After the COVID-19 outbreak, organizations worldwide need to revisit their existing business models and make radical changes to their ongoing business operations by streamlining their business processes and the underlying technology stack that supports those operations. COVID-19 has made most global organizations start working from home, relying on the remote connection capabilities they have in place. This situation may well continue even after the crisis is over, because organizations across the globe take the view that working from home delivers significant cost savings and productivity improvements. The other side of this new approach is that it widens the cyberthreat landscape of organizations, as revealed by the recently emerging cyberthreats targeting remote workers.
By Vimal Mani, Head of Information & Cyber Security Operations of Bank of Sharjah
New methods and techniques need to be considered for bolstering the cybersecurity posture of organizations globally. Many techniques are being explored for strengthening cybersecurity posture, such as Zero Trust, Defence in Depth and others. Along the same lines, several global organizations have started building Red Teams, Blue Teams and Purple Teams as part of their cybersecurity capability development.
What are Red, Blue and Purple Teams?
Red and Blue Team exercises are generally carried out by military forces to mimic an enemy and its attack techniques, and to devise counterattack techniques that prevent attacks from the enemy. This Red Team approach is being adopted by contemporary business organizations globally to devise foolproof business strategies that will help them win over their competition.
In the recent past, global organizations have started embracing the Red and Blue Team approaches to bolster their cybersecurity capabilities and address the dynamically emerging cyberthreats from adversaries. Organizations conduct Red Teaming engagements through external consultants as well as by developing their own internal Red Teams.
What are Red Teaming Engagements?
Red Team engagements are full-fledged cybersecurity assessments in which consultants wear the hats of adversaries and emulate real-life cyberattack scenarios against the client organization, based on mutual agreement. This helps organizations identify the gaps, weaknesses, and single points of failure in the enterprise-wide security architecture. The consultants use the logical, physical, and social engineering attack techniques used by real hackers in the industry. These attack vectors are customized in line with the agreement signed with the organization, which defines the boundaries of the Red Teaming engagement.
The following types of attacks may be emulated during the Red Teaming engagements:
- Physical Attacks
- Internal Network Penetration Attacks
- External Network Penetration Attacks
- Social Engineering (Phishing, Vishing, Smishing etc.)
- Wireless Network Penetration Attacks
- Achievement of goals agreed (Data Exfiltration etc.)
Who are Blue Team Members?
Generally, an organisation's in-house IT Security and SOC team members who fight against cyberattacks are considered Blue Team members. Blue Team members need to ensure that the critical information assets owned by the organization are secured from the various kinds of attacks that may be targeted at them by adversaries, and by the Red Team members who mimic those adversaries. Blue Team members also need to handle the complete cycle of incident management, which is led from the front by the SOC team. The following activities are performed by Blue Team members:
- Vulnerability Analysis
- Patch Management
- Internal Penetration Testing
- System Hardening
- Implementation of Security Baselines
- Configuration Reviews & Changes Implementation
- Compliance Reviews
- Log Monitoring
- Incident Analysis (Triaging)
- Remediation Planning & Implementation
Who are Purple Team Members?
Purple Teaming is a newly emerging concept in cybersecurity. A Purple Team is a team of cybersecurity professionals who play the roles of both Red Team and Blue Team in an ongoing and integrated manner, providing much more reliable cyber assurance to the organizations that employ them. As a Red Team, they collect intelligence on the Tactics, Techniques and Procedures (TTPs) used by adversaries. Then, as a Blue Team, they analyse these TTPs and configure, tune, and improve the incident detection and response capability of the organisations that employ them. As another example, as a Red Team they can send out phishing emails to staff, and as a Blue Team they can conduct structured security awareness training for staff. The Purple Team may not be a separate team; its members are individuals who are part of an organisation's existing cybersecurity team, and their job is to maximize the effectiveness of that team in preventing incidents in a timely manner.
Leveraging the capabilities of Red, Blue and Purple Teams in an integrated manner is the need of the hour for organizations globally. It provides great opportunities for bolstering and improving the cybersecurity posture of organisations. Developing Red/Blue/Purple Team capabilities and integrating them seamlessly should be considered one of the critical action items planned by an organization's Information & Cybersecurity teams every year. Using these teams in an integrated manner will help an organisation improve its incident management capabilities, introduce state-of-the-art cybersecurity skills and solutions, and improve its overall cybersecurity posture.
About the Author
Vimal Mani, CISA, CISM, Six Sigma Black Belt, is the Head of Information & Cyber Security Operations of Bank of Sharjah. He is responsible for the bank's information and cybersecurity programs, coordinating security operations spread across its branches in the Middle East. Mani is also responsible for coordinating bank-wide security strategy and standards, leading periodic security risk assessment efforts and incident investigation and resolution, and coordinating the bank's security awareness and training programs.
CISO MAG did not evaluate/test the products mentioned in this article, nor does it endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. CISO MAG does not guarantee the satisfactory performance of the products mentioned in this article.