By: Evan Morris
September 24, 2021
Is Red Teaming Know-how Crucial For Cybersecurity Professionals?
Cybersecurity professionals are like medical doctors. You cannot expect them to know everything about protecting IT assets. Instead, they have specializations or areas where they focus their expertise, such as data loss prevention, IT architecture and policy, governance and compliance, penetration testing, secure DevOps, incident response and forensic analysis, or secure software development.
Independent information security consultant Kevin Beaver makes a fair point when he says that it is unwise to pursue a cybersecurity career without deciding on a particular area of specialization.
"Information security is not just about keeping attackers away: There's an entire life cycle associated with the security and risk management process. From managing the core elements of computers and networks to overseeing the day-to-day work, security requires specialized expertise in various areas," Beaver explains.
But what happens when new trends in cybersecurity emerge? Do cybersecurity professionals take on new skills in response? How do they adapt to the changes in the cyber threat landscape?
The rise of purple teaming
One of the notable trends in cybersecurity is the shift towards threat-informed security testing, which has given rise to purple teaming. Organizations can no longer rely on conventional blue teaming alone to defend their IT resources. Attacks are becoming more sophisticated and persistent. Establishing and optimizing security controls based on conventional cyber defense wisdom will not be enough in the face of more cunning and relentless cybercriminals.
Global professional services firm Booz Allen Hamilton published a paper entitled "The Future is Purple," which explores the strategic importance of reimagining cyber protection by emphasizing threat anticipation and prevention instead of fixating on response and recovery. As a result, purple teams gain prominence as they draw advantages from the collaboration between the attack and defense teams.
"Cybersecurity attacks have become more frequent, severe, and sophisticated. A proactive cyber threat program is the only way to keep up in an asymmetric fight. With an effective purple teaming program—having offensive experts (red team) simulating adversaries in-network, and defensive experts (blue team) measuring and improving prevention, detection, and response—organizations can get and stay ahead of the threat," reads the blurb of the whitepaper.
Some may confuse purple teaming with relatively new cybersecurity solutions like Continuous Automated Red Teaming (CART), which is designed to help blue teams concentrate their efforts on exploitable vulnerabilities and risk exposures. Simply put, the former is an approach to security testing that entails collaboration between the red and blue teams. The latter is a tool intended to enhance the blue team's ability to find and remedy vulnerabilities in its security systems.
In other words, the purple team is a broader concept, while CART can be a way to achieve purple teaming in an organization. It enables threat-informed defenses and strategies by providing an organization's internal cyber defense team (blue team) with vulnerability information and insights based on various vectors and modules. It does not fully replace the red in purple, but it provides a continuous stream of valuable data and insights that can help improve the overall security posture.
The red team perspective
So, where does red teaming sit in all of this? As mentioned, purple teaming is increasingly becoming the new norm for security testing. This means that the organization's internal cybersecurity team (the blue team) needs to adjust to a new paradigm of working with the red team.
Purple teaming is not about forming a new team with members from the red and blue teams working as a single group. Instead, it is an approach to security testing that enables the sharing of insights between the red and blue teams. They still operate independently, but they collaborate by exchanging information and ideas about the results of their work. This collaboration allows both to improve in their functions: the red team explores new ways to penetrate defenses, while the blue team obtains new ideas on detecting and preventing adversarial actions.
To emphasize, defense teams learn from the red teams by gaining an adversarial perspective. With the red team's help, they learn to think the way attackers do. As a result, they come to understand vulnerabilities better, particularly their origins and the ways they are being exploited. In purple teaming, the offensive perspective is essential to a broader and clearer understanding of existing and emerging threats. Without this vantage point, it would be difficult to evaluate security controls thoroughly and effectively.
Also, as BizTech magazine Senior Editor Joe Kuehne suggested, "a purely defensive security strategy may not be enough." This is based on the consensus of several cybersecurity specialists who participated in Black Hat 2021. The addition of offensive tactics can significantly bolster a security program. An example of the integration of offensive tactics is the use of the MITRE ATT&CK framework.
Many organizations, including security firms, have already integrated this framework into their security programs. This globally accessible knowledge base of adversary tactics and techniques helps cybersecurity professionals detect, identify, prevent, and mitigate cyber-attacks. Furthermore, it acts as a convenient and readily available reference for organizations to quickly gain an adversarial perspective when establishing, testing, tuning, operating, and monitoring their security posture.
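As an added example (not from the article, Booz Allen, or MITRE), here is a small Python tracker for the red/blue feedback loop described above: the red team logs which ATT&CK techniques it exercised, the blue team records whether each one was prevented, detected, or missed, and the script reports coverage per tactic, the remaining gaps, and how a retest round closes them. The technique IDs are real ATT&CK identifiers; the tactic assignments and outcomes are constructed sample data, and the record format is an assumption.

```python
"""Track purple-team exercise outcomes against ATT&CK technique IDs."""
from collections import defaultdict

# Outcomes that count as a working control from the blue team's side.
COVERED = {"detected", "prevented"}

# Constructed exercise log (sample data, not from a real engagement).
# technique: ATT&CK ID run by the red team; outcome: what the blue team saw.
EXERCISE_LOG = [
    {"technique": "T1566", "tactic": "Initial Access",      "outcome": "detected"},
    {"technique": "T1059", "tactic": "Execution",           "outcome": "detected"},
    {"technique": "T1053", "tactic": "Persistence",         "outcome": "missed"},
    {"technique": "T1003", "tactic": "Credential Access",   "outcome": "prevented"},
    {"technique": "T1078", "tactic": "Initial Access",      "outcome": "missed"},
    {"technique": "T1021", "tactic": "Lateral Movement",    "outcome": "missed"},
    {"technique": "T1105", "tactic": "Command and Control", "outcome": "detected"},
]

def coverage_by_tactic(log):
    """Per tactic: how many exercised techniques the blue team caught."""
    stats = defaultdict(lambda: {"exercised": 0, "covered": 0})
    for rec in log:
        stats[rec["tactic"]]["exercised"] += 1
        if rec["outcome"] in COVERED:
            stats[rec["tactic"]]["covered"] += 1
    return dict(stats)

def detection_gaps(log):
    """Techniques the red team ran that the blue team neither saw nor blocked."""
    return sorted({r["technique"] for r in log if r["outcome"] not in COVERED})

def coverage_ratio(log):
    """Fraction of exercised techniques with a working control."""
    covered = sum(1 for r in log if r["outcome"] in COVERED)
    return covered / len(log) if log else 0.0

def apply_retest(log, retest):
    """Merge a later round: the newest outcome per technique wins, which is
    how a gap closes once blue has tuned detections and red re-runs the test."""
    latest = {r["technique"]: r for r in log}
    for r in retest:
        latest[r["technique"]] = r
    return list(latest.values())

if __name__ == "__main__":
    print("gaps after round 1:", detection_gaps(EXERCISE_LOG))
    for tactic, s in coverage_by_tactic(EXERCISE_LOG).items():
        print(f"  {tactic}: {s['covered']}/{s['exercised']} covered")
    # Constructed round 2: blue added a scheduled-task detection, red re-ran T1053.
    round2 = apply_retest(EXERCISE_LOG, [
        {"technique": "T1053", "tactic": "Persistence", "outcome": "detected"}])
    print("gaps after round 2:", detection_gaps(round2))
```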
Is red team know-how important to cybersecurity professionals?
In light of the present-day cyber threat landscape, there's no doubt that red team knowledge and skills are crucial. Cybersecurity professionals understandably have specializations, but they cannot fixate on just being on the defensive or offensive side when it comes to security testing.
There are no rules or standards that require cybersecurity professionals to have red teaming skills. Cybersecurity specialists do not need to be white hats or have experience in ethical hacking, since they do not have to take on the role of red team members, whose job is to do everything possible to defeat security controls. However, as noted earlier, they can collaborate with the red team to examine attack variants that have the potential to breach security controls.
What's essential is for cybersecurity professionals to be open to new information or insights that can significantly improve their outcomes. The rise of purple teaming does not mean that security teams on both sides (red and blue) need to acquire each other's skills and knowledge. They only need to collaborate to help each other boost their abilities to find and correct defects, or to spot and exploit vulnerabilities that are otherwise inconspicuous. However, it is also not a bad idea for cybersecurity professionals to aspire to become experts in both blue and red team activities.