The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Matthew Hickey, co-founder, CEO, and writer for Hacker House. In this blog post, Matthew talks about the benefits of a purple team and offers best practices for building a successful one.
Natalia: What is a purple team, and how does it bridge red and blue teams?
Matthew: The traditional roles involve a blue team that acts as your defenders and a red team that acts as your attackers. The blue team wants to protect the network. The red team works to breach the network. They want to highlight the security shortcomings of the blue team's defenses. The two teams aren't ever working on the same objective to secure information assets and eliminate information risk, as each is focused on the objective of their respective team: one to prevent breaches, the other to succeed in a breach.
Purple teaming is an amalgamation of the blue and red teams into a single team to provide value to the business. With a successful purple team, two groups of people normally working on opposite sides of the table are collaborating on a unified goal: improving cybersecurity together. It can remove a lot of competitiveness from security testing processes. Purple teams can replace red and blue teams, and they're more cost-effective for smaller organizations. If you're a big conglomerate, you might want to consider having a blue team, a red team, and a purple team. Purple teams work on both improving knowledge of the attacks an organization faces and building better defenses to defeat them.
Natalia: Why do corporations need purple teams?
Matthew: Computer hacking has become much more accessible. If one clever person on the internet writes and shares an exploit or tool, everyone else can download the program and use it. It doesn't have a high barrier to entry. There are high school kids exploiting SQL injection attacks and wiping millions from a company's valuation. Because hacking information is more widely disseminated, it's also more accessible to the people defending systems. There have also been significant improvements in how we understand attacker behavior and simulate those behaviors. The MITRE ATT&CK framework, for instance, is leveraged by most red teams to simulate attackers' behavior and how they operate.
When red and blue teams work together as a purple team, they can perform evaluations in a style similar to unit tests against frameworks, like MITRE ATT&CK, and use those insights on attacker behavior to identify gaps in the network and construct better defenses around critical assets. By adopting the attackers' techniques and working with the system to build more comprehensive evaluations, you have advantages your attacker does not. Those advantages come from your business intelligence and people.
Natalia: What are the advantages of bringing everything under one team?
Matthew: The benefits of a purple team include speed and cost reduction. Purple teams are typically constructed as an internal resource, which can reduce the need to reach out to external experts for advice. If they get alerts in their email, purple teams can wade through them and say, "Oh, this is a priority because attackers are going to exploit this quickly since there's public exploit code available. We need to fix this." Unit testing specific attacker behaviors and capabilities against frameworks on an ongoing basis, as opposed to performing periodic, full-blown simulated engagements that last several weeks to several months, is also a huge time reduction for many companies.
Red teams can be blindsided by wanting to build the best phishing attack. Blue teams want to make sure their controls are working correctly. They'll achieve much more in a shorter timeframe as a purple team because they are more transparent with each other, sharing their expertise and understanding of the threats. You'll still need to occasionally delve into the world of a simulated, scenario-driven exercise where one team is kept in the dark to ensure processes and practices are effective.
Natalia: How do purple teams provide security assurance?
Matthew: Cybersecurity assurance is the process of understanding what the information risk is to a business: its servers, applications, or any supporting IT infrastructure. Assurance work is essentially demonstrating whether a system has a level of security or risk management that is comfortable to an organization. No system in the world is 100 percent infallible. There's always going to be an attack you weren't expecting. The assurance process is meant to make attacks more complex and costly for an attacker to pull off. Many attackers are opportunistic and will often move on to an easier target when they encounter resistance, and strong resistance comes from purple teams. Purple teams are used to provide a degree of assurance that what you've built is resilient enough to withstand modern network threats by increasing the visibility and insights shared among typically siloed teams.
Natalia: What are best practices for building a successful purple team?
Matthew: You don't need to be an expert on zero-day exploitation or the world's best programmer, but you should have a core competency in cybersecurity and an understanding of foundational basics like how an attacker behaves, how a penetration test is structured, which tools are used for what, and how to review a firewall or event log. Purple teams should be able to review malware and understand its objectives, evaluate exploits to understand their impact, and make use of tools like nmap and mitmproxy to scan for vulnerabilities. They likewise should understand how to interpret event logs and translate the attack side of hacking into defenses like firewall rules and policy enforcement. People come to me and say, "I didn't know why we were building firewalls around these critical information assets until I saw someone exploit a PostgreSQL server and get a root shell on it, and abruptly, it all made sense why I might need to block outgoing Internet Control Message Protocol (ICMP)."
Hiring hackers to join your purple team used to be taboo, yet hackers often make excellent defenders. Embrace hacking because it's a problem-solving mentality. The information is out there, and your attackers already know it. You might as well know it too, so hire hackers. I've heard people say hackers are the immune system for the internet when describing how their behavior can be beneficial. Hackers are following what's going on out there and are going to be the people who watch an attack and say, "We use Jenkins for our production build. We better get that patched because this new 9.8 CVSS-scored vulnerability came out two hours ago. Attackers are going to be on this really quickly." Breaking into computers is done step-by-step; it's a logical process. Attackers find a weakness in the armor. They find another weakness in the armor. They combine those two. They get access to some source code. They get some credentials from a system. They hop onto the next system. Once you are familiar with the workflow of what your attacker is doing, you get good at knowing which systems will need host intrusion detection, enhanced monitoring, and why. Hackers are the ones who have a handle on your risks as individual organizations and can provide insight as to what threats your teams should be focused on addressing.
Matthew: Making sure people have the right training and the right tooling for their job is also difficult. You walk through any expo floor, and there are hundreds of boxes with fancy lights and a million product portfolios. You could buy every single box off that expo floor, and none of it's going to do you any good unless you've got the right person understanding how that box works and interpreting that data. Your people are more important in some respects than the technology because they're your eyes and ears on what's happening on the network. If you've got a system that sends 50 high-risk alerts, and no one is picking up and reacting to those alerts, you've just got an expensive box with flashing lights.
If you're hiring someone onto a purple team, make sure they are supported to attend conferences or network with industry peers, and invest in their training and education. That is always going to give you better results as they learn and are exposed to more insights, and your people will feel more valued as well.
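The "unit testing attacker behaviours against frameworks" that Matthew describes can be made concrete with a small harness. The block below is an added example, not code from the interview, Hacker House, or Microsoft: each red-side emulation is the constructed telemetry footprint of one MITRE ATT&CK technique, each blue-side detection is a predicate over that telemetry, and the harness reports which techniques have no detection and which rules fire on benign activity. The event format, the emulations, the rule names, and the final ICMP egress rule are all constructed for illustration; the ATT&CK IDs are real, but a production harness would read auditd or EDR events and evaluate the organization's own detection content instead.

```python
"""Purple-team "unit test" of attacker behaviours against MITRE ATT&CK IDs.

Added example, not code from Hacker House or Microsoft. The telemetry
format, emulations, and detection rules are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    """One constructed telemetry record (a simplified process/network audit)."""
    kind: str    # "process" or "network"
    user: str    # account the activity ran as
    detail: str  # command line for processes, "proto dst:port" for network


@dataclass(frozen=True)
class Emulation:
    """Red side: the telemetry footprint of running one ATT&CK technique."""
    attack_id: str              # MITRE ATT&CK technique ID
    name: str
    events: Tuple[Event, ...]


# Constructed emulations following the chain Matthew sketches: a shell on a
# web server, credential access, discovery, then egress to the internet.
EMULATIONS: Tuple[Emulation, ...] = (
    Emulation("T1059.004", "Unix shell spawned by the web application",
              (Event("process", "www-data", "/bin/sh -c 'id; uname -a'"),)),
    Emulation("T1003.008", "Read /etc/shadow for password hashes",
              (Event("process", "www-data", "cat /etc/shadow"),)),
    Emulation("T1046", "Scan the internal network from the foothold",
              (Event("process", "www-data", "nmap -sT -p 22,5432 10.0.0.0/24"),)),
    Emulation("T1095", "ICMP tunnel to an internet host",
              (Event("network", "root", "icmp 203.0.113.10:0"),)),
)

# Constructed benign activity that must not fire: an admin patching over SSH.
BENIGN: Tuple[Event, ...] = (
    Event("process", "root", "bash -c 'apt-get update'"),
    Event("network", "root", "tcp 10.0.0.5:443"),
)

Rule = Callable[[Event], bool]

# Blue side: detection rules as predicates over one event. There is
# deliberately no rule for ICMP egress, so the harness will report a gap.
DETECTIONS: Dict[str, Rule] = {
    "shell_from_web_server": lambda e: (
        e.kind == "process" and e.user == "www-data"
        and re.search(r"\b(sh|bash|dash)\b", e.detail) is not None),
    "shadow_file_access": lambda e: (
        e.kind == "process" and "/etc/shadow" in e.detail),
    "scanner_binary": lambda e: (
        e.kind == "process"
        and re.match(r"(nmap|masscan)\b", e.detail) is not None),
}

# The control a purple team would add after seeing the gap: flag any ICMP
# leaving the network (the same condition would back an egress firewall rule).
ICMP_EGRESS_RULE: Rule = lambda e: e.kind == "network" and e.detail.startswith("icmp ")


def run_detections(events: Iterable[Event],
                   detections: Dict[str, Rule] = DETECTIONS) -> Set[str]:
    """Return the names of the rules that fired on at least one event."""
    events = tuple(events)
    return {name for name, rule in detections.items()
            if any(rule(e) for e in events)}


def coverage(emulations: Tuple[Emulation, ...] = EMULATIONS,
             detections: Dict[str, Rule] = DETECTIONS) -> Dict[str, Set[str]]:
    """Map each technique ID to the rules that caught it (empty set = gap)."""
    return {em.attack_id: run_detections(em.events, detections) for em in emulations}


def gaps(emulations: Tuple[Emulation, ...] = EMULATIONS,
         detections: Dict[str, Rule] = DETECTIONS) -> List[str]:
    """Technique IDs no rule detects, in emulation order."""
    return [tid for tid, fired in coverage(emulations, detections).items() if not fired]


def false_positives(benign: Tuple[Event, ...] = BENIGN,
                    detections: Dict[str, Rule] = DETECTIONS) -> Set[str]:
    """Rules that fire on benign activity; a sound rule set returns an empty set."""
    return run_detections(benign, detections)


if __name__ == "__main__":
    for tid, fired in coverage().items():
        print(f"{tid}: {'detected by ' + ', '.join(sorted(fired)) if fired else 'GAP'}")
    print("false positives:", false_positives() or "none")
    # Close the gap with the new control and re-run the same unit tests.
    hardened = dict(DETECTIONS, icmp_egress=ICMP_EGRESS_RULE)
    print("gaps after adding icmp_egress:", gaps(detections=hardened) or "none")
```

Run stand-alone, the harness reports T1095 as the one gap, confirms that the three existing rules do not fire on the benign sample, and shows the gap closed once the ICMP egress rule is added. Because each emulation is tiny and deterministic, the whole suite reruns in seconds every time a rule or a technique changes, which is the ongoing, unit-test-style cadence the interview contrasts with multi-week engagements.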
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
The post How purple teams can embrace hacker culture to enhance security appeared first on Microsoft Security.