Is there finally a way to tame APTs?

With the increasing sophistication of Advanced Persistent Threats (APTs) looming over CISOs' heads, it's crucial to stay up to date on the latest and most advanced cybersecurity technologies. Lately, hardly a day goes by without another report on a new APT threat and the harm it inflicts.

The term APT refers to an attack on a network by a third party that gains unauthorized access and remains there undetected for a prolonged period. APTs are often particularly dangerous because of the strategic intent of the criminals planning, funding and running the APT campaigns. These threat actors launch APTs at target networks to gain access to sensitive data and systems, putting their targets at considerable reputational and operational risk. APTs are characterized by a high level of sophistication and covertness, often using bespoke software back doors and zero-day vulnerabilities.

The sophistication of APTs is growing at a rapid pace, and existing security controls are not keeping up. Massive breaches like the 2017 Equifax hack, which led to the data of 145.5 million US citizens being compromised, and the attack on Ukraine's electrical grid, in which hackers remained in the systems for over six months undetected and left over 200,000 people without power, are no longer isolated events.

The sheer volume and complexity make it increasingly difficult, stressful and time-consuming to identify and resolve the threats needing the most urgent attention. This daunting reality calls for a change in the narrative: from a defensive approach to ongoing proactive and prioritized intervention, driven by innovation, analytics and greater operational efficiency on both sides of the threatscape.

Red teams, blue teams and the abyss in between

Adopted from the military and intelligence realm, red team-blue team exercises showed a promising start in the right direction: hired to act as the 'enemy', red teamers execute malicious activities along the full spectrum of the kill chain to identify potential vectors towards organizational assets. Red teams often imitate the behaviors and techniques of specific threat actors to assess how the existing security stack tackles such attacks. On the opposing side, internal blue teams are usually tasked with defending the networks from real-life attacks, as well as combating the scheduled red team attacks to help improve the organization's security posture.

Red teams are supposed to improve blue teams' capabilities by identifying potential threats. Together they have been mildly successful at exposing and remediating some threats, but they fall short of providing the ongoing offensive-defensive strategy needed to combat APTs. Even the few organizations with budgets that can support internal red and blue teams are struggling to tie together the tools, tactics and processes that can stop real-life attackers, whose skills grow by the minute.

The key to working together

While red and blue teams are effective on their own, they can be divisive because the red team always "wins". Because red teams harness hacker tools and techniques, their rate of successful penetration and exposure of potential attack paths is predictably high compared with the blue team's ability to fend off those attacks.

In the interest of providing a way for red and blue teams to work synergistically, organizations should consider a purple team that can focus both teams' efforts into one collective and fluid process. This approach helps the red and blue teams learn from each other and build the strongest security program possible. In the process, it helps shift blue teams from a purely defensive approach to a mindset that is more proactive in its search for potential threats and indicators of compromise.

In theory, a purple team combines the attack vectors and vulnerabilities found by the red team with the defensive tactics and controls from the blue team. Purple teams are more than just a nice idea in the cybersecurity space; they are increasingly becoming a necessity for protecting digital assets and sensitive data against attacks that can work around existing security controls.

What's missing in the purple space?

Hackers have figured out how to circumvent existing systems and take advantage of the time lapses between fixes and patches. Traditional threat detection methods are not only coming up short but also creating more problems, specifically an overwhelming number of false alerts that hinder employees' ability to do their jobs effectively.

There is also a significant HR problem here: The demand for skilled information security analysts far exceeds the supply. According to Cyberseek, there are currently more than 20,000 vacant positions for cybersecurity-related analysts in the US alone. As organizations are forced to cope with fewer trained personnel, more data than ever, and attacks that grow more sophisticated every day, there is a clear need for automated security flows and processes on both sides of the threatscape.

For a purple team to do its job correctly, it is not enough to just combine the efforts of both red and blue teams; it requires a 360-degree view of its environment, in real time, 24x7. The pace of change in hacking is only going to get faster, and cybercrime tactics are only going to grow more sophisticated.

Empowering purple teams with automation

What is needed is an automated solution that runs constantly, 24x7, without a human operator guiding it. In other words, automated purple teaming.

If the red and blue team processes can be programmed to run in a continuous loop, using the latest hacking methods and techniques, it not only makes it possible for an organization to stay several steps ahead of hackers; it also solves the HR problem.

Automated purple teaming detects problems caused by human error, doesn't require a special team to operate effectively, and, if configured well, can run in the background without disrupting the network or users' day-to-day activity. This "auto-purple" mindset makes the most of red team techniques and constantly improves blue team activities by raising their level of efficacy while reducing false alerts.

An automated purple teaming platform can provide a clear and prioritized remediation plan for any vulnerabilities and risks related to IT practices. Identifying a problem is only half the battle; if a company doesn't know how to fix what's wrong immediately, without time lapses, it will remain vulnerable.

With the purple team running continuously, companies will be able to follow prioritized remediation instructions and know as soon as an issue has been resolved, while also becoming aware of any new flaws or cracks in the armor as soon as they appear.

Automated and continuous purple teaming is the future of cybersecurity because it combines the best of both worlds. It secures all critical assets through 24x7 real-time exposure and automatically delivers prioritized and actionable remediation.