From the SolarWinds attack to the attempt to poison Florida city’s water supply and the Colonial Pipeline shutdown due to ransomware, recent months have demonstrated how aggressive cybercriminals have become—which raises the question: are modern cybersecurity solutions really that ineffective?
With one major attack after another, the expectation is that organizations would have already undertaken measures to review their systems and enhance their cybersecurity. Alas, this has not been the case. Some settle with the thought that these major attacks are state-sponsored, so defying them would have been virtually impossible anyway.
In view of all of these, it is worth revisiting the lessons from the U.S. Cyber Command following the September 11th terrorist event and the rise of cyber-attacks. The last decade has seen the United States making its transition from a defense-heavy approach towards a “threat-informed defense” strategy.
This new direction in dealing with cyber risks is comparable to what is known as purple teaming in the field of security testing. Instead of focusing all efforts on what the defense team can do, the security team collaborates with adversarial “insiders” to enhance their insights on how attacks are made more effective at bypassing security controls and infecting systems.
Purple Teaming and the U.S. Cyber Command (USCYBERCOM)
The U.S. Cyber Command (USCYBERCOM), one of the unified combatant commands of the Department of Defense that focuses on cyberspace operations, offers lessons useful in dealing with the worsening problem of cyber-attacks at present.
In a discussion about threat-informed defense between former Defense Department employees and cybersecurity experts Jonathan Reiber and Ben Opel, three lessons from the U.S. Cyber Command were examined. These are (1) the need to understand the adversary’s approach, (2) the identification of valuable data and defense capabilities, and (3) the establishment of tight links between teams to target threats and validate defenses.
Reiber says “a blue team becomes “purple” when it emulates the adversary as a means of self-evaluation. In the process of adopting a threat-informed defense strategy, blue teams should ask whether they understand the most dangerous threats they face; they understand their organizational mission, the center of gravity, and critical vulnerabilities; and understand and trust their security control architecture and teams.”
No New Team Needed
“The good news is that integrating an adversary mindset requires organizational effort but not necessarily new team members,” says Reiber as he explains the shift towards a threat-informed purple team defense approach as an emulation of the adversary to bolster self-evaluation.
This applies to all kinds of organizations. Even Managed Security Service Providers (MSSPs) can offer purple teaming without significant changes in their security testing infrastructure. They can employ a purple teaming module designed for penetration testers to facilitate the formulation, automation, and provision of red-blue team exercises that ensure active protection through the optimization of the SOC’s ability to detect threats and rev up incident response.
Reiber describes the Commander of USCYBERCOM as the “Director of Threat-Informed Defense” for cyberspace, considering that the role and position is similar to what a purple team does. “The role will not require a new team member, but someone who is dual-hatted to lead purple teams forward in a threat-informed defense strategy,” Reiber says.
Purple teaming does not necessarily mean the creation of a new team in addition to the red and blue teams. It only means a new paradigm or methodology that involves cooperation between the attacker and defender sides, which still operate independently but are being emphatically bound by the same goal of fortifying an organization’s cyber defenses. The independence between the two is crucial for them to perform their separate tasks without presumptions and previous knowledge of what may be undertaken.
However, the teams that assume completely opposite responsibilities actually get to share insights that can aid the tweaking of each other’s actions. The blue team may help in making attacks less detectable and more effective at penetrating security controls by sharing with the red team details they are unsure about. For example, they can share the changes they implemented in the Microsoft Windows Server 2016 R2 domain policies to give white hat attackers an idea of possible vulnerabilities and exploits.
Conversely, the red team can help in strengthening defenses by sharing with the blue team the how’s of their attacks instead of leaving them to figure things out on their own. They can advise the blue team if their SIEM solutions, IDS and IPS software, or endpoint security are not working as intended. They can offer guidance on what may have been missed in the course of analyzing network logs and device memory to detect anomalous activity.
Moreover, organizations can rely on external support such as the MITRE ATT&CK framework, which is a threat-informed defense approach in detecting and understanding adversary behavior to establish active defenses and better responses. Many purple teaming systems, including the USCYBERCOM, take advantage of this globally accessible framework.
Continuity, Consistency, and Cooperation
In 2018, the USCYBERCOM created a “small group” that focused on state-backed attacks including Advanced Persistent Threats (APTs) aimed at tampering with the U.S. elections. This group demonstrated the close links between the USCYBERCOM and National Security Agency to operate in a mutually beneficial intelligence-operations cycle that accelerates the search and following of leads.
At present, the U.S. Cyber Command has the defense-oriented Cyber Protection Teams as the main body that focuses on adversary techniques, tactics, and procedures. They take on the role of white hat attackers constantly bombarding organizations with cyber-attacks to test their ability to detect, prevent, mitigate, and remediate cyber assaults.
There has been a conscious effort to make sure that the persistence and ceaseless evolution of attacks are dealt with. However, no security system can ever be perfect. There were still successful attacks, most notably against government entities, even with the presence of the USCYBERCOM.
This does not mean that the improvements have been futile. In many cases, the attacks succeeded because of human error or negligence. The 2020 United States Federal Government incident, which was a supply chain attack on SolarWinds’s Orion software, had the human error signs all over it. For one, the U.S. Federal Government did not have a Director of the Cybersecurity and Infrastructure Security Agency (CISA), who was supposed to serve as the top cybersecurity official. As a result, several cybersecurity recommendations from the federal level have been left unimplemented.
Additionally, if organizations have been consistently and continuously implementing purple teaming, red flags would have been planted all over SolarWinds’ requirement for organizations to disable their antiviruses during the installation of the SolarWinds software. With many organizations reporting this risky process, something could have been done about it and the warning about the company’s FTP server security would have been taken seriously.
For the idea of purple teaming to work, it has to be consistent and continuous. Cybercriminals never stop and do not follow schedules for their attacks. It only makes sense to have a cyber-defense strategy that is equally unending and also automated to solidify threat hunting capabilities and optimize incident response playbooks. This continuity and automation also lead to better APT simulations and swifter correlations between security control test results and attacks.
Also, cooperation or collaboration is a key ingredient that should never be taken for granted. Purple teaming does not work if the people manning and overseeing it are dysfunctional from the start. The U.S. Cyber Command has indeed imparted valuable lessons about the viability of purple teaming, but it also showed how vital it is to have the right people in place as purple teaming, even with automation, does not automatically result in guaranteed protection.