Cybersecurity strategists love quoting ancient Chinese military strategist Sun Tzu, who wrote the book on warfare.
“If you know others and know yourself, you will not be imperiled in a hundred battles,” he said. “If you do not know others but know yourself, you win one and lose one.”
Companies should think about that when setting up cybersecurity war games. Smart companies hold red teaming exercises, where a red team tries to attack a network and a blue team tries to stop it. But if those two teams focus only on their own needs and don’t interact properly with each other, they could do more harm than good, say experts. Welcome to the world of purple teaming.
If you’re already using red and blue teams, then you’re ahead of the curve. You’re actively gaming your own security to find weaknesses in it before someone else does, and then hopefully plugging them. The problem with this approach is that red and blue teams don’t always want to co-operate with each other, warns Haydn Johnson, senior penetration tester at KPMG. He and fellow security pro Chris Gates gave a joint talk at SecTor 2016 on the nuances of purple teaming, which you can see here.
“A red team or a pen tester may smash and grab and file a report,” he says, arguing that in adversarial engagements, the two may not want to give anything away, because office politics may get in the middle.
In many cases, there is a high degree of animosity between two teams, each of whom wants to ‘win’. Depending on the company culture, the stakes may be high. “The blue team may think ‘if they find any holes, my job’s on the line’,” he says.
That can play out in strange ways. He recalls some red teaming experts describing blue teams that would temporarily disable an internal red team’s IP addresses or even disable PowerShell on their specific machines. What does that accomplish, though, in real terms? Such short-term victories for the blue team are entirely Pyrrhic; they don’t help strengthen their defences in the long term, because they won’t see the real attackers coming.
Josh Zelonis, senior analyst at Forrester, says that if your red and blue team are locking horns, they’re doing it wrong. “Red teaming without engaging the blue team has no value to the organization, and it’s possibly detrimental,” he warns.
Companies engaging in red teaming exercises should be motivating both teams to work with each other. They should cover as many attack eventualities as possible, and collaborating to see what the blue team’s response was and how it can improve, explains Johnson.
“When a red team attacks a blue team, they can work together from the beginning to the end and do gradual iterative improvement instead of handing in a report at the end,” he says. “It’s much more valuable that way.”
This is why in their talk, Johnson and Gates argue that red teams with a more purplish hue should be aiming to get caught. The point isn’t to make your ‘opponent’ look bad. The point isn’t to be an opponent at all. The point is to trigger alerts and see what their response is (and also to identify those events that didn’t generate an alert at all).
“Just because you have a light turn on in your SOC saying ‘this is probably bad’ doesn’t mean that anything happened in response to that,” Zelonis says. He describes mitigation strategies as a sieve, and incident response as something to mop up those events that inevitably fall through it. “The important part of that collaboration is to identify where things are slipping through.”
To this end, it’s important to create stopping points where the teams come together and discuss what they’ve been doing. The red team can explain what attacks it tried, and the blue team can explain what events they triggered on its side, and and how it responded.
Getting red and blue teams to collaborate properly relies on a company culture that doesn’t embrace blame and look for scapegoats. “If your company is operating in an adversarial type of environment, where you need to specify purple teaming because your red and purple teams are not working together, there’s something wrong,” Zelonis warns.
Encouraging blue and red teams to be grown-ups and work together involves identifying a common goal and rewarding each team for supporting it, points out Johnson. If you reward the red team for infiltrating the company and reward the blue team for blocking it, then you’re setting yourself up for failure. If you incentivise them to learn and produce an informed plan to improve their alerting, mitigation and response operations, you’ll be keeping morale high and producing actionable results.
“The internal blue team and red team culture needs to change,” concludes Haydn. “It’s about a mature approach to security.”
2500 years after Sun Tzu walked the earth, it turns out that we can still learn a lot from him.