the tested organization who are aware of the exercise.
Knowing all the colors a team can take within an organization is not critical for the rest of the book, but we should at least understand the difference between red and blue teams. Let's now deep-dive into some key concepts in cybersecurity that have recently become more and more popular.
Cyber ranges
Cyber ranges are designed as a simulation and representation of an organization's existing systems, networks, tools, and applications, running interactively so that hands-on cybersecurity training and posture testing can be carried out safely, without touching production.
Ideally, this includes simulated traffic, replicated web pages, exposed services, and interfaces similar to those found within the organization.
Cyber ranges provide an environment where the blue and red teams can work closely together to improve security capabilities and sharpen security analysis skills. They are used by professionals, cybersecurity analysts, law enforcement, incident handlers, students, trainers, and organizations.
Now, let's see how breach attack simulation solutions differ from cyber range solutions.
Breach attack simulation
Considered a form of advanced security testing, breach attack simulation (BAS) is part of the purple teaming arsenal. It is relatively new: the term first appeared in Gartner's Hype Cycle for Threat-Facing Technologies, 2017 report.
Originally, blue team defenses were tested during red team exercises. The main issue with this approach is that it is not automated and gives only partial coverage, because what gets tested depends on each red team operator's preferences and skills, which vary dramatically from one operator to another.
BAS is a concept that lets security engineers replay attacks against and from any perimeter (external, internal, endpoints), manually or automatically, using dedicated solutions. These solutions classify and normalize the generated attacks, map them to existing frameworks (such as MITRE ATT&CK), check whether each attack was blocked or detected, and finally deliver a report.
The main advantage of this approach is the continuous stream of updates from vendors and the community, which lets organizations test new attacks and TTPs as they appear. It therefore helps improve defenses in a continuous and automated fashion.
These tools also allow continuous monitoring of the health of existing detection and prevention use cases, to ensure they are still effective and working properly (a rule that silently stops firing after a log source or parser change is a classic example). The automated approach also reduces the risk of human error during tests.
Let's now look at adversary emulation.
Adversary (attack) emulation
Adversary emulation is a different approach, which can be manual or automated with tools.
The general concept is to use threat intelligence reports and frameworks (ATT&CK, for example) to select specific, generally advanced, threat actors that might be interested in compromising you, then extract the TTPs they use. It also helps managers answer the question, "Could the recent attack seen in the news happen to us?"
The purpose of adversary emulation is to let the red team replay realistic threat scenarios in your environment and verify that the blue team prevents, detects, and responds to them.
The MITRE ATT&CK mapping is incredibly useful as a reliable source of information, as it gives analysts a clear understanding of the TTPs used by each threat actor under each tactic (initial access, privilege escalation, lateral movement, and so on).
MITRE has also published adversary emulation plans based on existing APT groups. For example, the APT3 emulation plan is based on a Chinese threat actor and includes the following:
- A specific description of the group and its TTPs, classified using the MITRE ATT&CK reference model
- An adversary emulation plan
- A spreadsheet to fill in during the test for coverage evaluation
Even if the choice of this APT group may seem limited (and the plan has not been updated since 2018), the selected TTPs are still relevant at the time of writing, and the operational flow can still serve as a starting point in the adversary emulation process. MITRE and the wider cybersecurity community are also increasingly providing free adversary emulation plans that organizations can use themselves.
Finally, adversary emulation also focuses on the human dimension, which helps blue teams test and improve their skills and capabilities to respond to a threat. BAS solutions, on the other hand, mainly focus on the validation of existing security controls. The difference between BAS and adversary emulation is well described by SCYTHE in its blog post, The Difference Between Cybersecurity Simulation vs Cybersecurity Emulation. We will also deep-dive into the difference between simulation and emulation in Chapter 9, Purple Team Infrastructure.
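The following Python harness is an added example, not code from the book, from MITRE, or from any BAS vendor. It shows the mechanics shared by the BAS loop described earlier (run a catalog of attacks, map each to ATT&CK, check whether it was blocked or detected, report) and by an adversary emulation plan with its coverage spreadsheet. Everything in it is constructed: the plan uses real ATT&CK technique IDs but is not attributed to any threat actor, no command is actually executed (each step carries the telemetry event it would produce on a host), and the detection rules are stand-ins for SIEM/EDR use cases. One rule is deliberately too narrow and one technique has no rule at all, so the report distinguishes a broken use case (a detection health problem) from a coverage gap, and the `chained` flag contrasts independent BAS-style checks with an emulation scenario that stops when a step is prevented.

```python
"""Minimal BAS / adversary emulation harness (added, constructed example)."""
import csv
import io
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Step:
    technique_id: str              # real ATT&CK technique ID, constructed scenario
    tactic: str
    description: str
    telemetry: Dict[str, object]   # constructed event the step would generate on a host


@dataclass
class Rule:
    name: str
    technique_id: str              # the technique the use case is meant to cover
    action: str                    # "block" (preventive) or "alert" (detective)
    matches: Callable[[Dict[str, object]], bool]


# Constructed emulation plan, ordered like a real intrusion chain.
PLAN: List[Step] = [
    Step("T1566.001", "initial-access", "Spearphishing attachment with macro",
         {"source": "mail-gateway", "attachment": "invoice.docm", "macro": True}),
    Step("T1059.001", "execution", "Office spawns PowerShell with encoded command",
         {"source": "edr", "parent": "WINWORD.EXE", "image": "powershell.exe",
          "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"}),
    Step("T1003.001", "credential-access", "LSASS memory dump with a signed tool",
         {"source": "edr", "image": "procdump.exe", "target": "lsass.exe"}),
    Step("T1021.002", "lateral-movement", "ADMIN$ share access with harvested creds",
         {"source": "windows-security", "event_id": 5140, "share": "\\\\*\\ADMIN$"}),
]

# Constructed use cases. The LSASS rule only knows one tool name (too narrow),
# and nothing covers T1021.002 at all.
RULES: List[Rule] = [
    Rule("Macro attachment stripped at gateway", "T1566.001", "block",
         lambda e: e.get("source") == "mail-gateway" and e.get("macro") is True),
    Rule("Office application spawns PowerShell", "T1059.001", "alert",
         lambda e: str(e.get("parent", "")).upper().startswith("WINWORD")
         and str(e.get("image", "")).lower() == "powershell.exe"),
    Rule("Mimikatz touches LSASS", "T1003.001", "alert",
         lambda e: e.get("target") == "lsass.exe" and e.get("image") == "mimikatz.exe"),
]


def run_plan(plan: List[Step], rules: List[Rule], chained: bool = False) -> List[Dict[str, str]]:
    """Evaluate each step against the rule set and classify the outcome.

    chained=False: every step is tested on its own (BAS-style control validation).
    chained=True: the scenario stops at the first prevented step, as a real
    intrusion would (adversary-emulation-style).
    """
    results: List[Dict[str, str]] = []
    stopped = False
    for step in plan:
        hits: List[Rule] = []
        if stopped:
            outcome = "not reached"
        else:
            hits = [r for r in rules if r.matches(step.telemetry)]
            covered = any(r.technique_id == step.technique_id for r in rules)
            if any(r.action == "block" for r in hits):
                outcome = "prevented"
                stopped = chained
            elif hits:
                outcome = "detected"
            elif covered:
                outcome = "rule exists but did not fire"   # detection health problem
            else:
                outcome = "no coverage"                     # gap in the use-case catalog
        results.append({"technique": step.technique_id, "tactic": step.tactic,
                        "description": step.description, "outcome": outcome,
                        "rules": ";".join(r.name for r in hits)})
    return results


def coverage_sheet(results: List[Dict[str, str]]) -> str:
    """Render results as CSV: the spreadsheet filled in during the test."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["technique", "tactic", "description", "outcome", "rules"])
    writer.writeheader()
    writer.writerows(results)
    return buf.getvalue()


def summary(results: List[Dict[str, str]]) -> Dict[str, int]:
    """Count outcomes, the numbers a KPI report would carry."""
    counts: Dict[str, int] = {}
    for r in results:
        counts[r["outcome"]] = counts.get(r["outcome"], 0) + 1
    return counts


if __name__ == "__main__":
    independent = run_plan(PLAN, RULES)
    print(coverage_sheet(independent))
    print("independent:", summary(independent))
    print("chained:", summary(run_plan(PLAN, RULES, chained=True)))
```

Run independently, the sheet shows one prevented step, one detected step, one rule that exists but did not fire (the LSASS use case needs tuning, not a new rule), and one technique with no coverage. Run chained, the gateway block ends the scenario after the first step, which is why emulation alone can hide the two downstream problems that the independent BAS-style run exposes.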
We will close this section with one last definition – the concept of threat-informed defense.
Threat-informed defense
Threat-informed defense, in a few words, is exactly what purple teaming is trying to achieve. In the next chapter, we will see in more detail what it is exactly and how it works, but meanwhile, here is the definition from MITRE of the threat-informed defense approach – https://www.mitre.org/news/focal-points/threat-informed-defense:
Now that we understand the key definitions of the concepts in this book, the next section will highlight the cybersecurity issues organizations are currently facing.