Daniel Green, Pursuit Lead
24 mins read
The Annual Cybercrime Report estimates that cyber crime will cost USD $6 trillion by 2021 (more than double the USD $3 trillion in 2015) . In correlation, global spend on cyber security, including products, services, and staff, has never been greater – on track to surpass $133 billion by 2022, having increased by more than thirty times what it was 13 years ago .
With growing recognition of the threat posed by attackers, organizations are undertaking cyber simulations – namely red team exercises) – to prepare themselves for a possible cyber incident. Their goal is to assess their current level of cyber resilience.
An effective red team exercise enables an organization to experience an authentic simulation, mimicking the unfolding of a cyber incident without being subject to a real attack. This enables it to measure its detection and response capabilities against the tactics, techniques, and procedures (TTPs) of an advanced attacker in a safe and controlled environment.
Due to the severe threat to people, businesses, and governments alike, many regulator-led schemes have emerged to standardize the quality and scope of cyber simulations. This has seen greater prevalence in highly-regulated industries, such as financial services and banking. Around the world, noteworthy schemes have been established, including CBEST for the Bank of England, TIBER with the European Central Bank, iCAST with the Hong Kong Monetary Authority, AASE with the Association of Banks of Singapore, and most recently FEER with the Saudi Arabian Monetary Authority.
However, organizations undertaking simulated attack exercises fail in many cases to demonstrate an appropriate level of core capabilities, thereby limiting the value that a simulation can offer. For example, the first round of the Bank of England’s CBEST tests “identified weaknesses in core firms’ cyber resilience... the need for further investment in capabilities to detect, mitigate and respond to attacks... to invest in their people, processes, and technology”.
While red team exercises are an effective tool in an organization’s broader cyber security program, they are not optimized for building and developing an organization’s capabilities; rather, they provide an opportunity to exercise an existing capability and demonstrate its level of effectiveness.
Since the launch of CBEST 5 years ago, the security industry and cyber threats have evolved. In response, there are now a broader range of initiatives available to support the development of an organization’s cyber-security capability. Colloquially referred to as a “rainbow team”, this incorporates a combination of red, blue, purple, and gold team activities.
1. Blue – Threat detection capability development
2. Purple – Threat enumeration, emulation, and detection
3. Red – Targeted attack simulations
4. Gold – Cyber crisis management simulations
Conducting rainbow team exercises as part of a continuous cyber development program in the sequence defined in Fig. 1 enables organizations to utilize the outputs from each subsequent exercise and drive targeted improvements. Each of these activities will support organizations in identifying key development areas, measuring improvement over time, and demonstrating capability uplift across different areas of the firm’s cyber security capability.
Industry-standard cyber security development frameworks (such as those popularized by Gartner and NIST) can be overlaid against a rainbow team approach to highlight the different capability areas being addressed with each exercise. Utilizing a program of rainbow team activities will provide good coverage across such frameworks by delivering holistic improvements, spanning a range of capability areas.
Each rainbow team exercise should also aim to evaluate the organization’s capability in a holistic manner across people, process, and technology (PPT) by answering the following questions:
People – Does the organization have access to suitably skilled and experienced security personnel, who are able to utilize the technology available to them, and effectively detect and responding to malicious activity?
Process – Does the organization have appropriate threat investigation and incident management processes in place to identify an attack and respond in an effective and efficient way that minimizes the impact to the business?
Technology – Does the organization have the required tooling to detect and respond to advanced cyber TTPs?
An effective capability will always balance people, process and technology, as each of the pillars are interdependent. For example, the most advanced tooling and technology is only effective if personnel have the skill to operate it and search for and identify positive indicators of malicious activity. Ensuring the right combination of PPT provides a framework to optimize development initiatives.
For the reasons stated above, if you have not yet undertaken a blue or purple team exercise, or have recently undertaken a red team exercise, it is recommended that you consider broader rainbow team activities before undertaking a further red team exercise.
While it is optimal to begin with a blue team exercise, beginning a rainbow team program with a red team exercise (for example, if you have recently undertaken one as part of regular security testing) can be just as successful. Sequencing aside, resilience demands a balance of activities to ensure that exercises and outputs are not duplicated, and improvements are realized in a cohesive and efficient manner – maximizing the benefit of activities, and optimizing ROI.
More information on each of the exercises, and how they relate to one another, is provided below.
Understand the network and build cyber resilience by implementing key detection and response measures
Many organizations looking to undertake a red team exercise without first undertaking wider rainbow team activities may lack the capability to detect the TTPs utilized by offensive security testers and threat actors alike. The capability gaps can be broken down as follows:
Traditional monitoring solutions rely on signature-based detection, which involves monitoring the network for “known bad” malicious files and activity. However, many modern techniques have been developed to bypass these traditional solutions. Recognizing the evolving nature of cyber threats, many organizations have begun to implement more effective solutions. These observe behaviors, not signatures, and lead to the introduction of advanced capabilities such as threat hunting, which involves proactively searching for Indicators of Compromise (IoCs) inside the network perimeter.
F-Secure defines the routes an attacker is likely to take when traversing a network as “attack paths”. Developing an understanding of high-risk, high-probability attack paths relevant to the digital estate can help organizations plan and implement effective cyber defense strategies by predicting the movements an attacker will make when moving toward a given objective.
In particular, more esoteric and difficult-to-detect attacker techniques associated with a covert, highly targeted attack can be challenging to identify for in-house security operations teams. This is especially true where they typically operate using SIEM-driven solutions characterized by low-fidelity, high volume alerts, primarily on the internet-facing network perimeter. The technologies used should enable skilled personnel to identify more esoteric IoCs and ingest additional monitoring sources, for example at endpoint or application level.
By undertaking regular blue team activities, organizations can build and continually develop their cyber resilience.
Organizations that have undertaken activities to understand their network composition from an attacker’s perspective can benefit from additional, regular blue team exercises. For example, as network architecture continues to change with implementation of cloud-first and hybrid environments, and attacker techniques evolve in accordance with the new attack surface, it is important that organizations refresh their understanding of the network to ensure that emerging attack paths can be understood and integrated into security monitoring.
Similarly, organizations that have developed a baseline or intermediate capability but are still unable to detect more sophisticated TTPs can look to conduct targeted capability development exercises, to improve capabilities in accordance with the identified gaps in skill or coverage.
The next rainbow team exercise in the process, purple team, provides mechanisms for organizations to identify potential skill gaps in order to conduct targeted training as part of blue team exercises.
Measure and improve an organization’s ability to detect indicators of malicious activity
Purple Team exercises involve the enumeration and technical validation of whether an organization’s security controls are effective in either preventing or detecting malicious activity, by testing them against simulated attacker TTPs.
This can only be effectively undertaken once the organization’s critical virtual assets have been identified, the paths an attacker can traverse to compromise said assets are understood, and sufficient threat detection measures across people, process and technology have been implemented.
Red Team simulation exercises are often the standard choice for organizations looking to assess their security capability and level of resilience. However, unless the organization has already performed a thorough and comprehensive assessment of its capabilities, a Red Team can be a suboptimal means of achieving the desired outputs. A Purple Team exercise hybridizes a conventional Red and Blue Team exercise by applying a collaborative focus on development with the emulation of attacker TTPs, to produce a larger suite of remediations and improvement areas.
A red team exercise will typically follow the path of least resistance, taking the shortest and narrowest possible route to the organization’s critical assets. This means fewer controls are tested, and fewer improvements can be identified. A high-level comparison is provided below.
A purple team exercise should involve a holistic assessment of detective capability to determine whether:
An effective purple team engagement will determine an organization’s level of prevention and detection capability across the discrete stages of an end-to-end cyber attack (as represented by the cyber kill chain) against different levels of attack sophistication. The outcome: focused improvement areas to be identified, with clear and measurable outputs.
When run cyclically as part of a rainbow team program, purple team exercises can help firms to continually enhance their cyber resilience in an evidential manner; they are able to identify key development areas (to be addressed through blue team activities) while tracking and demonstrating improvement over time. This approach establishes a clear roadmap of activities towards cyber resilience.
When the organization is confident that there are enough opportunities to detect malicious activity on the network, across varying levels of attack sophistication (including more covert attack techniques utilized by advanced threats), a red team exercise can be undertaken to train and test the established capability.
F-Secure uses the MITRE ATT&CK™ (Adversarial Tactics, Techniques, and Common Knowledge) framework when conducting purple team exercises to provide an industry-wide benchmark for attacker TTPs. ATT&CK is continually updated as TTPs are identified in real-world breaches. Firms who have a good coverage of ATT&CK should be confidently able to detect and respond to a broad range of threats of varying sophistication.
Assess detection and response performance through an authentic, targeted adversary simulation exercise
Only once a firm has “secured” its Attack Paths, fine-tuned its controls, trained its people, and is able to demonstrate evidence-based confidence that the firm is capable of repelling a cyber-attack, should it consider a Red Team test.
A simulated targeted cyber-attack – aka Red Team – is a highly effective method of providing an organization with an understanding of how a real-world attacker will adapt and operate within its environment. It will also give the firm an appreciation of how well it would fare when attacked by an adaptive and capable threat actor or group.
Red Team exercises are most effective when used to evaluate the firm’s capability against business-level objectives which, if realized by an adversary, would result in significant impact upon the business’s ability to operate.
The attacker objectives could include, for example:
Rather than identify all possible methods of achieving these objectives (as may be in-scope of a Blue or Purple Team exercise) Red Team exercises are not exhaustive. Rather, they identify the shortest and easiest route to achieving the objective, in order to prove or disprove that the objective is achievable by an attacker.
Similarly, rather than focusing on the discovery of vulnerabilities alone, Red Team exercises simulate all of the methods at an attacker’s disposal – across People, Process and Technology.
A typical cyber-attack – both real and simulated – will not involve purely technology-based exploits. Attackers utilize a range of techniques, from social engineering to acquire account credentials and establish a foothold on the estate, to abusing legitimate functionality within a network to move laterally and position further attack activities. Therefore, focusing on vulnerabilities alone is not an effective method of simulating a realistic cyber-attack.
By undertaking a realistic cyber simulation using a range of technical and non technical methods with tangible, executive objectives, security professionals can better justify cyber security investment. These objectives can be clearly understood by board-level stakeholders and business executives in the context of business risk, demonstrating the company-wide benefits of advancing cyber resilience.
It is easier to achieve buy-in for cyber defense investment when broader issues and risks can be illustrated Unpatched vulnerabilities fail to strike a chord, because in patching them, just one means of achieving the attacker objective is mitigated, not the risk itself.
The output of an effective Red Team engagement is to:
These outputs can be used to inform further blue team capability development – for example, conducting deeper investigation into the attack paths traversed by the red team, developing skills that would enable the attack techniques used to be detected, or using the scenario as the basis for a business-wide gold team exercise.
Practice and develop the business-wide response to a cyber incident to mitigate business impact
It is highly advisable to conduct gold team exercises as part of regular cyber security development and readiness activities. Regardless of the capability of the firm’s security team or the quality of its security solution, it is recognized across the industry that even the most resilient defenses will eventually fail to protect against a persistent, funded attacker using advanced techniques.
If conducted as part of a cycle of rainbow team activities, a gold team exercise can leverage the outcome of a red team in which the attacker was successful , using it to build the simulation scenario. This can help to further reinforce the impact of the red team to executive stakeholders and model the extent and impact of the compromise following the successful attack.
In F-Secure’s first-hand experience of how organizations fail to effectively manage security incidents, observations include:
Being unprepared will inevitably lead to organizations missing opportunities to contain and resist attacks at the earliest possible point, when damage could have been minimized. At worst, organizations’ responses to an incident serve to increase the severity of the compromise, harming the recovery effort, and increasing the time to restore normal business operations.
Many gold team exercises focus purely on the executive response, when, in reality, there are multiple tiers of activity, communication, and decision-making associated with the business response to a crisis. This includes levels of technical, non-technical, and executive decision-makingThese functions must work together in translating technical actions and discoveries by IT and security professionals to executives, as well as communicating actionable guidance back down the chain of command.
The business-wide response to an incident is just as vitally important as the organization’s response at ground-level. Designated crisis management team members at all levels need to be ready to act in an incident scenario as operational personnel, in order to maximize the organization’s ability to respond to and recover from a cyber incident.
A rainbow team approach can be utilized as part of a perpetual program to continuously develop an organization’s cyber security capabilities, and build resilience in response to the latest threats. The cyclical, cross-specialism activities used in the rainbow team framework are fundamental to any organization’s continuous cyber security development, regardless of how or when they are deployed.
Each cycle through the rainbow will evidence improvements in cyber resilience. However, it is important to recognize that there is no end-state: just as defenders improve, attackers (both real and simulated) will develop and utilize the latest TTPs designed to overcome defensive innovations. This is the true definition of an Advanced Persistent Threat (APT).
Before launching a rainbow team program, organizations will benefit from being cognizant of emerging and evolving threats by subscribing to contextual and relevant Threat Intelligence (TI) feeds (in-house or external). Firms would do well to assess their ability to consume and action such TI in order to drive Blue and Purple Team development activities – for example, staying ahead of emerging attacker TTPs and advanced detection techniques to rapidly update detection rules based on newly discovered technical Indicators of Compromise (IoC). This will naturally increase the organization’s level of preparedness for the latest threats – whether faced during a simulated Red Team, or real-life incident.