The security community is continuously changing, developing, and learning from each other to better position the world against cyber threats. In the first post of our new Voice of the Community blog series, Microsoft Product Marketing Manager Natalia Godyla talks with Jake Williams, Founder of Rendition InfoSec. In part two of this blog, Jake shares his best practices on how to structure and evolve red and blue teaming within your organization.
What are best practices for organizations maturing their blue team?
First and foremost, go in and look at the event logs and turn on all of the logging that you think will be useful. I work with blue teams today up and down the Fortune 500, and I ask, “Where is this in your event logs?” And they say, “I think maybe my endpoint detection and response (EDR) platform may catch that.” Windows catches that. Windows sees the thing we’re talking about if you have it configured. There are more than 100 event logs, and a lot of them are empty, and the ones that are populated are not logging the best things you can log. A lot of the reason for that is logs get big.
The second cybersecurity best practice is to use Group Policy Objects (GPO) and increase the size of your event logs dramatically. I think the security event log is pegged at 20 megabytes. The way I explain this to folks is I’ve never been an incident responder and worked the case where I walk in and think, “What am I going to do with all these logs?”
Third, actually walk through the audit policy. I want you to go look at it. If you’re a systems architect or a systems engineer, you have to know what’s even available. Not knowing what’s available from an auditing standpoint is almost like going to a restaurant, never reading the menu, and saying, “I heard you had a burger, so I’m going to have that.” And you have no idea what else could be there that could be way better. Go read the menu. Find out what audit logs are available and increase the size of them dramatically.
We’ve had folks do one but not the other. There was this heartbreaking case a couple of years back where they called, and I ended up being on the flyaway team. When they called, we asked, “What auditing do you have available?” We told them to turn it on and increase the size of the event log, and they did one of those two. And when I got onsite and got into that server, there were 18 seconds of security event logs. 18 seconds. It was awesome that they turned some stuff on, but at the same time, I needed the log in general, not 18 seconds of activity. It was just heartbreaking.
Stop trying to be sexy. Every time there’s a major security conference like Black Hat or ShmooCon, I get some red teamers who come back and say, “I just saw this super cool, super awesome technique.” I ask, “Are attackers using that?” and they say, “I’m sure they will be.” When we have credible intelligence that they are, then we’re going to invest that time. Make sure you’re actually providing value back to the organization and understand what that means.
In late 2019, I was at a major insurance company, and they have a red team that is about a third of the size of their blue team, which is just wrong. I asked, “Can I see an example of a report?” And the head of the red team says, “No.” I said, “You do know I have an NDA with you. We’re physically here at your headquarters.” He said that they only share these reports with the executives and that the executives understand the risks. He said that if they tell the blue team how they’re doing everything, they’ll catch the red team immediately.
The biggest outcome of this exercise became how do we stop doing red team for red team’s sake, such as to be a bunch of cool hackers and go break stuff. How do we turn this around so that the red team is providing value to the blue team? Security is a service provider to the organization, and the red team ultimately should be driven by the blue team (their customer). The red team’s goal isn’t to go sneak around and remain undetected for the sake of their egos. The objective is to identify vulnerabilities, missing patches or misconfigurations, or find gaps in coverage for monitoring. The customer for that is the blue team. I look at the blue team as tasking the red team and saying, “Here’s what we need from you.” The red team’s hacking, sexy, cool stuff is secondary.
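The three steps above (see what auditing is available, turn it on, and grow the logs) can be checked and applied from an elevated Windows PowerShell session. The following is an added example written for this page; it is not code from the interview or from Rendition InfoSec. The 1 GB / 256 MB size targets and the list of audit subcategories are assumptions to adapt to your environment, and on a domain-joined host the same settings belong in a GPO (Advanced Audit Policy Configuration plus the Event Log size settings), because a local `auditpol` change is overwritten at the next policy refresh. `Get-LogCoverage` is the "18 seconds" check: it reports how much wall-clock time each log actually holds, which is the number that matters when the flyaway team arrives.

```powershell
# Added example (not from the interview): inventory Windows audit settings and
# log coverage, then raise log sizes and enable commonly missing subcategories.
# Run in an elevated Windows PowerShell session. Sizes and subcategories below
# are assumptions; agree them with whoever owns the log pipeline first.
#Requires -RunAsAdministrator

function Get-LogCoverage {
    # The "18 seconds" check: how much wall-clock time does each log hold right now?
    param([string[]]$LogName = @('Security', 'System', 'Application',
                                 'Microsoft-Windows-PowerShell/Operational',
                                 'Microsoft-Windows-Sysmon/Operational'))
    foreach ($name in $LogName) {
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $log) { continue }            # log not present on this host (e.g. no Sysmon)
        $oldest = Get-WinEvent -LogName $name -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
        $newest = Get-WinEvent -LogName $name -MaxEvents 1 -ErrorAction SilentlyContinue
        $hours  = if ($oldest -and $newest) {
                      [math]::Round(($newest.TimeCreated - $oldest.TimeCreated).TotalHours, 1)
                  } else { 0 }
        [pscustomobject]@{
            Log         = $name
            Enabled     = $log.IsEnabled
            MaxSizeMB   = [math]::Round($log.MaximumSizeInBytes / 1MB)
            Records     = $log.RecordCount
            CoverageHrs = $hours
        }
    }
}

function Get-AuditMenu {
    # "Read the menu": every audit subcategory and whether it is actually collecting.
    # auditpol /r emits CSV; drop the blank line some builds print first.
    # Column names are localized on non-English Windows.
    auditpol /get /category:* /r |
        Where-Object { $_ -ne '' } |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting' |
        Sort-Object 'Inclusion Setting', Subcategory
}

function Set-BaselineAuditing {
    param([int]$SecurityLogMB = 1024, [int]$OtherLogMB = 256)   # assumed targets

    # Step 2: grow the logs. wevtutil takes the maximum size in bytes.
    wevtutil set-log Security "/ms:$($SecurityLogMB * 1MB)"
    foreach ($name in 'System', 'Application', 'Microsoft-Windows-PowerShell/Operational') {
        wevtutil set-log $name "/ms:$($OtherLogMB * 1MB)"
    }

    # Steps 1 and 3: enable the subcategories that answer "where is this in your event logs?"
    # Subcategory settings only take effect when the legacy category policy is not
    # allowed to override them (SCENoApplyLegacyAuditPolicy = 1).
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    Set-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord
    $subcategories = @(                                   # assumed baseline, extend as needed
        'Process Creation', 'Process Termination',
        'Logon', 'Logoff', 'Special Logon', 'Account Lockout',
        'User Account Management', 'Security Group Management',
        'Audit Policy Change', 'Security System Extension', 'Other Object Access Events'
    )
    foreach ($sub in $subcategories) {
        auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    }

    # Event 4688 (Process Creation) is of little use without the command line.
    $audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $audit -Force | Out-Null
    Set-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
}

# Before: see what is on and how far back you can actually look.
Get-LogCoverage | Format-Table -AutoSize
Get-AuditMenu   | Format-Table -AutoSize
# Set-BaselineAuditing      # apply, then run Get-LogCoverage again a day later
```

Run `Get-LogCoverage` first and note the `CoverageHrs` column: a Security log at the 20 MB default on a busy server can wrap in minutes, which is exactly the 18-second situation described above. After applying the baseline, repeat the check a day later; if coverage is still short, the size needs to go up again or the events need to be forwarded off the host.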
What kind of training would you recommend for red and blue teams?
If I’m a blue teamer, I’m going to be staying on the cutting edge of what’s the latest thing happening with system logs. I’m less about tools than I am about techniques. What do I have available from a detection standpoint? I’m not necessarily interested in my blue teamers going out and trying to figure out how to go through exploits, run exploits. That’s a red team kind of thing.
For a red team, send them to conferences. People don’t like to hear this, but the conferences are going to pay off better than any red team courses for anybody who has more than a year of red team experience. The reason is the networking. You network, and you start getting put in these private Slack groups or on email lists. Everybody knows everybody. You’re going to hear about those newer techniques. I’m less about formalized training than I am about getting them into networking opportunities.
What do you think red and blue teams will continue to think about even after the pandemic? What changes are going to have long-lasting impacts on the security industry?
This applies to both red and blue teams, and it’s understanding the attack surface. Something that we’ve seen more than any previous year has to be software-as-a-service (SaaS). We shifted to work from home, depending on which areas of the country, either over a 24- or 48-hour period all the way up to maybe a two-week period. By any measure, it’s insanely fast for a lot of folks to do, and so they made a lot of changes to get stuff done without actually looking at the long-term security implications.
I’m already discussing with customers how to go and document what they did as we went home. In late March, most CISOs I talked to didn’t believe we’d still be at home at the end of the year. They guessed this was a one-month or two-month situation, so risks we were ready to accept for a month look a whole lot different than risks we’re going to live with in perpetuity.
For the folks rolling into holiday standdown time, now is the time to make some of those changes. On the red team side, another big one is: Know your scope, know your scope, know your scope. Just because I have data in Salesforce doesn’t mean you can go hack Salesforce. Your red team needs to know what they legally can do and what they ethically should do, and make sure everyone is aligned there. From a blue team side, you figure out how you want them to evaluate the security of your Salesforce tenant. I think that’s really it: knowing what architecture changes we made as we moved into that fully remote environment, and how many of those need to be revisited. And the answer is a lot of them. I think it’s no secret that a lack of change control drives a lot of breaches.
Both red and blue should absolutely be using threat intelligence. That doesn’t mean every org needs a dedicated cyber threat intelligence (CTI) analyst. It doesn’t mean go buy another threat intelligence feed. What I’m looking at is what we need to prioritize, not based on what could happen but on what we know is happening. Those are two very different things. When I look at the scope of possible bad things that could happen to us, I think: What are we actually seeing in the wild, both in our organizations and in other organizations?
When you learn about a threat that’s targeting a different industry, like healthcare, should you be paying attention to it? The answer is obviously yes, you should be. Just because it’s a big push in one industry doesn’t mean it’s not coming to you. All things being equal, I’m going to prioritize more in my vertical, but I have to have an ear to the grindstone for what’s happening in other verticals as well.
To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity or on LinkedIn for the latest news and updates on cybersecurity.
The post The dynamic duo: How to build a red and blue team to strengthen your cybersecurity, Part 2 appeared first on Microsoft Security.