We have all heard that "practice makes perfect", right? This may have been motivating during school, or while playing on a sports team, but what about today? By now, you've probably figured out that it's impossible to be perfect, and that is perfectly fine (pun intended). In the information security field, all organizations are bound to experience a breach at some point. Today, we are seeing organizations shift their investments to detection and response, rather than focusing on attack prevention alone. Some organizations are even operating under the "assume breach" model. Despite these different approaches, many of these organizations are failing to actually test and practice for a real, malicious attack. Many CISOs are not sure whether their security investments are working as budgeted or advertised.
Practicing is key when learning to detect and respond to a breach. The argument presented in this post is that there may be no better way to learn your organization's strengths and weaknesses than by running adversary emulations via a Red Team Engagement or Purple Team Exercise. Check out our prior post on the Ethical Hacking Maturity Model for more about the difference between these types of assessments, but at a high level:
Adversary Emulation is a type of ethical hacking engagement in which a Red Team imitates how an attacker operates. It leverages frameworks like MITRE ATT&CK to identify the specific tactics, techniques, and procedures (TTPs) that a real threat actor might use against an organization. Rather than focusing on attacks that are unlikely to occur, these engagements draw upon Cyber Threat Intelligence to identify adversaries with the intent, opportunity, and capability to attack. Adversary Emulations may be performed in a no-knowledge manner (Red Team Engagement) or a full-knowledge manner (Purple Team Exercise).
These offensive assessments can become expensive, time-consuming, and disruptive. However, proper planning can eliminate those difficulties. The key to success here is investing in the correct people, process, and enterprise-grade technology. Adversary Emulations can deliver some very compelling benefits. Here are the top 10:
Organizations assume that they have working security controls because they paid for them. Many vendors offer "ransomware protection", and companies purchase it without ever testing it. It is easy to assume that because budget is allocated to a particular security control, it must be working. It is extremely important to have your red team test those assumptions.
There is a false idea that offensive security assessments only point out what does not work. By testing against adversary behaviors, your organization will identify and highlight what IS working. It is important to understand the strengths of the organization and continue to build and grow in those areas.
It is important to measure progress in order to truly see growth. It is difficult to pinpoint the exact time a breach occurs, which makes it even more difficult to respond properly. This is why red team exercises are so important. During a red team exercise, the team records the time of each action in order to measure the detection and response of the people, process, and technology. If your red team uses an enterprise-grade platform such as SCYTHE, attack chains can be paused, rewound, and even replayed in order to measure improvement between runs.
People are a huge component of security. They are the first and best line of defense against an attack. This ranges from the staffer who reports a phishing email to the Security Operations Analyst who recognizes that running PowerView from an accounting system is not normal behavior. The information security landscape is ever changing; therefore, training must be a top priority. It is important to provide technical training and to walk through incident response plans and playbooks in order to work out the kinks in your team's response before a real attack occurs. Think of it as a blue-team fire drill.
Response times will improve as your organization runs more Red Team engagements. Organizations can now measure detections within minutes. The ability to improve detections and then replay the same attack chains improves response time far faster than a yearly manual assessment.
Organizations keep consulting providers on retainer for responding to attacks, such as for digital forensics and incident response (DFIR). By testing and measuring their people, process, and technology, organizations will be equipped to allocate an accurate budget to these service providers. Exercises also allow them to test how quickly their service providers can onboard to assist in a real attack.
The most obvious benefit of performing red team engagements is the ability to identify weaknesses in your defense. While penetration tests find weaknesses in your technology, red team engagements can identify the weaknesses in your defenses. This allows you to identify security tools that are not working as expected, and to understand which security controls have the capability to detect once tuned correctly.
Most organizations have a set of policies, standards, and guidelines that are seldom updated. Information Security is a fast-paced field, and year-old policies can rarely keep up. Red Team engagements give you a holistic view of your organization and can lead to the updating of archaic documents. For example, it is no good if your password standard still requires only a minimum of 8 characters. Red Teams can also help the organization find places where policy non-compliance exists, and where tech debt has accumulated without ownership.
There are multiple regulatory frameworks that require threat-led penetration testing and adversary emulation in various industries and regions around the world. If your industry, country, or region does not require these engagements, it is still a great idea to look into them and consider running an exercise following the industry standards at least once every two years.
"Would that attack be successful here?" is one of the most important questions. It cannot be answered with a data-driven conclusion without testing against known adversary behaviors from previous attacks. Senior management needs to be sure of the answer to this question, and the only way to get an honest answer is to test those behaviors against yourself. Check out the largest public repository of adversary emulation plans on the SCYTHE GitHub.
They say practice makes perfect. Therefore, it is logical to accept that Adversary Emulations serve an important function in measuring and improving your people, process, and technology. Organizations are beginning to accept that a breach by a real, malicious attacker is inevitable, which means they are focusing on how to detect and respond. A breach, however, does not necessarily mean definite impact for your organization. It is important to build resilience in order to act in time and avoid business impact. This can be achieved by performing Adversary Emulations as Red Team Engagements or Purple Team Exercises.
If you are ready to begin performing Adversary Emulations, check out our other post:
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn able to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.