This is the first in a series of blogs that will describe the importance of conducting Red and Purple Team exercises. The first entry in the series gives an overview of how to properly conduct these drills with follow on blogs diving deeper into the specifics of Red and Purple team maneuvers.
The first realization most organizations have that their cybersecurity is, let's say, subpar generally comes right after it has been hit by a devastating attack. In many cases, security teams are baffled that the measures they had put in place to defend their organizations were ineffective.
At first glance, one might believe confusion is warranted because, after all, the security software the victim purchased was expensive, the staff was diligent in patching, and they taught their workers to be wary of odd-looking emails.
So, what went wrong?
Too often, an organization's first mistake is not testing its people, policies, procedures, and systems in a real-world scenario. Sports teams typically have pre-season games to work out their players and strategy to see if these elements come together into a coherent unit that will win once the season begins. The same should be true for security in all its facets.
This is where Red and Purple team testing comes into play.
However, unlike a Spring Training baseball game, a Red or Purple team event is a no-holds-barred, nasty attack designed to place the defenders on their heels and then attempt to break them using any fair or unfair method. This can include cyberattacks, physically scouting or penetrating a facility, generating fake personas, and getting in touch with employees, including the CEO.
But before one can put a client through this type of experience, its security team must prepare.
Purple Team: The Practice Before the Practice
A Purple Team exercise is the first step a security provider and its client should take.
As the color suggests, Purple Teams fall in between Red and Blue Teams. The Purple Team is often made up of security analysts or senior security personnel from the third party or from the organization itself.
This event is essentially a controlled scrimmage during which we manipulate the situation to place the defenders in the worst position possible. By having someone from the client help direct the attack, we can give the Blues a taste of what is to come during the Red Team exercise or in a real-life attack.
At Trustwave, we use a Purple Team as a teaching opportunity more than an adversarial engagement. For example, we often have the client pick a particular tactic from the MITRE ATT&CK framework, begin a controlled attack, and walk them through what we are doing and how they should respond.
At the end of the day, the Purple Team will analyze how the Red and Blue Teams worked together and make recommendations for future efforts.
So, how does a Red Team attack take place?
Setting the Stage
Red Team engagements are attacks conducted by an outside security firm playing the role of an enemy. Sometimes a Red Team is put together using an organization's people, but in most cases, a security team is brought on to conduct the engagement.
Still, in each case, their goal is to give the in-house IT staff, known as Blue Team, a chance to identify and react to realistic cyberattack scenarios.
Red Team attacks are not a pleasant experience. The attackers do their best to use the latest real-world tactics and tools to rip into an organization in an all-out attack and present the security staff with their CISO's worst-case scenario: a total disaster that endangers the entire company and its assets.
A Red Team Simulation Synopsis – How Trustwave SpiderLabs Conducts a Simulated Attack
There is nothing like having first-hand access to what our experts have learned in the field. Learn the tactics used in a Trustwave SpiderLabs red team in this short video as John Cartrett, head of our SpiderLabs North America team, describes the methods the team used to infiltrate and exploit an environment, simulating malware propagation throughout an organization.
The primary focus is to find flaws in the people, processes, and technology the target organization has in place. This activity mimics what cyber gangs like REvil, DarkSide, or a nation-state-sponsored attacker would do during an attack.
The client's in-house security personnel, or the Blue Team, acts as the defender. The Blue Team makes its stand in the organization's Security Operations Center (SOC).
The expectation is for the Blues to detect, fight, and defeat the Reds. The goal of the mock attack is to enhance the Blue Team players' skills by exposing them to a real-world attack.
Prior to an attack, the client decides which aspects of its defense it wants the attacker to test. These goals can include checking its employee's ability to spot a phishing attack, or if it's a manufacturer, it could be protecting access to its SCADA environments or CAD drawings. If the client is in financial services, account numbers might be the target.
In each case, the Red Team will do its best to accomplish these goals while the Blue Team attempts to fend them off.
There are two types of processes generally used during a Red Team engagement. The first is a full-scope attack that takes about a month to run: the Red Team breaks into a network using various tactics, techniques, and procedures and gathers as much information as possible. The other assumes the role of an insider threat, and the attack proceeds from that perspective.
A full-scope scenario lasts about five weeks and will cover everything from studying the company's available information from places like LinkedIn to potentially sending people to scope out the target's facilities.
First, we look at the external attack surface. Which of the client's web servers and assets are exposed to the Internet and directly accessible? We will look at their employees on LinkedIn and other social media sites to see what information we can gain about the organization. We then go through a phase called Open-Source Intelligence, where we gather information about the company, how many locations it has, who the employees are, and where we can potentially interact with an employee from a trusted perspective to gain the knowledge needed to gain entry.
The next phase focuses on social engineering. We pick up the phone and call people, send staffers emails, text them, and hit folks up on social media. If there's a physical aspect to the contract, we'll send two guys on-site to do a physical reconnaissance for specific locations. Here they will look at the wireless technology being used to see if there's a way to breach the organization from that angle.
We then use the information gathered to launch a phishing attack, or obtain login credentials through a phone call, password spraying, or even through a vulnerability found on a public-facing website. The weaknesses that we can exploit are common across many engagements: employees using weak passwords, organizations either not utilizing or not enforcing multi-factor authentication, and workers clicking on links and documents in emails are prime entry points.
Once we gain entry to the network, the internal phase of the test begins.
We conduct reconnaissance of the system to understand where we're sitting on the network, what we have access to, and once we understand our surroundings, we look at how we can maintain access in case we are discovered and locked out.
At this point, we will have at least a standard user credential, and we'll pull all of the data out of Active Directory that we can. We collect all usernames, email addresses, groups, and machine names.
Once the Red Team has reached the client's preset goals, the active part of the exercise ends. We then present an extensive report on our activities, pointing out weaknesses and how we managed to obtain access.
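The weak-credential entry points named above (password spraying against accounts without enforced MFA) are exactly what the Blue Team in the SOC is expected to catch. As an added example, not Trustwave's code or tooling, here is a source-pivoted password-spraying detector run over constructed authentication log lines; the log format, thresholds, and IP addresses are assumptions.

```python
"""Password-spraying detector for authentication logs (defender's view).

A spray (MITRE ATT&CK T1110.003) tries a few passwords against many
accounts, so per-account lockout thresholds never fire. Pivoting on the
source instead of the account exposes it: one source, many distinct
users, few failures per user, inside a short window.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from a real environment):
# "<ISO timestamp> <username> <source ip> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice 203.0.113.7 FAIL
2024-03-01T09:00:03 bob 203.0.113.7 FAIL
2024-03-01T09:00:05 carol 203.0.113.7 FAIL
2024-03-01T09:00:07 dave 203.0.113.7 FAIL
2024-03-01T09:00:09 erin 203.0.113.7 FAIL
2024-03-01T09:00:11 frank 203.0.113.7 FAIL
2024-03-01T09:00:13 grace 203.0.113.7 SUCCESS
2024-03-01T09:05:00 alice 198.51.100.4 FAIL
2024-03-01T09:05:02 alice 198.51.100.4 FAIL
2024-03-01T09:05:04 alice 198.51.100.4 SUCCESS
"""

def parse(text):
    # Each line becomes (timestamp, user, source, result).
    return [(datetime.fromisoformat(ts), user, src, res)
            for ts, user, src, res in (l.split() for l in text.splitlines())]

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Map each spraying source IP to the sorted list of accounts it hit:
    >= min_users distinct accounts failed within `window`, none failing
    more than max_per_user times (many users, few tries each)."""
    fails_by_src = defaultdict(list)
    for ts, user, src, res in events:
        if res == "FAIL":
            fails_by_src[src].append((ts, user))
    hits = {}
    for src, fails in fails_by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):  # slide the window over each failure
            per_user = Counter(u for ts, u in fails[i:] if ts - start <= window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[src] = sorted(per_user)
                break
    return hits

def successes_after_spray(events, sprays):
    """Accounts that authenticated successfully from a spraying source:
    the first thing to check, and where enforced MFA would have stopped it."""
    return sorted({u for _, u, src, res in events if src in sprays and res == "SUCCESS"})
```

Note that the second source (two failures against one account, then a success) is deliberately not flagged: that is a per-account pattern a lockout rule already covers, while the spray rule targets the one that lockouts miss.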