Published by Security Testing and Assurance on 20 September 2024
Businesses in Australia and New Zealand are increasingly recognising the benefits of Purple Teaming, a collaborative exercise between offensive (Red Team) and defensive (Blue Team) security groups to simulate a real adversary attacking a network.
This approach reveals vulnerabilities that may not be typically uncovered in traditional penetration testing. As such, Purple Team is surging in popularity as a Security Testing and Assurance technique businesses are using to protect their organisations.
Analysing data from 100 Purple Team assessments conducted by CyberCX in the Oceania region, we have identified five key common mistakes organisations often make when securing their systems and networks. Reflecting on these, we have also included insights from CyberCX’s defensive Blue Team that show why these issues are so prevalent and how they can be improved.
1. Complacency in security controls
In cyber security attackers often have an advantage. As the saying goes, they only need to find a single vulnerability while defenders need to protect all potential entry points. Given enough time, dedication, and resources, a sophisticated and determined adversary with the knowledge to bypass security tools and abuse misconfigurations can slip past security teams.
Afterall, CyberCX’s Red Teams do this all the time. We regularly succeed in compromising ASX100 companies, despite their use of 24/7 security teams.
Thoughts from the Blue Team
From a defensive perspective, the advantage attackers have is something that all security teams are aware of to some degree. However, this asymmetric dynamic does not mean that all hope is lost. Instead, it means that organisations should focus their efforts on response, containment, and resiliency.
While breaches may be inevitable, major cyber incidents are not. Continuously assessing your defences against the Red Team helps to identify weaknesses, close them before a hostile threat actor exploits them, and drive down the likelihood of a major incident. Adversaries are constantly evolving their tactics and tradecraft, which reinforces the importance of regular Red Team exercises – what may have worked yesterday, may not work tomorrow.
2. Relying on a ‘silver bullet’ security solution (hint… there’s no such thing)
Everyone in the security industry has seen, at one point or another, an alleged silver bullet solution for all their security challenges. A single tool which will apparently defeat every attack and block every adversary. For example, a persistent idea across many security teams is that an Endpoint Detection and Response (EDR) tool is the be-all and end-all of an organisation’s security. Whilst a significant first step, EDRs by their very nature only have visibility to the endpoint on which they are deployed.
With an ever-increasing move to the cloud and adversaries living-off-the-land and performing network-based attacks, EDRs are unable to provide complete protection. To begin to move the needle in favour of the defenders, multiple security controls are needed for thorough defence.
The following controls are most often effective at hindering CyberCX Red Teams in Purple Team exercises:
- Endpoint Detection and Response although not the be-all and end-all, EDR can be effective, ideally with Extended Detection and Response (XDR) components such as identity modules.
- Protocol-aware firewalls to inspect and control network traffic at the application level.
- Application control to allow-listing of applications on all endpoints where possible.
- An adequate Security Information and Event Management (SIEM) with:
- Organisational specific detections
- Anomaly and outlier-based detections
- A team to monitor and triage the detections raised.
Thoughts from the Blue Team
The CyberCX Blue Team is generally engaged where customers already have several controls in place and have engaged CyberCX to investigate incidents 24x7x365.
However, CyberCX has found that a Purple Team exercise is often an extremely effective way for an organisation’s internal security team to effectively articulate the coverage they have with various controls, and to seek further funding to improve this coverage. Purple Teaming also allows an organisation to show the uplift in security provided by increasing this coverage.
3. Poorly configured tools
“Prevention is better than the cure” rings true when it comes to Purple Teaming. All too often we observe glaring misconfigurations in endpoints, applications, cloud, and Active Directory that allow for the execution of well published attacks to achieve objectives.
Eliminating easily exploited vulnerabilities and fixing key configuration issues provides an enormous return on investment by removing easy paths into an environment. This increases the likelihood of adversaries getting caught when they are forced to attempt trickier or more noisy approaches.
Thoughts from the Blue Team
As strong as the overall defences of an organisation may be, it is the purpose of a Purple Team exercise to find misconfigured or forgotten pieces of infrastructure in an environment. This is extremely difficult to combat, as it requires an understanding of both the context of the environment, and what its intended state should be. There are however several solutions which can lend a hand to this, including:
- Cloud posture management tools.
- Breach and attack simulation tools.
- Attack surface management tools.
- More esoteric types of tools, such as Bloodhound enterprise.
Simply put, the best way to identify misconfigured components of the environment is to let the Red Team have a look around.
4. A lack of containment and playbooks
When detections are made Blue Teams are often confronted with a stark realisation: identifying an event is only the start of an investigation.
What comes next is usually a series of confusing questions and difficult conversations, like:
- Does it need to be escalated?
- Who does it need to be escalated to?
- What if they are on leave?
- Is there a playbook for this?
- Do we need to contain this host?
- Are we allowed to contain this host?
- How do we contain this host?
Thoughts from the Blue Team
It’s not uncommon that customers are unable to respond to urgent security matters in a timely fashion, particularly when they have not rehearsed or prepared for these scenarios beforehand. This is especially the case when the customer requires input from teams outside their core security team.
The CyberCX Blue Team encourages customers to conduct tabletop or fully simulated incident response activities, particularly when these can be conducted in a way that includes non-technical teams throughout the business, such as the legal or communications teams.
Not only does this help customers get familiar with the process of handling an incident, but it provides the chance to identify and establish relationships with key stakeholders beyond the core security team. To put it plainly, these types of exercises build muscle memory within an organisation that becomes essential if a cyber incident is realised.
5. Having a false sense of security
Organisations are often overconfident in their controls. They display pride in how “they caught a pen tester on day one” or how they “caught an employee accidently executing a phishing payload”. These high-fidelity alerts lull executives and some security teams into thinking everything is working as intended.
However, you don’t know what you don’t know. It’s not uncommon to see jaws on the floor during Purple Team closeout calls when the full scale of what was accomplished undetected is revealed. This is usually because there was never a program to continually validate controls and simulate attacks aligned with current adversarial behaviour.
Log pipelines break down, API keys and secrets change, detections no longer apply. “We have a detection for that” carries less weight when it is discovered that the detection is broken and has not fired in years. Recurring control validation and Purple Teaming help find these gaps.
Thoughts from the Blue Team
It is incredibly difficult for defenders of an organisation to remain constantly alert. Naturally, any incident tends to come with a feeling of satisfaction at having caught an issue before it becomes a major incident. However this can also provide a false sense of security.
Red and Purple Team activities are an excellent way to keep defenders on their toes, as they constantly push your defences to be better. While threat actors are doing this same thing, very few of them are considerate enough to show you how they did it in a way that enables the Blue Team to improve for next time. Not only do these activities push the Blue Team to be better, but similarly they also help security teams articulate the constantly evolving threat landscape to business stakeholders.
The response and feedback from CyberCX customers have been overwhelmingly positive, with the most common point being the return on investment in Purple Teaming has been immense across all areas involved. And as a result, Purple Teaming has become a staple part of the overall testing program.
Learn more about CyberCX’s Purple Team offering and what we can do for your organisation