[BreachExchange] Three Emerging Technologies to Accelerate Incident Readiness

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jul 13 15:14:37 EDT 2018


https://www.securityweek.com/three-emerging-technologies-accelerate-incident-readiness

Cyber risk is now widely recognized as one of the top business risks
globally, and executives are asking their security leadership what they can
do to be better prepared and mitigate this risk. Dusting off that incident
response plan when something happens is far from adequate. Organizations
need strong incident response capabilities but also incident readiness. To
hone their skills, security teams are turning to various exercises designed
to help them better anticipate threats and practice their response. One of
these exercises is Purple Teaming.

In the last couple of years, we’ve seen an evolution from more traditional
simulation exercises that use a Red Team to identify vulnerabilities and
launch mock attacks and a Blue Team to detect and respond to attacks, to
Purple Teaming exercises. While Red Team/Blue Team models help
organizations understand vulnerabilities and prepare for attacks, they pit
“attackers” against defenders in exercises that can take weeks or months to
complete and learn from.

Instead of an extended war game, Purple Teaming is collaborative and
iterative. It brings the Red and Blue Teams together through a more
informed and continuous process designed to help the defenders actively get
better at mitigating risk from real-world, highly sophisticated attacks.
The attack force informs the defense force of the planned attack, executes
it, explains the security gaps it took advantage of, and then rewinds so
that the defenders can immediately refine their response.

The Purple Team model is designed so that organizations can improve their
security posture throughout the exercise to capture immediate and ongoing
value. But still, participants often rely heavily on manual methods to
execute and defend against attacks. This limits what you can accomplish
when resources are tight – both time and budget. However, what if you could
use technology to increase the frequency and depth of these exercises to
gain even more value, faster? These three technologies are emerging as
innovative ways to automate and fine-tune Purple Team activities.

1. Infrastructure analytics platform. Many organizations aren’t aware of
everything in their environment – across the network, data center, and
cloud – and this lack of knowledge gives attackers the upper hand. One of
the first steps in Purple Teaming is to understand the organization’s
infrastructure or attack landscape. With an analytics platform that
provides a very detailed, informed view of what the attack landscape looks
like, you gain an even clearer picture of the risks your organization
faces, faster. By automating reconnaissance and some of the attack mapping,
this technology allows you to quickly understand the critical assets and
the associated threat models. For example, with an inventory of everything
on your network, including versions and patch levels, you can correlate
that information to public threat and vulnerability databases to quickly
generate a list of potential vulnerabilities on the network. Red Teams can
use this information to develop more mature and sophisticated attack
scenarios, and Blue Teams can use this information to address security gaps
more quickly.
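The inventory-to-vulnerability-database correlation described in point 1 is straightforward to sketch. The script below is an added example, not code from the article or from any analytics vendor: it takes a constructed host/software inventory and a constructed advisory feed (the `VULN-EXAMPLE-*` identifiers are placeholders, not real CVEs), compares installed versions against the first fixed version, and ranks the resulting findings so that critical assets with the most severe issues surface first. The `Asset` and `Advisory` types and the `critical` flag are assumptions for the example.

```python
"""Correlate a software inventory with a vulnerability feed.

Added example, not from the article. Inventory, advisories and
vulnerability identifiers below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    critical: bool          # assumed tag from the asset inventory

@dataclass(frozen=True)
class Advisory:
    vuln_id: str            # placeholder id, not a real CVE
    product: str
    fixed_in: str           # first version that contains the fix
    severity: str           # low / medium / high / critical

SEVERITY_RANK: Dict[str, int] = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.29' (or '2.4.29-1ubuntu') into (2, 4, 29) so versions compare numerically.
    Non-numeric suffixes on a component are ignored; a component with no digits counts as 0."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group(0)) if m else 0)
    return tuple(parts)

def is_affected(asset: Asset, adv: Advisory) -> bool:
    """An asset is potentially affected if it runs the advisory's product
    at a version older than the first fixed version."""
    return (asset.product.lower() == adv.product.lower()
            and parse_version(asset.version) < parse_version(adv.fixed_in))

def correlate(assets: List[Asset], advisories: List[Advisory]) -> List[Tuple[str, str, str, bool]]:
    """Return (host, vuln_id, severity, critical_asset) tuples, most urgent first."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if is_affected(asset, adv):
                findings.append((asset.host, adv.vuln_id, adv.severity, asset.critical))
    # Rank by severity, then by whether the asset is tagged critical.
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f[2], 0), f[3]), reverse=True)
    return findings

# Constructed sample inventory and advisory feed.
INVENTORY = [
    Asset("web-01", "ExampleHTTPd", "2.4.29", critical=True),
    Asset("web-02", "ExampleHTTPd", "2.4.41", critical=False),
    Asset("db-01", "ExampleDB", "10.3.7-1ubuntu", critical=True),
    Asset("jump-01", "ExampleSSH", "7.9.0", critical=False),
]
ADVISORIES = [
    Advisory("VULN-EXAMPLE-0001", "ExampleHTTPd", "2.4.30", "high"),
    Advisory("VULN-EXAMPLE-0002", "ExampleDB", "10.3.8", "critical"),
    Advisory("VULN-EXAMPLE-0003", "ExampleSSH", "7.4.0", "medium"),
]

if __name__ == "__main__":
    for host, vuln, sev, crit in correlate(INVENTORY, ADVISORIES):
        print(f"{host:8} {vuln:20} {sev:9} {'CRITICAL ASSET' if crit else ''}")
```

In a real environment the advisory feed would come from a public database and the inventory from the analytics platform's discovery, and version comparison would need to respect each vendor's versioning scheme (backports in distribution packages are a common source of false positives with a plain "older than fixed version" rule).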

2. Application performance management. Developed years ago, earlier
iterations of application performance management (APM) tools were
cumbersome and lacked detail. Today’s more modern APM tools provide a
tremendous amount of information that can be used to help analyze code
security. Providing views into the objects and methods used in an
application, the data flow, and where data is being processed, you can
understand the weak points that attackers may use to their advantage. This
“inside out” approach to application analysis is much more efficient than a
manual, “outside in” approach and can greatly accelerate security analysis
activities. For example, when an attack force looks at a web application
for vulnerabilities, they look for web pages that aren’t supposed to be
there – test, dead or deprecated pages. Off the radar and long forgotten,
these pages are a soft spot that attackers look for and are often
vulnerable. APM tools can automatically perform reconnaissance to reveal
and add this level of detail to Red Team threat modeling and provide
security analysts on the Blue Team the insights they need to strengthen
defenses.
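The "inside out" check described in point 2 can be approximated from the defender's side without an APM product: compare the routes the application actually registers (what an APM agent reports as instrumented endpoints) against production traffic, and flag routes whose names suggest test or legacy code or that receive no traffic at all. The script below is an added example, not code from the article or from any APM vendor; the route table and the access log lines are constructed sample data, and the name heuristics are assumptions to be tuned per application.

```python
"""Flag registered web routes that look forgotten.

Added example, not from the article. ROUTES (what an APM agent would
report as instrumented endpoints) and ACCESS_LOG are constructed sample data.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed route inventory: path -> handler, as an APM agent might report it.
ROUTES: Dict[str, str] = {
    "/": "HomeController.index",
    "/login": "AuthController.login",
    "/api/orders": "OrdersController.list",
    "/test/upload": "DebugController.upload",
    "/old/export.php": "LegacyExport.run",
    "/admin/report": "ReportController.run",
}

# Constructed access log lines (common log format) from the review window.
ACCESS_LOG = """\
10.0.0.5 - - [13/Jul/2018:10:01:02 +0000] "GET / HTTP/1.1" 200 512
10.0.0.6 - - [13/Jul/2018:10:01:05 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.7 - - [13/Jul/2018:10:02:11 +0000] "GET /api/orders?page=2 HTTP/1.1" 200 2048
10.0.0.5 - - [13/Jul/2018:10:03:40 +0000] "GET /api/orders HTTP/1.1" 200 2048
10.0.0.9 - - [13/Jul/2018:10:04:00 +0000] "GET /admin/report HTTP/1.1" 200 900
"""

# Extract the request path, dropping any query string.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE|HEAD) ([^ ?"]+)')
# Assumed naming heuristics for test, scratch and legacy code; tune per application.
SUSPICIOUS_NAME = re.compile(
    r"(^|/)(test|tests|debug|old|tmp|backup|bak)(/|$)|deprecated|legacy", re.IGNORECASE
)

def hits_per_route(log: str) -> Counter:
    """Count requests per exact path over the log window."""
    counts: Counter = Counter()
    for line in log.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def forgotten_routes(routes: Dict[str, str], log: str) -> List[Tuple[str, str, List[str]]]:
    """Return (path, handler, reasons) for every route that looks forgotten."""
    hits = hits_per_route(log)
    findings = []
    for path, handler in routes.items():
        reasons = []
        if SUSPICIOUS_NAME.search(path) or SUSPICIOUS_NAME.search(handler):
            reasons.append("name suggests test/legacy code")
        if hits[path] == 0:
            reasons.append("no traffic in log window")
        if reasons:
            findings.append((path, handler, reasons))
    return findings

if __name__ == "__main__":
    for path, handler, reasons in forgotten_routes(ROUTES, ACCESS_LOG):
        print(f"{path:20} {handler:28} {'; '.join(reasons)}")
```

Exact-path matching is enough for the sample; applications with parameterised routes (`/orders/{id}`) need the route pattern matcher rather than string equality, and a single quiet day is not evidence that a route is dead, so the log window should cover a full business cycle before anything is decommissioned.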

3. Security instrumentation platform. Automating much of the activities a
Red Team would do, this new technology does the heavy lifting of emulating
attacks on your network to test incident readiness. Using a device and
agents on different components of your network, a security instrumentation
platform helps demonstrate the impact of threats and malicious activities
within the context of an organization’s unique environment. It can be used
by the Red Team to rapidly target activities, such as emulating a specific
type of ransomware campaign or the latest denial of service (DoS) attack in
the headlines. The Blue Team can learn if their layers of defenses are
working as intended, identify true cybersecurity gaps, and determine how to
make the best use of the resources they have and where to prioritize
investments.

Purple Teaming is a boon to incident readiness and response. To continue to
hone its effectiveness, we need a blend of the right people, process, and
technology to enable forward-thinking security analysis techniques. These
emerging technologies are just a handful that you can use to gain the
visibility and automation necessary to get more from your incident
readiness and response efforts. I’m sure there are other innovations you
can think of to enhance your Purple Teaming process.