I got a call recently from a friend and colleague that worked with me over 7 years ago building out the Vulnerability Assessment and Penetration Testing functions at a large financial services firm. He has spent the last few years in the application security space and was just asked to lead a new Red Team at a large energy company. Interestingly, the new Red Team will report up to the Security Operations Center (Blue Team). He had lots of questions but the most important one I want to tackle here is: How do I transition from a Penetration Testing mentality to Red Team mentality and should I focus on Purple Teaming first?
A little background first
After 10 years as an internal offensive security professional, I joined SCYTHE to help organizations mature their security posture leveraging years of lessons learned. I created the Ethical Hacking Maturity Model (covered in SEC565) that documents how offensive security assessments evolved over time:
Most organizations start by scanning their infrastructure and web applications with a vulnerability scanner. There are many tools out there that do this automatically and output a long report focusing on patches and configurations that need to be applied. This assessment can be of higher value if someone validates the vulnerabilities and properly prioritizes the vulnerabilities for the respective environment using the environmental and temporal metrics of the Common Vulnerability Scoring System (CVSS). Overall this process is called Vulnerability Assessment and is part of the Vulnerability Management program
Penetration Testing goes a step further and exploits the vulnerabilities identified. This is the main differentiator from vulnerability assessment where vulnerabilities are only being verified. Penetration Testing involves exploiting vulnerabilities under controlled circumstances; in a professional, safe manner according to a carefully designed scope and Rules of Engagement.
We then realized that adversaries were not just exploiting technology but looking at the target organization holistically. This led to Red Teaming, looking at the organization from the perspective of the adversary. In information security, the Red Team is an objective based stealth engagement with the goal of testing, measuring, and improving people, process, and technology. In particular, Red Team tends to focus on the organizations resilience to an attack: detection and response. Running multiple internal Red Team engagements is different from a one-ff third-party Red Team Engagement.
As we looked at our goals and progress improving the blue team, we realized that working together, as a Purple Team, allowed for more efficient improvements. A Purple Team is a collaboration of various information security skill sets: a process where teams work together to test, measure and improve defensive security posture (people, process, and technology) by emulating tactics, techniques, and procedures (TTPs) and adversary behaviors. The biggest differentiation is that both the attack and defense are done together, sharing the screen, so everyone learns.
As a final caveat to this introduction, this was how we did it over the 10 years I was there and I understand not all organizations are going to follow the same path. The Ethical Hacking Maturity Model is not meant to be a step by step guide e.g. an organization doesn’t stop scanning for vulnerabilities because they are Red Teaming. Instead, these different assessments provide different value propositions; all of these assessments must provide business value!
Red Team Mentality
I think one of the biggest changes from Penetration Testing to Red Team is the mentality. Red Team is "the practice of looking at a problem or situation from the perspective of an adversary" (Red Team Journal). One of the main attributes of Red Teaming is to test assumptions. You may have heard this before as “Being the Devil’s Advocate”. Red Team Engagements are objective driven and stealth meaning the defenders in the target organization are not aware of the engagement. Red Teaming is not only a technical aspect but that will be the focus in this post.
In Information Security, the goal of the Red Team is to make the Blue Team better. One of the ways the Red Team can meet that goal is by emulating adversary tactics, techniques, and procedures (TTPs) to measure the detection and response of the blue team and determine if the organization is resilient to a real attack.
Shifting Focus from Prevention to Detection and Response
One of the main mentality changes is shifting focus from testing only preventive controls in technology to testing and measuring detection and response. One of my favorite quotes from teaching SEC504: Hacker Tools, Techniques, and Incident Handling is: prevention is a goal but detection and response is a requirement. There is value in identifying and exploiting vulnerabilities, but most of those are fixed by preventative measures such as patching and configuration changes. Red Teams may leverage exploits, but they are just a means to an end. Many times, the Red Team may not even need to exploit anything. These steps are called tactics, techniques, and procedures (TTPs).
Evolve from CVE to TTP
Looking at vulnerabilities in technology, we use the Common Vulnerabilities and Exposures (CVE IDs) and the Common Vulnerability Scoring System (CVSS) to report findings using two criteria:
- Status: Open or Closed
- Risk: Critical, Priority, High, Medium, Low, and/or Informational
As we begin to test Tactics Techniques and Procedures (TTPs), we have to shift the mindset of only focusing on prevention. We rarely use “open” and “closed” because we are testing adversary behaviors, not solely vulnerabilities in technology. We have to look at different criteria:
- Prevented - was not allowed to run (blocked)
- Logged - a log was created for the behavior locally or centrally
- Alerted - was an alert created based on the logged action(s)
- Detected - was the alert actioned by a human or automation
- Response - was the documented response process followed
Vulnerabilities in technology are reported and remediated by the system owners, operations teams, engineers, and/or developers. In Vulnerability Management functions, the analysts interact with the respective stakeholders to explain the vulnerability, how to reproduce it, the risk it has, and to recommend remediations. With Red Teaming, the customer is the Blue Team (or the defenders). This can include but is not limited to the Security Operations Center, Threat Hunting Teams, Digital Forensics and Incident Response (DFIR), and/or managed security service providers. If you think about it, everyone in an organization is a defender. Yes, even the Red Team is part of the defenders when a real breach is under way.
Leveraging frameworks and methodologies for building out your Red Team and Purple Team programs is a best practice to show your management, stakeholders, customers and clients you have a repeatable, professional offering. No one wants to hire or agree to an engagement without a plan in place that will bring value to the business. There are many frameworks to start with, some industry and some regulatory.
These frameworks are for understanding how attacks works so they can be emulated:
- Cyber Kill Chain – Lockheed Martin - educated many non-technical consumers on how adversaries work and the steps they perform during a breach.
- Unified Cyber Kill Chain – Paul Pols - university paper bringing together a number of Cyber Kill Chains by various industry contributors such as Laliberte, Nachreiner, Bryant, Malone, Lockheed, and MITRE.
- MITRE ATT&CK - the industry standard and language for Adversary Tactics, Techniques, and Common Knowledge.
These frameworks are for running Red Team and Purple Team Exercises:
- Purple Team Exercise Framework (PTEF) - SCYTHE and industry experts created the Purple Team Exercise Framework (PTEF) to facilitate performing adversary emulations as Purple Team Exercises and/or Continuous Purple Teaming Operations.
- G-7 Fundamental Elements for Threat-Led Penetration Testing - the Group of 7 nations provided guidance on performing Threat-Led Penetration Testing.
- CBEST Intelligence Led Testing – Bank of England - Regulation for financial institutions operating in England.
- Threat Intelligence-Based Ethical Red Teaming – TIBER-EU - framework that can be leveraged by any country in the European Union and offers cross-jurisdiction and mutual recognition of Red Team engagements
- Red Team: Adversarial Attack Simulation Exercises – ABS (Association of Banks of Singapore) - focused on financial institutions in Singapore
- Intelligence-led Cyber Attack Simulation Testing (iCAST) – HKMA (Hong Kong Monetary Authority) - focused on financial institutions in Hong Kong
- Financial Entities Ethical Red-Teaming – Saudi Arabian Monetary Authority - focused on financial institutions in Saudi Arabia
- Cyber Operational Resilience Intelligence-led Exercises (CORIE) - focused on financial institutions in Australia
- A Framework for the Regulatory Use of Penetration Testing and Red Teaming in the Financial Services Industry – GFMA (Global Financial Markets Association) - given all the country mandated regulatory requirements, the Global Financial Markets Association set off to create a global framework that would meet multiple country’s regulatory requirements.
Red Team or Purple Team
After 2 years at SCYTHE helping all types of organizations shift focus from prevention to detection and response, I now know and understand that every organization is different. For an internal function that has a solid vulnerability management and penetration testing function, building an internal Red Team is the most obvious next step. Working with the Blue Team should be done tactfully. Perhaps running a Purple Team Exercise before a stealth Red Team Engagement makes more sense for the collaborative goals of the program, especially if they report to the same manager.
Other organizations may have the internal Red Team in a completely different team and want to baseline how far an adversary would get in an end-to-end, holistic assessment of the organization. In that case, a stealth Red Team engagement would be the ideal place to start.
At the end of either engagement, the Red Team will be working with the Blue Team. Building a collaborative culture will be ideal to efficiently improve the people, process, and technology in the organization. Offense informs defense and defense informs offense. Having an understanding of both attacks and defenses will make for the most mature and prepared teams when the time comes to fight the real fight.
Does all this make sense? Ready to get started? Great! I am going to make this a series of blog posts so that they are easier to digest, reference, and practically use in your organization. The next blog will focus on understanding how adversaries operate and leveraging Cyber Threat Intelligence for performing Red Team and Purple Team exercises.
SANS Red Team and Purple Team Courses
SANS offers multiple 6-day courses covering Red Team and Purple Team; attack emulation and detection and response: