To more effectively address the cybersecurity risks and challenges in 2021, try ‘purple teaming’ to assess, visualize and manage your existing investments.
A Canalys report predicted that, even in these challenging times, cybersecurity investment would grow by up to 6% in 2020, reaching US$43.1 billion globally. To manage the elevated cyber risks in today’s landscape, many organizations are reassessing their security posture and rethinking their cybersecurity approach.
To make informed cyber risks management decisions and better prioritise security investments, organizations first need to assess their current security posture and understand how their cybersecurity measures fare against current threats.
For many organizations, red and blue teaming exercises are key ways to assess their cyber defenses.
While these established practices can help organizations strengthen their security posture, they have their limitations. To effectively harness their current readiness to transform and develop a long-term cybersecurity strategy, organizations can look to ‘purple teaming’, which is also critical for organizations looking to transform their security approach and ramp up their cybersecurity investments by allowing management to visualize the security challenges on the ground and help security professionals translate technical cyber risks into business language.
CybersecAsia finds out more about purple teaming in an interview with Lim Minhan, Director for Assurance in Ensign Consulting, Ensign InfoSecurity.
What are the key cybersecurity threats and risks that organizations in Asia Pacific face in 2020, and will likely face in 2021?
Lim: 2020 saw organizations dramatically changed by COVID-19 as it exponentially increased the velocity and magnitude of digital transformation, resulting in the shift from manual processes to digital-based processes across all industries.
With the remote working arrangements necessitated by lockdown and safe distancing measures, employees needed to access corporate services and data through their mobiles and home networks, away from the typically well-defended enterprise networks. This provides a vulnerable and much easier access path for threat actors to exploit. Moreover, the rushed implementation of remote working technologies such as virtual private networks (VPNs) and virtual desktop infrastructure (VDI) may expose enterprises with poorly configured solutions, leaving them more vulnerable than before.
At the same time, cyberthreats continue to evolve, making 2020 an exceptionally challenging year for cyber defenders.
Organizations are seeing new waves of phishing campaigns as opportunistic threat actors exploit COVID-19 to launch more effective social engineering attacks. In a COVID-19 related phishing exercise conducted by Ensign, more than 35% of the organization’s employees clicked on the link in the mock phishing email and provided their personal information. This is 10% higher than the average result of past exercises. This proves that despite the normal level of vigilance observed in enterprises, a well-crafted phishing campaign exploiting the situation can still deliver exceptional results
Besides, COVID-19-themed attacks, threat actors are also devising more insidious attacks against organizations, such as waterhole attacks. This method enables threat actors to execute supply chain attacks where, for instance, they infect servers containing updates of popular software and replace these updates with malicious codes to spread malware. This allows threat actors to achieve mass infection, especially when the vulnerable web server is popular and trusted by end users.
We are also seeing increasing waves of cyberattacks aimed at the cyber supply chain of their targets as threat actors are constantly seeking the easiest ways to circumvent cyber defense. While large enterprises typically have robust cybersecurity measures in place, some of their suppliers or partners might not be as well-protected and can be easy points-of-entry for attackers.
Furthermore, organizations today are more reliant on technology services providers as they ramp up on cloud adoption and migration, as well as deploy more remote work and collaboration tools. If threat actors successfully breach and infiltrate one of these service providers, they can steal sensitive data, including personally identifiable information (PII) and intellectual properties (IPs) of multiple organizations using their platforms or services.
According to Ensign’s Singapore Threat Landscape report, the high technology industry—which includes cloud, data center, and web hosting service providers that serve many other enterprises—is already the top target for threat actors. The trend is likely to continue into 2021 as threat actors can achieve economies of scale by targeting these technology companies.
What should organizations take note of when tackling the cybersecurity challenges related to People, Process and Technology?
Lim: Managing cyber risks is an increasingly challenging task for organizations in today’s disrupted landscape. Besides protecting systems and networks from evolving cyberthreats, organizations also need to assure their customers, partners and regulatory authorities of the security, integrity and resilience of their digitalized and interconnected operations and processes.
As technology environments become increasingly complex, organizations will need a holistic and layered cybersecurity strategy that seamlessly combines People, Process and Technology. This way, they can more effectively manage the multitude of cyber risks they are likely to face, and protect their distributed networks.
Here are key recommendations that that organizations can take into consideration for each of these pillars while formulating their cybersecurity approach for 2021.
- People – While “people is the weakest link” is a common saying in the cyber industry, employees can actually be the first line of cyber defense, if organizations provide the right knowledge and training for their staff. Leaders in organizations should take the lead and walk the talk in engendering a security culture, versus one that is focused on achieving security compliance. Organizations should continue to improve the security awareness of employees through initiatives like phishing exercises and cybersecurity awareness trainings. This will strengthen organizations’ resilience to malicious campaigns and evolving cyber threats.
- Processes – Robust processes must be in place to help the management establish visibility on the ground, and identify weaknesses or gaps timely and systematically. This can be done through regular cybersecurity assessments to identify critical assets, gaps, vulnerabilities and risks, enabling the management to perform strategic planning and to prioritize remediation efforts. Incident response, patching and maintenance processes must also be put in place to reduce cyber-related risks and ensure that identified vulnerabilities are efficiently resolved to protect against exploits and cyberattacks.
- Technology – Organizations need to develop a short-term and long-term plan to solve immediate problems, and to build resilient systems. Since planning a long-term cybersecurity strategy, as well as investing and implementing certain solutions might take time, one immediate priority is to gain visibility over critical assets, and ensure continuous monitoring for cyber threats. These can be done through continuous anomaly detection solutions which can help detect and respond to any anomalous activities potentially targeting critical systems.
In the long term,organizations should adopt a more proactive strategy to threat detection. This would require greater accuracy and robustness beyond traditional signature-based threat detection models. Organizations should leverage on behavioral-based threat detection capabilities against evolving threats. Additionally, organizations should look at implementing endpoint detection and response solutions to further extend monitoring on user devices even if they are operating outside of the corporate network. To manage the larger volume of alerts from these tools, and avoid human errors that may result from alert fatigue, manual processes should be automated as much as possible.
What is ‘purple teaming’ and why is it essential for organizations in the current landscape? How is it different from red and blue teaming? How does it help in cybersecurity planning and investment?
Lim: Purple teaming is a cybersecurity approach where a team of experts take on the role of both red and blue teams with the intention of maximizing cyber capabilities through continuous feedback and knowledge transfer. The collaboration between the attacking and defending teams makes the greatest difference between typically red or blue teaming exercises.
Red team has traditionally been focused on taking up the role of the aggressor, and executing real-life adversarial techniques to help organizations identify and address vulnerabilities across their digital assets. Red teams are not expected to iterate through possible attack permutations, but rather conduct a “one-time” exercise to deliver objective-based security assessment of a targeted system. On the other hand, blue team would be the defenders in these exercises, where experts need to find ways to defend, change and re-group defense mechanisms to make threat response much stronger.
Red teaming exercises is typically used to identify weaknesses in blue teams’ defense, and the red teams’ success is usually a demonstration of weaknesses in blue defense. This puts both teams at odds with each other, and the lack of collaboration and comprehensive knowledge transfer between these two teams can hobble the organizations’ ability to validate security controls continuously and in depth, and impair their decision-making process.
As cyber threats continue to evolve, there is an increasing recognition that red teams and blue teams should take on a more collaborative approach. This gave rise to the concept of purple teaming.
The key distinction between purple teaming versus red teaming is that, with the former, the attack and defense plans are all predetermined. The attacker will first identify a control, and iteratively conduct tests to either attack or bypass it. At the same time, the attacker will coordinate with the defender in ways that either serve to improve detection or defeat the bypass. Often, the teams will co-locate to collaborate, the purpose of which, for example, is to observe how the permutating attacks on the identified control would be detected or otherwise, and discuss the optimal settings to prevent a bypass.
As a result, the outcome is no longer limited to purely identifying system vulnerabilities. Instead, both teams will be testing controls in real time and simulating the different attack profiles likely used by actual threat actors. This shifts the testing from passive to active where the teams can apply the most aggressive attacks and conduct more complex “what-if” scenarios through which security controls and processes would be more deeply understood. Any identified weakness could therefore be fixed more comprehensively.
Additionally, purple teaming exercises can also help bridge the gap in understanding between business leaders and cybersecurity professionals. One of the most common challenges we have seen in many organizations is, business leaders and management teams typically do not have visibility over the cybersecurity challenges faced on the ground. On the other hand, the cyber teams have difficulty translating the technical nature of security risks into business language. A purple teaming engagement can help bridge this gap as the exercise could include the emulation of attacks by known threat actors and provide evaluation on how an organization’s defense stacks up against these attacks. Such exercises will enable business leaders to better visualize the return on investments of the cybersecurity solutions, as well as understand the importance and need to invest in specific cyber solutions or services, moving forward.
What are some best practices for adopting purple teaming in an organization?
Lim: For organizations looking to conduct purple teaming exercises, there are three key aspects that they need to consider when planning for it:
- Defining clear and concise objectives and outcomes
Before executing the purple teaming exercise, it is important to clearly define the desired objectives and outcomes – one example could be to enhance detection against insider threats attempting data exfiltration. Charting out such goals can help team members understand what the organization is looking for in the exercise and allow them to focus on enhancing the key detection and response controls. It also helps build up different threat scenarios and relevant action plans modularly—hence the overall blue team competency—over time.
- Establishing relevant rules of engagement and responsibilities lines
Like other security assessments or engagements, purple teaming can have inherent risks. For example, simulated adversarial actions could potentially affect operational systems, and cause unintended business disruption. Therefore, it is important to define engagement rules and out-of-bound markers, limiting the attacking team’s actions only on permitted systems.
It is also important to identify responsibilities of other stakeholders in the purple teaming exercise, besides those of the attackers and the defenders. For instance, the system owners (involved in the exercise) should be identified, and procedures should be in place to recover affected systems expediently to minimize potential business impact.
- Detailed documentation of adversarial and defense activities
During the engagement, it is crucial to log all the adversarial activities detailing the commands issued, including the parameters used. Likewise, for the defending team, audit trails and all relevant logging functions should be turned on as far as practicable. Reviewing and comparing these data sources will facilitate the analysis to identify defense weaknesses and optimal security configurations for detecting latent threats.
Organizations need to bear in mind that purple teaming is a collaborative approach that hinges on healthy and iterative communications between the two involved teams to share knowledge, and be better prepared for cyber threats. By planning and structuring purple teaming exercises, organizations will be able to get more insightful outcomes, and have a more thorough and realistic assessments of their security posture. The information will be vital in enabling them to understand themselves better, and make more informed cybersecurity decisions when planning their future cybersecurity strategies and investments.