Blue Team Training, Assumed Breach, and Shifting Security Left

The movement to “shift security left” focuses on mitigating risk as early as possible within the development cycle by engaging in open source code reviews and monitoring for reachable vulnerabilities. However, as part of this shift left movement, organizations are also changing their approach to post-implementation security monitoring. By taking an assumed breach approach to security, organizations shift security from reactive to proactive. This process follows the shift left mentality by looking for risks at the earliest stages possible even after deployment. Providing the right blue team training using an assumed breach paradigm establishes a proactive security posture that reinforces shift-left security practices. 

Understanding “Shift Left”

Traditional application development processes reviewed security controls as a final stage in the software lifecycle. As DevOps teams began embracing agile strategies and security became increasingly important, teams began building in security tests throughout the software development lifecycle (SDLC).

DevSecOps addresses security from the earliest possible development stage. It continues to incorporate reviews across the lifecycle as part of the continuous integration/continuous development (CI/CD) process. By reviewing application security continuously and consistently, organizations deploy more secure applications. 

Where Assumed Breach Fits Into the Shift Left Mentality

Underlying the shift left mentality is the goal of mitigating security risks as soon as possible. By building security directly into development processes, applications should be more secure. However, while this reduces risk, ongoing risk monitoring and defensive strategies remain fundamental to cyber resiliency. 

Security requires defense in depth, including validating people, processes, and technology. While securing applications during the development process mitigates risk, organizations still need to supplement that by ensuring the security of their production environments. The assumed breach paradigm treats the environment as compromised, accepting that data breaches are inevitable. Assuming all systems, networks, and applications have already been breached should be considered fundamental to Shift Left because it takes a proactive approach to security risk mitigation. By reinforcing proactive defensive capabilities, organizations “shift” their ongoing security activities left, moving away from simply reacting to a known security incident. 

Research indicates that organizations increasingly recognize the need to train their Blue Teams more effectively and “shift” their monitoring toward a proactive approach, noting that in 2020:

• 96% of Blue Teams performed regular tests
• 4% conducted tests at least once per month
• 46% conducted tests every 2-6 months
  

The same research found that the top defensive skills Blue Teams needed experience which included:

• Threat detection
• Incident response
• Knowledge of threats/tactics
  

This move toward a proactive approach to security - starting with the “shift left” movement and the assumed breach paradigm - highlights the value that Blue Team training offers organizations. 

Where Traditional Exercises Fail Blue Teams

While Red Teaming is often an organization’s focus, giving Blue Teams the experience they need with real-world threats and tactics is fundamental to taking a proactive approach to security. 

Tabletop Exercises

Though these are the most common exercises run by an organization, they solely focus on discussion. Tabletop exercises provide a scenario and allow the team to discuss their hypothetical responses. 

While these ensure the understanding of  roles and responsibilities, they lack the hands-on quality that provides real training for Blue Teams. The scenarios often assume that detections or technologies work as intended. 

Attack Simulations

Simulations offer the hands-on technology that Blue Teams need. They can validate an organization’s security technologies to a limited extent. 

However, simulations provide limited experience. Defenders may memorize a series of steps associated with one type of tactic, but the platforms often fail to give them real-time, real-world experience. 

Threat actors continuously evolve their methodologies, and many attack simulation platforms fail to provide the updates necessary to train Blue Teams on new tactics. This means they lack the training needed to be successful and proactively mitigate risk. 

Emulation with Attack, Detect, Respond (ADR) Technology to Educate Blue Teams

ADR educates Blue Teams by giving them hands-on experience with real-world tactics, techniques, and procedures (TTPs). 

Experience with New Threat Tactics and Techniques

With ADR, Blue Teams can create - or have their Red Teams create - synthetic malware in the production environment. These emulations can be updated and customized based on new TTPs seen in the wild.  Instead of running the same old rote-memorization simulations, ADR gives Blue Teams the evolving training they need to proactively defend against new types of attacks. 

Training with Complexity

ADR enables Blue Teams to test against realistic attacks by running emulations with multiple TTPs. Attackers don’t just use one way into an organization’s systems, networks, and applications.  This gives Blue Teams the hands-on experience with complex attack types that help them better prepare for a real-life incident. 

Incorporate Contextual Business Risk into Training

Different industries face different attack types. ADR gives Blue Teams a way to incorporate contextual business risk by emulating the tactics and techniques specific to an industry or region. By leveraging threat intelligence, Blue Teams can stay ahead of attackers who may be trying to target an industry with a specific malware type. 

Validate Tools for Enhanced Detection and Response Capabilities

With increased cybersecurity technology stack complexity, Blue Teams need a way to create high fidelity alerts for better threat visibility and reduced alert fatigue. Using ADR gives them the training needed to test tools against new tactics to ensure a faster response. This training enables them to implement proactive security risk mitigation. 

Upskill Blue Teamers Faster

To overcome the cybersecurity skills gap, Blue Teams can use ADR to empower less experienced team members. Blue Teams can run targeted emulations that help their team members get up-to-speed quicker. 

SCYTHE: ADR To Train Blue Teams for Proactive Security

Defense in depth requires ensuring that you have as many protective measures in place as possible. Securing the application development lifecycle is the first step to mitigating risk. However, organizations also need experienced Blue Teams who can implement successful proactive defensive security. 

SCYTHE’s ADR provides the necessary hands-on experience that Blue Teams need. Our easy-to-use drag-and-drop interface means that anyone can create malware emulations in real-time. Our non-intrusive ADR means that Blue Teams can run emulations in the production environment, giving them the ability to fine-tune security technologies, validate controls, and reduce alert fatigue. 

For more information on how SCYTHE’s platform trains Blue Teams, contact us today.