With the constant threat of cyber attacks looming, the old adage "It's not a matter of if you're going to be breached, it's a matter of when" still rings true. It's no secret that the number of cyber attacks against organizations has sharply increased, and that the damage per incident keeps growing. Meanwhile, the attack surface is rapidly expanding, leaving a wide open door for attackers to wreak havoc on the network.
The numbers bear this out. According to Symantec's Internet Security Threat Report 2017 [1], 100 new malware families were identified, more than triple the number seen the year before. The U.S. Department of Justice's Computer Crime and Intellectual Property Section (CCIPS) [2] reports that more than 4,000 ransomware attacks have occurred every day since the beginning of 2016, a 300 percent increase over 2015.
Growing adoption of cloud services also broadens the attack surface, exposing systems that were never meant to be reachable from the internet. The MongoDB ransom campaign that began in late 2016 is the textbook case: tens of thousands of internet-facing, often cloud-hosted MongoDB instances were wiped and held for ransom because operators had left outdated versions listening on public interfaces with authentication turned off. No exploit was needed; the attackers simply connected, deleted the data and left a ransom note. The defense is equally unglamorous: enable authentication, bind the service only to the interfaces that actually need to reach it, and keep it patched.
To address an increasingly treacherous threat landscape, many organizations rely on both a red team and a blue team, which work respectively as offense and defense to protect the network and its data from attack. The red team emulates adversaries, finds weaknesses and exploits the organization's defenses; the blue team detects that activity and responds to it.
Today, having a red team and a blue team working together effectively is not a luxury but a daily necessity for companies large and small. When the two teams work together well they can, ideally, address the full spectrum of weaknesses in the organization's network that would otherwise leave it open to attack.
That said, both teams need the right tools. Both rely on automation, which lets them work in tandem in what might be called an offensive-defense approach. Beyond creating efficiencies and cutting costs, automation lets the red team exercise the defenses continuously rather than once a year, so weaknesses surface before a real breach exposes them. It also lets the blue team monitor the attack surface continuously and steadily improve the organization's security posture.
Red team enablement
While a red team is tasked with testing an organization's defenses, it rarely has the people or time to keep up with the pace of real threats. An under-resourced red team tests only occasionally, so weaknesses are found reactively, often only after an adversary has already exploited them, rather than found and fixed ahead of time.
That is where automation is most effective. By automating the repeatable parts of an attack scenario, the red team gains the time to run exercises continuously and report weaknesses before an attacker finds them, which reduces both the organization's compliance exposure and the likelihood of a costly, damaging breach.
Breach and attack simulation platforms that can run a wide range of attack scenarios, including the adversary tactics, techniques and procedures (TTPs) most relevant to a given organization, are a necessity, and they are most useful when their results are mapped onto a common framework for describing adversary behavior. The best-known such framework is the ATT&CK matrix created by the MITRE Corporation, a not-for-profit organization that operates federally funded research and development centers. ATT&CK is a knowledge base of adversary tactics (the "why" of an action, such as Persistence or Lateral Movement) and techniques (the "how"), built from real-world observations; the matrix is its tabular view, with one column per tactic. A technique can appear under several tactics because it serves more than one purpose: Valid Accounts, for instance, is listed under Initial Access, Persistence, Privilege Escalation and Defense Evasion. Because ATT&CK categorizes adversary behavior rather than point-in-time indicators of compromise (IOCs), which attackers change cheaply, it gives organizations of all sizes a durable yardstick for assessing the effectiveness of their security controls, processes and people.
Together, a continuously running simulation platform paired with such a framework helps teams detect advanced threats proactively, shows which tactics have no detection at all, and ensures that the critical gaps are prioritized and addressed.
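As an added example, not taken from the article or from any particular product, the following Python script shows what the pairing of a simulation run with the ATT&CK matrix looks like in practice: it takes the techniques the red team executed and the ones the blue team actually alerted on, projects them onto the matrix's tactic columns, and reports per-tactic coverage, unexercised detections, and which missed techniques to fix first. The technique IDs and their tactic assignments are taken from the public ATT&CK matrix; the simulation and detection results are constructed for illustration.

```python
"""Project red-team simulation results and blue-team detections onto the
ATT&CK matrix and report coverage per tactic.

Added example; the simulation/detection results below are constructed.
"""
from collections import defaultdict

# A handful of techniques from the public ATT&CK matrix (ID -> (name, tactics)).
# T1078 and T1053 sit under several tactics, which is the point the matrix makes:
# one behaviour can serve more than one phase of an intrusion.
TECHNIQUES = {
    "T1566": ("Phishing", ["initial-access"]),
    "T1078": ("Valid Accounts", ["initial-access", "persistence",
                                 "privilege-escalation", "defense-evasion"]),
    "T1059": ("Command and Scripting Interpreter", ["execution"]),
    "T1053": ("Scheduled Task/Job", ["execution", "persistence",
                                     "privilege-escalation"]),
    "T1003": ("OS Credential Dumping", ["credential-access"]),
    "T1110": ("Brute Force", ["credential-access"]),
    "T1021": ("Remote Services", ["lateral-movement"]),
    "T1486": ("Data Encrypted for Impact", ["impact"]),
}

# Constructed results: what the simulation platform executed in this run,
# and which technique IDs the SOC's alerts were tagged with.
SIMULATED = {"T1566", "T1078", "T1059", "T1053", "T1003", "T1021", "T1486"}
DETECTED = {"T1566", "T1059", "T1003", "T1486", "T1110"}


def coverage_by_tactic(techniques, simulated, detected):
    """Return {tactic: (caught_ids, missed_ids)} for every tactic in the matrix.

    Only techniques the red team actually executed count: a detection rule
    that was never exercised is not evidence of coverage.
    """
    caught, missed = defaultdict(set), defaultdict(set)
    for tid in simulated:
        _, tactics = techniques[tid]
        bucket = caught if tid in detected else missed
        for tactic in tactics:
            bucket[tactic].add(tid)
    all_tactics = {t for _, ts in techniques.values() for t in ts}
    return {t: (sorted(caught[t]), sorted(missed[t])) for t in sorted(all_tactics)}


def unverified_detections(simulated, detected):
    """Technique IDs the blue team claims to detect but the red team never ran.

    These should go on the next simulation run, not into the coverage figure.
    """
    return sorted(detected - simulated)


def prioritized_gaps(techniques, simulated, detected):
    """Missed techniques, most tactics first: fixing a technique that serves
    four phases of an intrusion closes more of the matrix than one that
    serves a single phase.
    """
    missed = simulated - detected
    return sorted(missed, key=lambda t: (-len(techniques[t][1]), t))


def report(techniques=TECHNIQUES, simulated=SIMULATED, detected=DETECTED):
    """Print a small text matrix; the functions above hold the actual results."""
    print(f"{'tactic':<22}{'caught':>8}{'missed':>8}  missed techniques")
    for tactic, (caught, missed) in coverage_by_tactic(techniques, simulated, detected).items():
        names = ", ".join(f"{t} {techniques[t][0]}" for t in missed)
        print(f"{tactic:<22}{len(caught):>8}{len(missed):>8}  {names}")
    print("\nDetections never exercised:", unverified_detections(simulated, detected))
    print("Fix first:", prioritized_gaps(techniques, simulated, detected))


if __name__ == "__main__":
    report()
```

With the constructed results, Persistence and Privilege Escalation show zero caught techniques even though the overall detection rate looks respectable, which is exactly the kind of gap a per-technique count would hide and a per-tactic view exposes.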
Keeping the blue team on track
Conversely, the blue team's job is to observe the attack surface, identify the gaps, decide how best to handle them and then act to close them. An effective blue team finds the security flaws and protection failures, analyzes the security measures the organization already has in place, and then determines the best plan of action to remediate or close each gap. To do that, it has to keep learning the organization's unique risk profile and the attacker TTPs that follow from it.
To speed up detection and improve efficiency, the red team trains with the blue team, constantly presenting new challenges and threats for it to detect and contain. The blue team in turn learns the techniques and the common weaknesses the red team exposed, and turns each one into a detection or a fix.
Ultimately, organizations need to think strategically about their security approach and whether they are still suffering protection failures. The right strategy differs for every organization, but in general businesses cannot afford to keep taking the same reactive approach of mitigating data breaches after they have occurred. That approach is outdated, inefficient, labor-intensive and costly.
Automation lets red and blue teams adopt a more effective approach: offensive defense. Among other things, it lets both teams analyze their attack surface faster and more thoroughly, and remediate a larger number of protection failures than ever before. That change of approach can be the difference between losing and winning against the cyber adversary.
[1] Symantec (2017). Internet Security Threat Report 2017. https://www.symantec.com/security-center/threat-report [Accessed 8 Nov. 2017].
[2] Computer Crime and Intellectual Property Section (CCIPS), U.S. Department of Justice (2017). How to Protect Your Networks from Ransomware: Technical Guidance Document. https://www.justice.gov/criminal-ccips/file/872771/download [Accessed 9 Nov. 2017].