You’ve invested a lot of time, money, and effort in cybersecurity and securing your organization. You’ve deployed firewalls, endpoint protection, intrusion prevention, and everything in between. Your decisions are driven by both established and trending cybersecurity best practices, combined with strong security policies and practices. Your networks, servers, endpoints, and data are secure. Or are they?
Verifying Your Security Posture
In a 2002 Department of Defense news briefing, former Secretary of Defense Donald Rumsfeld introduced the world to the concept of “unknown unknowns”—that is, you don’t know what you don’t know. No matter what security tools or security practices you have in place, the challenge you face is how to address the unknown unknowns of cybersecurity.
The only honest answer to the question, “Are your networks, servers, endpoints and data secure?” is “No,” or at best, “I don’t know.” You’ve done everything you think you’re supposed to do to make it so. Unfortunately, unless there’s an actual attack, you don’t really know how much you don’t know, or whether the security protections you’ve deployed will defend against a real-world attack. To begin to validate that your security is sufficient and to identify potential weaknesses, you need to think like an attacker and execute live attacks against your environment to find your security holes. That’s where Red Team / Blue Team—or Purple Team—assessments come in.
A Purple Team assessment combines penetration testing (Red) and defense (Blue) teams to conduct an active attack to determine how well your security holds up in the real world. The concept of Red Team assessments, or traditional penetration testing, has been around for years; however, organizations typically only conduct these exercises annually and as part of a compliance requirement within their industry vertical. If you are not conducting Red Team testing, you should be, and you should be doing so more often than annually. It is much better for both your organization and your sanity to identify and mitigate weaknesses in your security posture proactively, rather than learning about them the hard way.
Adapting to the Shifting Security Landscape
Everyone is familiar with the massive data breaches like those experienced at Equifax, Yahoo, and Target. Such data breaches expose or compromise sensitive information in millions or even billions of accounts. What is more concerning than individual massive data breaches, however, is the consistent rise over the past few years in the total number of data breaches. According to Dark Reading, 2017 was a record-breaking year, with a total of 5,207 data breaches exposing nearly 8 billion information records.
The 2017 Cost of Data Breach Study from the Ponemon Institute claims that the average cost of a data breach in 2017 was $3.62 million (USD). This average includes large-scale data breaches like the breach at Equifax, but the study also reports that the average cost per stolen record in a data breach is $141 (USD). That can add up pretty quickly, no matter what size the data breach.
Another consideration when measuring bottom line impact is the fines you could face from organizations like the European Union (EU). The General Data Protection Regulation (GDPR) went into effect in May, and organizations around the world that accept, store, or transmit EU citizens’ personal data (which theoretically could be just about every organization on the Internet) must comply with its requirements. Those who fail to adequately protect the data they are entrusted with could face massive penalties—up to €20 million or 4 percent of the organization’s global annual revenue.
Between the data breach itself and the additional potential fines, many organizations could face bankruptcy as the result of a single data breach. The problem with implementing security best practices without testing to ensure that they work as expected, or only testing periodically (such as annually), is that cyber attacks aren’t periodic. Your networks, servers, endpoints, and data are under constant threat from a vast array of attacks and malware that continuously adapt and evolve over time. Just because you were protected against the tools and techniques attackers used yesterday does not mean you are going to be protected against the tools and techniques they will use tomorrow.
Automated Purple Team Testing
One way to stay a step ahead of cybercriminals is to conduct regular Purple Team assessments so that you can discover and address any holes in your threat landscape before they are exploited. The next question then is just how often is often enough? Monthly? Weekly? Daily? Leveraging a professional Red Team for frequent assessments, such as weekly, can be very costly. You want to test as often as possible, but you cannot bankrupt your organization in the process of protecting it.
The solution is to borrow a tried and true technique used by cloud deployment tools to identify attackers during their reconnaissance. Automation is a key component of the attacker’s arsenal, allowing attackers to hunt for vulnerable targets and orchestrate large-scale attacks (e.g., botnets) against their targets. Some attacks are targeted, precise attacks; however, high-value attacks, including those using malware, are saved for when a target has been identified and the attack can be aimed with a specific purpose to perform actions such as pivoting through a network or exfiltrating data.
Likewise, you should also automate the assessment of your security posture and identify weaknesses and holes, instead of waiting for attackers to do this for you. To truly be effective, you need Red Team attacks that are as realistic as possible and Blue Team actions that accurately reflect the capabilities and depth of your security solutions and personnel in defending against those attacks. An automated Purple Team assessment should continuously emulate, assess, and validate current and emerging attack types and techniques, including near zero-day exploits and malware, and generate a prioritized list of steps you can take to remediate or mitigate any issues. Results should include the automated creation of tickets within your issue management system and the tracking of the ticket until resolution.
Instead of getting caught off guard because you don’t do Purple Team assessments or don’t do them frequently enough, or instead of investing significant resources in conducting frequent Purple Team assessments manually, you can automate and streamline the whole process. Your team can focus on addressing the prioritized list of issues discovered by the Purple Team assessments, and you can rest easy that your security posture really is as strong as you think it is.
David DeSanto,Director, Products and Threat Research, Spirent Communications