Purple Team like you’re preparing for war
Should Winston Churchill have trained his army to fight the Chinese during the war against Hitler and the Germans, he would not have had the success he did. When you saturate a SOC with successfully mitigated alerts to report on , and force your pen-testers to run post production web app scans continuously, you are training your defence for the wrong enemy, the wrong battle and setting yourself up for imminent failure.
“Simply running a purple team exercise will train and develop your internal offence and defence like nothing else can.”
It is expected that organizations run penetration tests now, which is great, as it shows that they really are taking security seriously. However, the structure of these tests needs a huge overhaul, as it stands the Red Team (RT) launches an isolated attack in order to exploit a vulnerability in a company infrastructure. Meanwhile the Blue Team (BT) are informed of the activity and tasked with defending against the RT, a known none-malicious threat. SLA’s (service level agreements) and the workload does not changed during this time, so there is little encouragement for a blue team member to switch from BAU (business as usual) and concentrate on RT activity. All the while the organised RT attack is potentially acting somewhat like a smoke screen to real threats that the company may also be facing, threats that may already be in the network. It’s usually the case that the BT miss a couple of things and the exercise is treated as a success from the RT perspective and a failure from the BT perspective.
Little is learned from the entire activity and the C level execs get a nice shiny report with some pie charts on. The same thing happens in 6 months to a years time with little change in outcome, but all the while providing reliable and regular work for the consultancies engaged to perform the RT function.
What I am proposing with purple teaming (PT) is taking the red team activity and making it stronger, combining it with threat intelligence, and internal intelligence gathering. Pulling in the blue team (BT) and actually getting some tangible benefit from the cyber security industry and apply it to your business moving forward. Conducting a purple team activity correctly will leave you in the strongest defence position you’ve ever been in, and will save you money in the long run.
Imagine if you could use reliable intelligence to study your enemy, predict their next move and remain strong during a battle? We’ve all heard those comments from CISO’s and senior managers alike
“if advanced threat actors want to get in, there going to, they’re is no point “wasting” resources trying to defend against them.”
Well, isn’t that just defeatist. I’m so glad Winston Churchill didn’t have that mindset. “Why bother?” — is not a defence plan. Learn how to fight a new kind of war, and build the machines this new kind of war requires.
Find out how to gather intelligence yourself, starting with the MITRE ATT&CK framework here.
Purple Teaming gives you the opportunity to run manoeuvres, practice your strategy, plan your deception, harden your defences and keep your team combat ready. If you want a basic over view of what purpleteaming actually is, and how to run a purpleteam function on a zero budget check out one of my earlier articles here.
Let’s have a look at what we, in the cyber security industry can learn from military strategy in the preparation of defence, and what we can learn from the actions of aggressive nations in the past.
Reduced spending and a reduction in soldiers equates to a weakened defence capability. Having 1 soldier, when you need 10 isn’t solved by throwing more guns his/her way and crossing your fingers hoping for the best. So why in cyber security do we have such a fascination with throwing more tools at a problem instead of making intelligence-based decisions? I understand that money is the core of the issue for most decision makers, but surely we all genuinely want a safer infrastructure for us all to do business in?
We can liken the home guard currently being trained and encouraged to bear arms in Latvia with the aim of defending the borders against what they see as an imminent Russian threat, to the training and awareness side of purple teaming. The end users in your ecosystem may not be the ones augmenting battle and, actively engaging in purple teaming but they play a fundamental role in the defence of your organisation. We know that email phishing campaigns are among the most prevalent attack vectors in advanced attacks and these can come in many formats, with a multitude of different complexities. We have to equip our home guard, our end users with the techniques and knowledge they need in order to defend the organisation’s Crown Jewels (CJ’s) from the periphery inward. A purple team does not traditionally deliver training and awareness to the wider business BUT it can certainly identify areas where that training and awareness (TnA) should focus.
It’s better to have something and not need it than to find yourself caught short when an attack strikes. Take Poland for example, they have spent the years since the alleged Russian attack on Ukraine buying up hardware in the form of tanks and submarines, and have gone one step further to build their own, increasing manufacturing in Poland and further hardening their infrastructure financially as a result (gotta love the Poles). Now I’m not saying go out and buy loads of gadgets BUT Know what is on your network. I guarantee that you have a multitude of unused functionality at your fingertips, get to grips with it. Windows and Linux come with logging and monitoring capabilities, PowerShall gives you the ability to control your network with basic scripts, so if you use what you already have to its potential you are off to a solid and cheap start.
Know your enemy
The whole point of having a spy behind enemy lines is to learn about your enemy. Understanding the cultural disposition of the enemy is a huge benefit and having influence over the cultural development of a nation is a huge benefit when understanding how they will react long term. We don’t have the ability to go and knock on Fancy Bear’s cave and ask to shadow them during an operation, but, PT gives us a similar capability. Through the threat intelligence gathering conducted prior to any PT engagement we can learn who may see us as a viable target, what tools they use and what techniques they employ, where they originate from and where they operate, and where they aim, and maybe most importantly why they pick their targets.
Identify your critical assets
WWII gives us a fantastic example of strategic defence. Germany had built an impressive fleet of motorised vehicles and produced an army that was dependent on them. Germany quickly found themselves in a tricky situation when they quite literally ran out of oil. The oil dependent machinery was rendered pretty much useless after Great Britain’s naval blockade in 1940 blocked oil imports from the Americas to Germany. Germany’s Crown Jewel was oil that wasn’t on their land, it was in the cloud so to speak, resident on someone else’s computer (or under someone else’s land in this case . . . ). Unsurprisingly Hitler invested in synthetic oil and although it helped, it was expensive and slow to produce. In what was probably a brazen but common-sense move, in 1941 Hitler decided to attack the Soviet Union and attempt to take the oil fields (Caucasus) with the aim of fueling the war and any later wars. Because Hitler was aware of the Crown Jewels of the Soviet Union he saw no benefit in attacking Moscow for anything other than vanity. He ordered his generals to invade the Caucuses, but General Franz Halder went against Hitler and invaded Moscow, something that is arguably the pinnacle moment that lost the Germans the second world war. The Soviet’s anticipated an act of war on their capital and were ready to defend it, furthermore they anticipated Germans need for oil and pushed a small German division out of the oil fields too. The Soviet’s understanding of their own critical assets meant they were in a strong position to defend themselves. Germany’s failure to anticipate the pipeline by which their Crown Jewels lay weakened them beyond recovery.
We can learn a lot from this, not only identifying your critical assets but also understanding their robustness, what they themselves rely on and how they are stood up is key. And where they reside, It’s important to also understand how much control you have over them and how quickly you can regain that control if it is lost. The last thing you want is to literally run out of gas mid fight.
Use what resources you have available
The Soviet–Afghan War lasted just short of 10 years, from December 1979 to February 1989. Soviets and the Afghan government were fighting the US-backed insurgent groups known collectively as the Mujahideen. When the Soviets withdrew, they Abandoned many Soviet T-55 tanks in the countryside of Afghanistan. It is now the Afghan military who have recycled these out-of-date relics, keeping them going through cannibalising parts from completely dead tanks, to keep the rusty but still functional tanks going. Their lone tank battalion is currently used during internal conflicts.
Now I’m not saying go out and find rusty old tool sets, but this is a prime example of using what you have available and making the most of it. Learn to use what you have for what you need and add in tools to cover blind spots you find during purple teaming exercises. This is the point. You are identifying areas of weakness through purple teaming, so don’t go out and spend a load of money without understanding why you need it and where you’d best place it. Have a look here at some changes you can make to your Windows 10 gold build to mitigate attacks
Exploit guard is shipped for free in Windows Defender and very few people are making the most of it. Here is a Linux server hardening checklist I found from a quick google search.
Using Windows Remote Management in Incident Response is perfectly fine if your environment permits, and you lock its use down properly. You may be in an environment where external tools with agents are needed, but find out what you can achieve by ‘living off the land’. Your attackers will, so get to know your operating systems, native tools and their functionality. Make the most of what you’ve got and supplement where possible, piling tool on top of tool on top of tool increases your attack surface and increases your exposure. Remember just because you spend a quarter of a million pounds on a new tool, doesn’t mean your attackers don’t know how to leverage it too.
Secure the perimeter
You should have already done this, and most will have, even if only to the standard defaults. Better than a kick in the groin.
Connisbrough castle is a perfect example of peripheral defences for the purpose of battle.
It’s on a hill, it gives visibility of incoming attack, it is surrounded by a moat that further sought to act as defence in depth (literally!) and makes the job of attackers notably harder. With a unique round design, it gives a much needed 360 view of the surrounding countryside. With a huge drawbridge and colossal external gateway, at the time it would have been a mammoth task for any attacking army to take a strong hold. Britain’s historic landmarks are beautiful and impressive architectural accomplishments but many of them served a much more practical purpose, they gave wide visibility and the ability to defend at short notice.
Although it didn’t do the owners much good in 1317 when it was besieged and captured by Thomas, Earl of Lancaster, in a private war over a love interest, (ill you to read that one).
What can we learn from the preparations for battle in the 1300’s? Well as it turns out quite a lot. . .
Visibility was key and in cyber defence it is too. You cannot run productive purple teaming without visibility of your network, or in castle speak “land”. For an attacker to gain a foothold on your network they first need to bypass peripheral defences, presuming there are some that is. Defence in depth is a cliche term for a reason: it’s true and it stood the test of time. Just like a moat, a drawbridge, a snout of an entrance and tall posts to neutralise the enemy from a great height, you need; visibility of incoming traffic with IPS systems, internal firewalls and network taps, limited points of entry (like the draw bridge, which you have the explicit power to close during an attack), preventing someone of unverified trust past the entrance. Also having the ability to safely neutralise threats will not only prove yourselves sufficient in defending your realm against your most likely attackers, it will put you in good stead to squash any future attackers from yet unknown sources.
Make your workforce you’re militia
Estonia and Latvia, among others take training their population to resist an invitation very seriously. Lithuania has issued a ‘civil defense book’ to its population to advise on how to handle a Russian invasion. These are all very recent examples of training your people to increase your chances of success in defence.
A purple team exercise, at its simplest, involves a member of the blue team or a SOC analyst, a pentester and a purple team mediator. But it’s important to realise that the human involvement is much wider than these 3 people. Although a PT exercise is transparent and not in the least bit elitist in its delivery, it will undoubtedly involve other players. An attempt at running a ‘sudo’ command while not being in the sudoers file is likely to raise the attention of a security conscious sysadmin, changing a stolen accounts password and subsequently locking out a valid user will again trigger a call to the IT helpdesk, triggering a minor investigation. All of these oddities depend on humans to notify and act, if they were to not do that an attacker could increase their foothold in a shorter space of time.
Training that sysadmin on only email hygiene and drive by downloads is not a proper investment in that person usefulness to the company. Training that person on social media security, the importance of patching and updating reliably and performing audits of the sudoers file are all things that are specific training and awareness requirements for that person’s role. The end users are your militia, they don’t have to be security trained to make a significant impact on the wider defence capability but they can certainly contribute, even if unknowingly, especially if they are equipped to do so.
Training and awareness that meets the needs of specific teams is something that purple teaming can highlight a lack of, paving the way for you to implement more relevant information exchanges and not waste resources on a generic click box Cyber Awareness Training LMS.
POST purple team fun
To add a little war game spy thriller pizzazz to the work environment, why not use the output of a purple team exercise to enlist the use of deception technologies. This need not be super expensive, creative thinking is key.
The aim of deception is to lure the enemy to decoy assets. From the attacker’s perspective they think they’ve hit the jackpot, but you on the other hand have an exciting opportunity to learn. This can be done through deploying honeypot systems, data and honey nets, otherwise known as traps in this context. Whilst navigating the decoy environment an attacker gives away information on their behavior.
“Winston Churchill deliberately encourages spies with corkscrew minds because he knew Hitler thought in straight lines.” [https://youtu.be/hBk3sSUB5X4]
Now I’d love to tell one of the worlds most thrilling war time deception stories but I’ll leave that to Even Andrews who described this impeccably on behalf of the History channel.
“During World War II, British intelligence officers managed to pull off one of the most successful wartime deceptions ever achieved: Operation Mincemeat. In April 1943, a decomposing corpse was discovered floating off the coast of Huelva, in southern Spain. Personal documents identified him as Major William Martin of Britain’s Royal Marines, and he had a black attaché case chained to his wrist.
When Nazi intelligence learned of the downed officer’s briefcase (as well as concerted efforts made by the British to retrieve the case), they did all they could to gain access. Though Spain was officially neutral in the conflict, much of its military was pro-German, and the Nazis were able to find an officer in Madrid to help them.
In addition to other personal effects and official-looking documents, they found a letter from military authorities in London to a senior British officer in Tunisia, indicating that Allied armies were preparing to cross the Mediterranean from their positions in North Africa and attack German-held Greece and Sardinia.
This intelligence coup for the Nazi spy network allowed Adolf Hitler to transfer German troops from France to Greece ahead of what was believed to be a massive enemy invasion. The only problem? It was all a hoax. The “drowned” man was actually a Welsh tramp” [EVAN ANDREWS 2018]
Conclusion:
So now I’ve said all of this and got you all excited about going to war, you’re full of drive to go to the office and speak to those key stakeholders and get this off the ground, but what if you have a leader lacking vision, or a penny pinching wallet holder? How do you get that budget holder who couldn’t care less on side? — well that is another post.
A bit about th4ts3cur1ty.company:
Unlike other providers we don’t identify areas of weakness and leave, we identify and then harden, or work with your internal teams to harden your defences. We have templates specific to different industries and we add in very bespoke sections to account for details related specific to the customer. To find out more click here.
References:
https://www.rand.org/pubs/research_reports/RR1253.html
https://www.wearethemighty.com/articles/russia-war-ukraine-latvia-estonia-poland-prepare
https://www.youtube.com/watch?v=kVo5I0xNRhg&list=WL&index=18&t=1s
https://www.youtube.com/watch?v=f2TRMeQXlTs
https://www.stripes.com/news/afghanistan-s-tank-battalion-is-melting-away-1.543030
