Accepting that ‘if somebody wants to get in, they're getting in’ has prompted most organisations to ask how exactly that will happen. Most testing, though, remains more about the defences than the defenders. This is the fundamental difference between Attack Simulation and Penetration Testing: it is about reflexes and rhythm, not just controls. And while a thorough penetration test will begin understanding the target from without, with google-fu, enumerating the edge, and identifying phishing targets, moving on to social engineering to test avenues for initial access does not an Attack Simulation make.
Red and Purple teaming meanwhile, as the term ‘teaming’ implies, is the coming together to achieve common goals. In Attack Simulation, this is about the joint testing of exercise objectives. The guiding principle is to improve defender responses and remediate governance on down, far more than vulnerabilities on up. Whether a Red Team can gain initial access should be a much lower priority. Cyber exercises over time should look to establish metrics like Estimated Time to Detection (ETTD) and Estimated Time to Recover (ETTR), but primarily, sound objectives should seek to examine how defending Blue Team members manage adversarial strategies. When reviewing simulated attacks, the specifics of how logs weren’t effective, and how the attack surface permitted techniques to disguise tactics, are valuable, yet any good remediation should already be asking these questions. In Attack Simulation, reviews should do more by looking at what team members are thinking, how their perceptions of what transpires shape their actions, and how adept they are at identifying the procedures of the attacker as investigations unfold. Herein lies the art. Does the Blue Team understand their attacker? How well do they know themselves?
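The ETTD and ETTR metrics mentioned above can be tracked across exercise rounds as shown in this added example (not part of the original article; the play records and timestamps are constructed, and a None value marks a play the Blue Team never detected or never recovered from):

```python
from datetime import datetime
from statistics import median

# Constructed exercise log, not real data: one record per Red Team play, with
# the time the play began, the time the Blue Team first detected it, and the
# time the Blue Team had fully recovered. None means that step never happened.
PLAYS = [
    {"round": 1, "play": "phish-initial-access", "start": "2024-03-04T09:00",
     "detected": "2024-03-04T12:10", "recovered": "2024-03-04T15:30"},
    {"round": 1, "play": "credential-dumping", "start": "2024-03-04T10:30",
     "detected": None, "recovered": None},
    {"round": 1, "play": "lateral-movement-smb", "start": "2024-03-04T13:00",
     "detected": "2024-03-04T14:00", "recovered": "2024-03-04T17:00"},
    {"round": 2, "play": "phish-initial-access", "start": "2024-06-10T09:00",
     "detected": "2024-06-10T09:45", "recovered": "2024-06-10T11:15"},
    {"round": 2, "play": "credential-dumping", "start": "2024-06-10T10:30",
     "detected": "2024-06-10T10:50", "recovered": None},
    {"round": 2, "play": "lateral-movement-smb", "start": "2024-06-10T13:00",
     "detected": None, "recovered": None},
]

def minutes_between(start, end):
    """Minutes from start to end, or None if the end event never occurred."""
    if end is None:
        return None
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60

def play_metrics(play):
    """ETTD and ETTR in minutes for one play; None marks a missed detection or recovery."""
    return {"play": play["play"],
            "ettd": minutes_between(play["start"], play["detected"]),
            "ettr": minutes_between(play["start"], play["recovered"])}

def round_summary(plays, rnd):
    """Aggregate one exercise round: detection rate, medians over detected plays, and misses."""
    rows = [play_metrics(p) for p in plays if p["round"] == rnd]
    ettd = [r["ettd"] for r in rows if r["ettd"] is not None]
    ettr = [r["ettr"] for r in rows if r["ettr"] is not None]
    return {"detection_rate": len(ettd) / len(rows) if rows else 0.0,
            "median_ettd": median(ettd) if ettd else None,
            "median_ettr": median(ettr) if ettr else None,
            "missed": [r["play"] for r in rows if r["ettd"] is None]}

def trend(plays, earlier, later):
    """Change in median ETTD/ETTR between two rounds; negative means the Blues got faster."""
    a, b = round_summary(plays, earlier), round_summary(plays, later)
    return {k: (b[k] - a[k]) if a[k] is not None and b[k] is not None else None
            for k in ("median_ettd", "median_ettr")}
```

The "missed" list is as important as the medians: a play that is never detected has no ETTD, so averaging only the detected plays would flatter the round.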
Two different types of drills help in this respect: double-blind and open-book. The former is Red Teaming, which is the more clandestine. Planning is restricted to working groups so that Blues remain unaware of how and when manoeuvres will commence. Open-book drills are instead conducted in tandem: whether co-located or online, Reds and Blues work through individual plays together. Termed Purple Teaming for obvious reasons, these drills focus on running through established attack procedures alongside corresponding detection and response handling. Workshops may be used in each phase to discuss potential plays prior to live or lab-environment drills, but open-book exercises are still often best conducted after initial Red Teaming exercises. This way, match day strengths and weaknesses can be verified, and then improved upon through training day drills. There is however an element of Purple Teaming that occurs during double-blind exercises, which can be likened to something between coaching and refereeing. If manoeuvres are conducted in production environments, then there is a need to manage risks from the inside as campaigns progress. Likewise, observing defenders with an objective view of the playing field allows for better identification of possibilities not being considered on the field. Sideline Purple Team members therefore write the reports. These stakeholders might incorporate Red Team plants, Blue Team leaders, or other working group members such as Governance, Risk and Compliance officers.
Outcomes from these types of Cyber Exercises can be much more than a list of activities pinned to a checklist. Good objectives should be written to elicit qualitatively rich situations, to assess how different narratives demonstrate or depart from the required outcomes. Attack Simulation at its best does this by investing in understanding people. This is because procedures tend to fall within high-level outlines and are fixed, or at least slow to change. Bianco’s ‘Pyramid of Pain’ demonstrates this, showing how easy it is for attackers to change tactics, but not the combination of things they do to achieve their goals. While this adds attrition through the need to develop new methods, it also creates an equal and opposite need to improve defensive effectiveness. Good objectives must provide value for money by being holistic. Techniques that impair defences, for example, can occur directly by modifying security controls, but they can also be indirect. When dealing with one major breach, teams still need to maintain their standing security posture. One objective therefore may be to create situations that produce choice overload and evaluate how this impairment affects both hierarchical and functional decision making. Gambits involving targeted misdirection often yield plenty of feedback for improvement.
Attack Simulation can exhaust even the largest of budgets. But here’s the pitch: it doesn’t have to. Whether building or bettering your Blues, doing something routinely will not only better protect the organisation, it will also demonstrate the effectiveness of defences as compliance and insurance increasingly demand more from monitoring and response. Red Piranha can help carry out simple incursions to keep teams on their toes, plan extensive campaigns and maturity programs, and guide CREST and ISO 27001 accreditation. The principal goal is to establish an organisational culture that understands not just its adversaries but is also reflective about how it tackles them.