Purple Teaming with Attivo Networks Deception
Written by: Joseph Salazar, Technical Marketing Engineer – In a previous blog, I made a reference to a 1992 movie called Sneakers, which I believe is the first movie portrayal of a Red Team in action. The movie starred Robert Redford, Dan Akroyd, Sidney Poitier, David Strathairn, and River Phoenix as a team of security experts who hire themselves out to companies who want to test their security systems. The term “penetration test” didn’t exist at the time, but nowadays many people have heard of penetration testers and Red/Blue teams, or perhaps “purple teaming,” though they may not be clear on specific functions.
Penetration (or “pen”) testers run an authorized, simulated, cyberattack on a computer system to evaluate the security of the system. Note that this is meant to evaluate specific controls, not to realistically attack the system. On the other hand, Red Teams are meant to play the attacker role. Although organizations may employ an internal Red Team, they are often external entities brought in to test the effectiveness of a security program by emulating the behaviors and techniques of likely attackers in the most realistic way possible. This provides the attacker’s view of the efficacy of a set of security systems, protocols, and processes. To defend against these real and simulated attacks, organizations often run Blue Teams, referring to the internal security team that defends against both real attackers and Red Teams or pen testers.
Organizations have often run Red Team and Blue Team tests with the Red Team “attacking” the organization in isolation, and the Blue Team only knowing that there is an evaluation in progress. The Red Team’s goal is to exploit the network and then provide an evaluation, while the Blue team is meant to defend against the test, but only recently has the concept of “purple-teaming,” or Red and Blue Team tests run collaboratively, emerged as a new approach to testing security.
Purple-teaming is not entirely different from what organizations might already be doing, but instead of each team working separately, they work together to fully evaluate security controls and processes. An important distinction between purple-teaming and standard red-teaming is that the methods of attack and defense are predetermined. The Red Team is no longer seeking solely to exploit the network but to improve the network’s security by putting the organization’s controls and the Blue Team capabilities to a realistic test. This means the Red Team is identifying a control, testing ways to attack or bypass it, and then coordinating with the Blue Team in ways to improve the control or defeating the bypass.
The teams are no longer just identifying vulnerabilities and working based on assumptions. Instead, they are testing controls in real-time and simulating the type of attack scenario likely to occur if a network is attacked. In comparison to a passive pen test or Red Team assessment, purple-teaming is actively identifying gaps in security controls and processes to fix prior to a compromise. By simulating an actual attack, the blue team can test its technical controls and the people responsible for implementing them to identify gaps in coverage. Both teams work together to provide a complete audit of every test that was performed, what succeeded, what didn’t, and why. This is where deception technology can help.
People often talk about deception technology as “better detection against better attackers,” because they gain visibility on in-network attack activity, but what they don’t always consider is how else this visibility can improve an organization’s defenses. Security teams focus on actionable alerts to quickly respond to incidents but may not consider how the attacker bypassed security controls to move laterally inside the network. Deception technology can provide visibility into when and how the attacker bypassed these controls.
The Attivo Networks ThreatDefend® Deception and Response platform gives defenders the ability to detect an attacker successfully engaging with the deception environment, providing early and accurate detection to in-network attack activity. With the visibility and forensic evidence the ThreatDefend platform provides, defenders can identify what security controls the attackers bypassed and how they succeeded. Given its ability to validate the resiliency of network security controls, the ThreatDefend platform is ideal for purple-teaming.
By implementing the ThreatDefend platform, an organization can enhance its purple-teaming activities. The Blue Team gains a detection mechanism that blends in with the operational environment, giving them a chance to detect when the Red Team bypasses a defensive control and engages with a decoy. The Red Team must now be more deliberate and targeted, making for more realistic attack scenarios that truly test the resiliency of a security stack and the processes in place to respond to an incident. The ThreatDefend platform’s visibility features can identify misconfigurations and exposed credentials an attacker can leverage on each production system, giving the Blue Team visibility into where and how the attack can progress. These capabilities work to enhance both the Red and Blue teams, making for more effective and efficient purple-teaming activities.
Organizations are adopting Purple-teaming as a more effective way to evaluate their security controls, and the ThreatDefend platform fits right in.