Red Teaming exercises are getting popular with the growth of security operations centers. These attack simulations aim to help companies improve their defenses and train the blue team. But solid foundations are necessary to get the most of such an exercise.
Penetration Test vs Red Teaming
First off, let us clear up any confusion. Penetration Testing is focused on coverage while Red Teaming is focused on stealth.
Penetration Testing is the way to go to identify weaknesses in networks and applications. Pentesters at Compass analyze IT systems and infrastructure and find plenty of vulnerabilities daily. We work together with system administrator, developers and IT infrastructure professionals with one same goal: find as many holes as possible and propose a way to fix them.
Red Teaming assessments are complex attack simulation that require long preparation and engineering work. The goal of the red team is to simulate a threat actor and complete missions while the blue team tries to detect and prevent the attack. It has the advantage to be more holistic, but need much more resources. It can also get frustrating for the red and blue team!
Blue Team Maturity
We do a handful of Red Team exercises every year for medium to big companies. We noticed that it is important to have a certain level of maturity for the exercise to pay off.
Level 0 – Logs Apprentice
You collect traces of potential malicious activities in your infrastructure: workstations, servers, firewalls, proxies, antivirus, EDR, self-developed applications, etc. are configured to audit and log.
You further configured systems so that log files are big enough not to be overwritten. You are confident that your logs are stored long enough to be helpful for a digital forensic investigation.
Good job! Now if you want to be a step ahead of the attackers, you need to monitor malicious behavior across devices and log sources.
Level 1 – SIEM Expert
Your logs are centralized into a central system, a so-called Security Information and Event Management (SIEM). Thanks to this, you get real-time visibility into your IT infrastructure and can track events and report on them.
You also correlate the aggregated logs in order to be able to detect sequences of events related to each other even if they come from different sources. This gives you unprecedented insight into user behavior.
Well done! You need to distinguish good from bad now in order to detect malicious actions.
Level 2 – Alert Master
You defined use-cases of “malicious” behavior and created alerts on them based on the logs you have. You fine-tuned your alerts to avoid getting tons of false positive. Your blue team is consistently notified of potential security incident.
You know all MITRE ATT&CK TTPs by heart and are confident threat actors will get caught in your web of detection and alerting.
Awesome! Now let’s work on the response to incidents.
Level 3 – SOAR Legend
You have playbooks defined for different types of incidents you defined. These are implemented in a Security Orchestration, Automation and Response (SOAR) system. This helps your blue team automate and standardize the response to incidents.
The team works well together and they are able to coordinate with other teams (legal, communications, management) as well as external stakeholders (law enforcement, regulatory bodies). Processes are well-defined and tested regularly.
You almost reached the top of the game. The next steps are proactive threat hunting and continuous improvement to reach SOC God!
Gaining Experience
A Red Teaming exercise is not particularly fruitful when the blue team has not a maturity that allows them to detect malicious behavior. In the model described above, it takes a lot of time and experience to go from one level to the next. Even more so if the Security Operations Center is operated by a third party.
We believe there is exist no off-the-shelf tool, service or solution you can buy that will bring you from zero to hero. Our recommendation would be to start simple with a few log sources and alerts. Test everything carefully and build up from that.
Purple Teaming
In the meantime, what can you do? We had good experiences doing purple teaming exercises to test the detection capabilities and give insights on blind spots.
Collaboration
In a Purple Teaming exercise, the red and blue teams work together. This improve efficiency and reduce frustration on both sides. Engineering effort is reduced to the minimum to assess only what techniques are detected, and how could detection be improved.
Broader Coverage
The flexibility allows a purple team to simulate multiple threat actors at different levels and to get a better coverage than what a Red Teaming exercise could offer.
Red and Blue Know-How
The experience of Compass’ red teamers is key to simulate the different actors and their techniques, but Compass’ blue teamers who are used to digital forensics and incident response are central to help building and improving detection.
Conclusion
Defending a corporate IT infrastructure is hard. Leveling-up your blue team requires lots of experience. Choose your weapons wisely and don’t go for the big boss too soon. GLHF
Sali Silvain,
sehr guter Artikel. Was aus meiner Sicht fehlt ist eine Aussage, was die minimale Maturität ist, um ein vernünftiges Zusammenarbeiten im Purple Team zu ermöglichen. Ausserdem bedeutet Maturität 0 wirklich 0 = no activity, Du beginnst also eigentlich bei 1.