Purple teaming is starting to become the new favorite approach when it comes to security testing. Organizations are seeing the benefits of the collaboration between the red and blue teams in validating security controls. By enabling the sharing of insights between red and blue teams, organizations achieve more thorough security evaluations that lead to a better security posture.
“Purple is the symbiotic relationship between Red and Blue in a way that improves the security of the organization, constantly improving the skill and processes of both teams,” said Walmart Director of Incident Response and Hunt Jason O’Dell in an RSA Conference session as he explained how the world’s largest retailer improved their cyber resilience. Walmart is one of the biggest global organizations that employ purple teaming.
The company has been the target of numerous hacking attempts. In 2005 and 2006, cybercriminals managed to siphon sensitive company data, including its POS source code, from its headquarters to a computer in Europe. Early this year, the company suffered another serious attack that resulted in the theft of a subsidiary’s backup database.
Given this history, it may surprise many to learn that Walmart’s newest defense against cyber-attacks has a natural affinity with hacking. The very approach the company uses to protect itself against hacking and other forms of cyber assault is strengthened by embracing the hacking culture.
Purple teaming and the hacking culture
While many companies prefer to invest in a purple team simulation module, some still prefer to employ manual purple teaming, and surprisingly, hire hackers for the job.
The unlikely relationship between purple teaming and hacking was discussed in a Microsoft Voice of the Community blog post featuring Microsoft Product Marketing Manager Natalia Godyla’s interview with Hacker House CEO Matthew Hickey. The discussion focused on how purple teams can adopt the hacker culture to improve cybersecurity.
“Hiring hackers to join your purple team used to be taboo, yet hackers often make excellent defenders. Embrace hacking because it’s a problem-solving mentality,” Hickey said. The cybersecurity expert acknowledged how valuable hacker perspectives and strategies are to purple teaming and, through it, to enterprise security.
“The information is out there, and your attackers already know it. You might as well know it too, so hire hackers. I’ve heard people say hackers are the immune system for the internet when describing how their behavior can be beneficial,” Hickey added.
Working with those who have an extensive understanding of the techniques and tactics in penetrating security systems is not a new approach in security testing. This has been undertaken with the implementation of red teams. Organizations hire white hats to attack their systems and evaluate their cyber defense’s effectiveness. However, the conventional idea of separate red and blue teaming means that these two never interact or share insights.
This separate and independent red and blue teaming arrangement has the advantage of simulating what is actually happening on the ground. After all, hackers and cyber defense teams never coordinate with each other. However, sticking to this simulation of the real-world threat situation can be inefficient and costly. It would take a lot of time and exhaustive efforts on both sides to explore all possible attack scenarios.
In contrast, if the red and blue teams collaborate, they are more likely to cover more ground. The red team can provide hints or even orient the blue team on how they successfully defeated security controls. In return, the blue team can offer insights on how the red team can tweak or retool their attacks to exploit vulnerabilities or defeat protections.
In a way, purple teaming promotes the integration of the hacking culture in security assessments to speed up testing outcomes and examine more variations or evolutions of attacks in an efficient manner. As Hickey said, “purple teams are typically constructed as an internal resource, which can reduce reaching out to external experts for advice.”
Hacking culture in cybersecurity testing platforms
Those who have tried using cybersecurity testing platforms most probably have seen purple team modules or functions as they undertake tests. These modules generate security information and insights, particularly on adversarial techniques and tactics, to guide cybersecurity teams on the weaknesses they need to address in their systems.
These purple team modules can be used to create and automate security control assessments that help optimize defenses for an organization’s specific environment, processes, and scenarios. They can execute tests on a recurring schedule, including importing and modifying payloads and executables, and they can chain test executions so that one test’s output feeds the next test’s input and dependencies between tests are respected.
It is also worth noting that many security solutions have integrated the MITRE ATT&CK framework into their security testing routines. The framework is an important tool for staying current with recent cyber attacks and the methods or schemes they employ to breach security controls, and it emphasizes the need for organizations to be aware of harmful activities observed throughout the full cyber kill chain.
Purple teaming with MITRE ATT&CK is like having a guided tour of the latest strategies cybercriminals are using to assail the cybersecurity of organizations. However, simply having these tools does not equate to embracing the hacking culture to fortify enterprise security. They only serve as tools that enable better mindsets and greater agility in cyber threat detection and response.
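To make the two preceding paragraphs concrete, here is an added Python sketch of what a purple-team module’s “execution chaining” and ATT&CK tagging boil down to. It is illustration code written for this article, not code from any testing platform, from Walmart, or from Hacker House. The ATT&CK technique IDs are real, but the test cases, the telemetry events they “emit”, and the detection rules are all constructed; nothing is executed on the host, each test merely produces the event a real control assessment would generate, so the harness can be run offline to see how dependency ordering, chain breaks, and per-tactic coverage reporting fit together.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Hypothetical types for this illustration (not from any real platform).
Event = Dict[str, str]                      # one telemetry record a test produces
Outputs = Dict[str, Event]                  # outputs of earlier tests, keyed by test id
DetectionRule = Callable[[Event], bool]     # blue-team rule evaluated over one event


@dataclass
class TestCase:
    test_id: str
    technique: str                      # MITRE ATT&CK technique ID (real IDs below)
    tactic: str                         # ATT&CK tactic the technique sits under
    emit: Callable[[Outputs], Event]    # builds this test's event, may read prior outputs
    depends_on: Optional[str] = None    # execution chaining: required predecessor test


def order_by_dependency(tests: List[TestCase]) -> List[TestCase]:
    """Return tests in an order that runs every dependency before its dependents.
    Unknown or cyclic dependencies raise instead of silently dropping tests."""
    by_id = {t.test_id: t for t in tests}
    ordered: List[TestCase] = []
    done = set()

    def visit(t: TestCase, path: frozenset) -> None:
        if t.test_id in done:
            return
        if t.test_id in path:
            raise ValueError(f"dependency cycle at {t.test_id}")
        if t.depends_on is not None:
            if t.depends_on not in by_id:
                raise ValueError(f"{t.test_id} depends on unknown test {t.depends_on}")
            visit(by_id[t.depends_on], path | {t.test_id})
        done.add(t.test_id)
        ordered.append(t)

    for t in tests:
        visit(t, frozenset())
    return ordered


def run_assessment(tests: List[TestCase], rules: List[DetectionRule]) -> Dict[str, str]:
    """Run the chain; each test ends as detected / missed / error / skipped.
    A 'missed' test still succeeded from the attacker's point of view, so its
    dependents run; only an error (or an already skipped predecessor) breaks the chain."""
    outputs: Outputs = {}
    status: Dict[str, str] = {}
    for t in order_by_dependency(tests):
        if t.depends_on and status[t.depends_on] in ("error", "skipped"):
            status[t.test_id] = "skipped"
            continue
        try:
            event = t.emit(outputs)
        except Exception:
            status[t.test_id] = "error"
            continue
        outputs[t.test_id] = event
        status[t.test_id] = "detected" if any(rule(event) for rule in rules) else "missed"
    return status


def coverage_by_tactic(tests: List[TestCase], status: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Aggregate per-tactic counts so detection gaps show up per kill-chain phase."""
    report: Dict[str, Dict[str, int]] = {}
    for t in tests:
        bucket = report.setdefault(t.tactic, {"detected": 0, "missed": 0, "error": 0, "skipped": 0})
        bucket[status[t.test_id]] += 1
    return report


# --- Constructed sample assessment: events are synthetic, nothing runs on the host ---
SAMPLE_TESTS: List[TestCase] = [
    TestCase("disc-1", "T1082", "discovery",
             lambda out: {"process": "systeminfo.exe", "cmdline": "systeminfo", "host": "WS-01"}),
    TestCase("exec-1", "T1059.001", "execution",        # chained: uses disc-1's host value
             lambda out: {"process": "powershell.exe",
                          "cmdline": f"powershell -EncodedCommand <blob> on {out['disc-1']['host']}"},
             depends_on="disc-1"),
    TestCase("persist-1", "T1053.005", "persistence",
             lambda out: {"process": "schtasks.exe", "cmdline": "schtasks /create /tn Updater"},
             depends_on="exec-1"),
    TestCase("collect-1", "T1005", "collection",        # constructed failure: prerequisite
             lambda out: {"process": "cmd.exe", "cmdline": out["missing"]["path"]}),  # output absent -> KeyError
    TestCase("exfil-1", "T1048", "exfiltration",        # depends on the failing test -> skipped
             lambda out: {"process": "curl.exe", "cmdline": "curl -T <archive> <remote>"},
             depends_on="collect-1"),
]

# Constructed blue-team rules standing in for SIEM/EDR detections.
SAMPLE_RULES: List[DetectionRule] = [
    lambda e: e["process"] == "powershell.exe" and "-encodedcommand" in e["cmdline"].lower(),
    lambda e: e["process"] == "schtasks.exe" and "/create" in e["cmdline"].lower(),
]

if __name__ == "__main__":
    st = run_assessment(SAMPLE_TESTS, SAMPLE_RULES)
    for test_id, s in st.items():
        print(f"{test_id:10s} {s}")
    print(coverage_by_tactic(SAMPLE_TESTS, st))
```

Run as-is, the report shows the discovery step missed (no rule covers it), the execution and persistence steps detected, the collection step in error, and the exfiltration step skipped because its predecessor never produced output. That last distinction is the point of chaining: a “skipped” test says nothing about the control behind it, so it must be reported separately from a “missed” test rather than counted as coverage.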
Embracing the hacker culture in cybersecurity goes beyond the use of tools that promote threat-informed cyber protection. It requires relevant education and training to ingrain in the cybersecurity team the need to always be updated with the latest threats, persistent in validating security against these threats, and ingenious in detecting and blocking attacks.
Organizations therefore need to be able to react intelligently to threats as they emerge. The MITRE ATT&CK framework and purple teaming modules do not serve their purpose if cybersecurity teams fail to respond to security alerts accordingly. Using purple teaming does not by itself amount to embracing the hacking culture to enhance an organization’s security. It is only the start, though a crucial one.
A culture of persistence, up-to-dateness, and ingenuity
Essentially, embracing the hacking culture in security testing requires an emphasis on the perspectives of attackers. It implies not just a higher level of awareness of adversarial techniques and tactics but an acknowledgment of how persistent and creative attackers can be. This is why cybersecurity testing platforms nowadays no longer settle for periodic testing; many already perform continuous automated evaluations.
In line with the hacker mindset of relentlessly launching attacks and creatively exploiting vulnerabilities, purple teaming helps organizations develop the tenacity to continuously look out for new threats and tirelessly make sure that security controls hold up against them. Purple teaming greatly helps cybersecurity teams mirror the attitude and skills of hackers, making them better equipped for continuous security validation, current with the latest threat intelligence, and ingenious and efficient in the way they respond to threats.