What happens when offense and defense get lost in translation?
And why automated purple teaming is the answer.
Last year a wave of highly sophisticated attacks known as APTs (Advanced Persistent Threats) targeted personal financial data, intellectual property and infrastructure. Soon, headlines about mega-hacks including Equifax, Yahoo and Uber, and even attacks influencing public opinion, dragged the cybersecurity industry into an arms-race frenzy. The notorious attacks hurled cybersecurity high up the boardroom agenda and raised the level of criticality to new heights.
As a result, global security expenditure was forecast to soar to $86.4B in 2017 (Gartner) and showed no signs of abating. On the contrary, Gartner forecast that industry spend in 2018 would grow to $93B, as traditional security measures such as firewalls and anti-virus software alone prove to be inadequate.
The new order
The forays of 2017 meant that in 2018 organizations are no longer asking if they can be attacked. Rather the question is… how? Realizing the perimeter is dead, organizations are waking up to a reality where the battleground is looming inside their network.
New threat vectors have been expanding the attack surface, forcing organizations to step up their knowledge of APTs and adopt new tools and tactics for defending their network from within. Here we look at some of the steps organizations should consider in their attempt to tame APTs and prevent them from reaching their critical assets. But before we raise the hood and tinker inside attack paths, let’s clarify: what is an APT?
Anatomy of an APT
APT, or Advanced Persistent Threat, is a term that stems from the US military almost a decade ago. It refers to an attack on a network by a third party that gains unauthorized access and remains there undetected for a prolonged period. APTs are characterized by their high level of sophistication and covertness, often using bespoke software back doors and zero-day vulnerabilities.
They are particularly dangerous because of the strategic intent behind the bodies planning, funding and running them. These threat actors launch APTs at networks to gain access to sensitive data and systems, creating reputational and operational risk for their targets. They often take advantage of shadow IT and poor digital hygiene, a problem plaguing organizations across the globe.
At the crux of an APT attack is the ‘Persistence’ factor: the attacker aims to stay in the network undetected for a lengthy period, often months, while they pursue their end goals.
Today no organization, irrespective of size or type, is immune to these attacks. The sophistication of APTs is growing at a rapid pace, and existing security controls are not keeping up. What’s making matters worse is the shortage of security personnel, while at the same time hackers are becoming increasingly skilled. According to eSecurity Planet:
‘By the end of 2018 it’s predicted that 1 to 2M cybersecurity jobs will remain unfilled. About 6M cybersecurity analysts will be needed, with only between 4 to 5M available to fill the positions.’
Red team – blue team dissonance
Although outsourced offensive red team services are hired to prod an organization’s security posture and challenge internal defensive blue teams through ‘mock attacks’, there is a problematic time gap between completed tests. There is also a lack of coordination between the two teams’ operations.
This daunting reality demands a change in the narrative: from a defensive approach to ongoing, proactive and prioritized intervention, driven by innovation, analytics and greater operational efficiency on both sides of the threatscape.
The move to automation
Theoretically, red teams were supposed to improve blue teams’ competence and strengthen the security stack. But although they could boast success at exposing some threats, they fell short of providing an ongoing offensive-defensive strategy for defusing APTs. Even organizations with budgets that afford internal red and blue teams struggled to stop real-life attackers. Offensive-defensive automation could be key to a more effective approach.
Automated purple teaming – next step to an optimal security flow
A purple team is the collaboration of red teams and blue teams that learn from each other to improve an organization’s defense. In theory, a purple team combines the attack vectors and vulnerabilities found by the red team with the defensive tactics from the blue team, to build the strongest security program possible.
Purple teams are, ideally, groups that work to maximize the effectiveness of red teams and blue teams. More than a nice idea, purple teams are becoming a necessity for protecting digital assets against attacks that can work around security controls. To get the two teams working synergistically, a purple team focuses both teams’ efforts into one fluid process that runs in a continuous loop. For a purple team to do its job correctly, it is not enough just to combine the efforts of red and blue teams; it needs a 360-degree view of its environment, in real time. So the only option is an automated purple team that runs constantly, 24×7, beyond the guiding hand of a human resource.
With a purple team running continuously, companies will be able to follow prioritized remediation guidelines, ensuring that they are aware of new ‘cracks in the armor’ as soon as they appear.
Combining the best of all worlds, an effective automated purple team can better secure all critical assets through 24×7, real-time attack path exposure.
It can then automatically deliver prioritized and actionable remediation without disrupting networks and users’ daily activity. Addressing real user behavior and exploits, it can deliver the big lift in digital hygiene.
By doing so it will help organizations to shut their cyber windows, and not just rely on locking their cyber door.
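To make the continuous loop described above concrete, here is an added example (it is not XM Cyber’s code, and the environment it models is invented). It represents attack paths from breach points to a critical asset as a directed graph, enumerates every path, counts how many paths each weakness appears on to produce a prioritized remediation list, then applies the top fix and re-runs the exposure, which is the expose-prioritize-remediate-repeat cycle of an automated purple team. The host names, the weakness labels and the path-count heuristic are all assumptions made for illustration.

```python
"""Attack-path exposure with prioritized remediation, run as a loop.

Constructed example: the hosts, edges and technique labels below are
invented for illustration and do not describe any real environment.
"""
from collections import defaultdict

# Each edge is (source host, target host, weakness that lets an attacker
# move along it). Constructed sample data.
SAMPLE_EDGES = [
    ("workstation-1", "fileserver", "cached domain admin credential"),
    ("workstation-1", "jump-host", "reused local admin password"),
    ("workstation-2", "jump-host", "reused local admin password"),
    ("jump-host", "db-server", "unpatched RDP service"),
    ("jump-host", "fileserver", "cached domain admin credential"),
    ("fileserver", "db-server", "plaintext DB password in share"),
]
BREACH_POINTS = {"workstation-1", "workstation-2"}   # assumed initial footholds
CRITICAL_ASSETS = {"db-server"}                       # assumed crown jewel


def build_graph(edges):
    """Adjacency list: host -> [(next host, weakness), ...]."""
    graph = defaultdict(list)
    for src, dst, weakness in edges:
        graph[src].append((dst, weakness))
    return graph


def find_attack_paths(graph, breach_points, critical_assets):
    """Enumerate every simple path from a breach point to a critical asset.

    Each path is a list of (src, dst, weakness) steps. Depth-first search
    with a visited set keeps the enumeration loop-free.
    """
    paths = []

    def walk(node, visited, steps):
        if node in critical_assets and steps:
            paths.append(list(steps))
            return
        for dst, weakness in graph.get(node, []):
            if dst in visited:
                continue
            steps.append((node, dst, weakness))
            walk(dst, visited | {dst}, steps)
            steps.pop()

    for start in sorted(breach_points):
        walk(start, {start}, [])
    return paths


def prioritize_remediation(paths):
    """Rank each weakness by the number of attack paths fixing it would cut.

    Returns [(weakness, paths_cut), ...], most impactful first; ties are
    broken alphabetically so the ordering is deterministic.
    """
    cut = defaultdict(int)
    for path in paths:
        for weakness in {step[2] for step in path}:
            cut[weakness] += 1
    return sorted(cut.items(), key=lambda kv: (-kv[1], kv[0]))


def remediate(edges, weakness):
    """Model a fix: every edge that depends on the weakness disappears."""
    return [e for e in edges if e[2] != weakness]


def remediation_loop(edges, breach_points, critical_assets):
    """Expose, fix the top-ranked weakness, re-expose, until no path remains.

    Returns a history of (paths_found, weakness_fixed, paths_cut) per round.
    """
    history = []
    while True:
        paths = find_attack_paths(build_graph(edges), breach_points, critical_assets)
        if not paths:
            return history
        top_fix, paths_cut = prioritize_remediation(paths)[0]
        history.append((len(paths), top_fix, paths_cut))
        edges = remediate(edges, top_fix)


if __name__ == "__main__":
    exposure = find_attack_paths(build_graph(SAMPLE_EDGES), BREACH_POINTS, CRITICAL_ASSETS)
    print(f"{len(exposure)} attack paths reach a critical asset")
    for weakness, n in prioritize_remediation(exposure):
        print(f"  fix '{weakness}': cuts {n} path(s)")
    for rnd, (found, fixed, n) in enumerate(remediation_loop(SAMPLE_EDGES, BREACH_POINTS, CRITICAL_ASSETS), 1):
        print(f"round {rnd}: {found} path(s) found, fixed '{fixed}' (cut {n})")
```

On the sample data the first round finds five paths and ranks the reused local admin password first (it sits on four of them); after that fix a single path remains through the cached credential, and one more round closes it. Ranking purely by path count is the simplest heuristic; a real program would also weight asset criticality, the blast radius of each fix and the effort to apply it, and would re-run the exposure on a schedule rather than only after a fix, since new edges appear as users and systems change.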
About XM Cyber
XM Cyber provides the first fully automated APT Simulation Platform to continuously expose all attack vectors from breach point to an organization’s critical assets in real time, 24/7. This continuous automated red teaming loop is completed by ongoing and prioritized actionable remediation of security gaps. In effect, HaXM by XM Cyber operates as an automated purple team that fluidly combines red and blue team processes to ensure organizations are always one step ahead of the hacker.
Addressing real user behavior and exploits, the full spectrum of attack scenarios is aligned to an organization’s network to expose all the back doors and blind spots. Each automated process is executed safely using the most up-to-date hacker techniques, without affecting network availability or user experience. Finally, the platform generates auto-reports comprising key findings and prioritized actionable remediation, empowering the security team with insights and simple-to-follow guidelines.
XM Cyber was founded by the highest caliber of security executives from Israel’s elite intelligence sector. Together they bring a proven track record in offensive and defensive cybersecurity. The company’s offices in the US, Israel and Australia serve a growing client base in multiple industries including infrastructures, manufacturing and finance.