Purple Teaming With Lares
The following blog post summarizes some of the key points from the first extracted session of the inaugural Lares Customer Summit that took place on Wednesday, December 2nd 2020. We hope you enjoy the excerpts and the extracted session at the bottom of the page.
Blame Game: The Receiving End of a Pentest
Penetration testing reports tend to lead to the blame game. "Why does this gap exist?" "Who’s at fault?" There is blame because pentesting reports provide minimal context and understanding of the threat landscape at best. For example, actual ransomware attack methods may differ from those of a pentest. While some overlap exists, one does not truly gain full context.
Further, blue teams have minimal involvement in the creation of a pentest report. The defensive team typically sits in passive mode while testers execute. Purple team assessment elevates the role of defenders in the effort to cess out security maturity.
The Purple Team Difference
The difference between the passive approach and the purple collaborative approach is teamwork. Diverse customer teams lead to more meaningful collaboration and less blame. Further, the Lares Purple team engagements emphasize listening, hearing, and empathizing with clients over the operational challenges they face. Contextualization helps us replicate actual threat landscapes in the customer environment and thereby help teams defend better – and essential move the defensive needle forward. A Purple team is an investigation – an in-depth, intimate conversation about how operations have been happening – e.g., Here’s what we attacked AND where you lacked detection and logging to mitigate the attack.
Why Purple Teaming Wins
Our clients achieve wins by embracing Purple Team (PT) methodology. Simply, going through the motions discussing tactics, techniques, and procedures (TTPs) and shining the spotlight on everything – results in novel byproducts and capabilities (e.g., the discovery of novel functionality and features in defensive controls) of which clients were unaware they possessed. Teams become self-aware of gaps, latent strengths, and unpredictable finds outside of the statement of work (SOW) by the engagement’s end.
Our clients achieve the following wins throughout an engagement: the ability to Identify Data Gaps (e.g., adding low-level Windows logs), enhancing Defensive Maturity (e.g., ensuring controls are detecting TTPs as expected) that becomes possible in hours, not years, Identifying Controls Gaps, and evolving a client’s Education of themselves and capabilities to defend forward. We help people learn, going very low level and thereby improve security operations.
In the end, to see our clients “go from zero to anything is amazing!"
Making Purple Team Engagements Successful
There are four contributors to a successful purple team engagement. Teamwork fundamentally allows everyone at the table to provide input and perspectives and articulate purple team goals and objectives. Access to Data is critically essential for desired outcomes. We encourage more data than less across all business units and technology domains for the breadth of knowledge about a client and its environment. Support is key. While Blue teams focus on improved detection and enhanced logging, implementation, and technology leads, bring their depth of domain knowledge (e.g., Active Directory, network engineering) to the engagement, rounding out our overall understanding of operations. And then there is Time. Security is a dynamic, living thing. Our clients need Time to address low-level components for in-depth comprehension and feedback loops that produce a continuous self-discovery progression.
Avoid Purple Haze
The purple team engagement goal should be enforcing the idea that purple teaming is an investigative process with reliance on humans for success. Purple Teaming does not equate to testing for every component TTPs or matrices within the MITRE ATT&CK or similar framework. Some organizations get caught up in the popularity and hype of attack frameworks and flashy solutions that claim to automate and iterate through TTPs yet miss the context of attacks. We remind clients that tradecraft has preambles – i.e., tons of things attackers do before the attack stage. Our PT engagement goal is ensuring clients achieve proper contextualization for their environment while disregarding impertinent information.
Purple Team Reporting is More than Reporting
In the end, we want clients to have evolved defensive capabilities using relevant reporting. Where other firms use standard templates for reporting (e.g., executive summary, findings, and recommendations), Lares takes an inverse approach. We exclusively relay defensive content and the risk articulation to the client based on the long-formed" conversations and conclusions derived during the engagement. We contextualize data to define hunting strategies based on the client profile. We do NOT throw arbitrary solutions at clients. In contrast, we report out our client’s capabilities. At the end of the PT, the client will know ‘what they can and cannot defend’ and possess attack specificity about why things are happening in the manner they do in their infrastructure
Ultimately our job is to ensure immediate progress. That’s Lares’ core objective. We want you "beefed up" by the end of the assessment. When we wrap up, we want clients to say, "I learned all this stuff. I have the ammunition and knowledge now to go and do… right now."