Cybersecurity Attacks: Red Team Strategies

Providing different services to the organization

A useful way to look at an offensive security program is that it provides services to the organization. Readers may be familiar with red teams that focus on business processes or other aspects of an organization; this topic is primarily focused on the cybersecurity angle.

Providing service offerings means that other business groups, blue teams, and employees are our customers, so to speak. The modes of operation, responsibilities, and tasks of the penetration test team can differ quite a bit depending on what the scope and responsibilities are. It might or might not include design-level work and reviews such as threat modeling, but it certainly should include hands-on offensive penetration test work and finding and exploiting vulnerabilities for defensive purposes. Most of these services revolve around alternative analyses.

The following subsections are a list of services a penetration test team might provide to its customers. In very large organizations, these services might be provided by different teams and groups of individuals with dedicated focus areas, and at times even multiple teams providing similar services (such as operational red teaming) exist in one organization.

Security reviews and threat modeling support

A good way to get the offensive security team involved early is in the design phase of a system. It's the best way to get feedback before code is deployed or operational processes are established. Although it's not unlikely that systems are already deployed, it's still worthwhile to catch up and threat model systems, environments, and people. Some offensive teams might object to being included in this stage as it differs slightly from their mission.

Personally, I have always seen this as one of the biggest assets of having an internal offensive security team. When engineers or others in the organization have specific security questions on how to build a certain feature or develop a process to improve security, the pen test team can be a great group to bounce ideas off and to help improve security early on. If teams across the organization directly reach out to your team for advice, then you must have done something right.

Security assessments

An engineering team might develop a new feature or service and request help from the penetration test team to assess its security posture and potential vulnerabilities. These are more focused on application-level vulnerability assessments, and the goal is to find as many issues as possible using techniques such as white and black box testing. Some classify this as doing the classical penetration test.

Red team operations

Some of the most fun things for pen testers can be true red team work. Typically, these are covert operations where the stakeholders involved are not aware of the test being carried out, and the operation is authorized by leadership. Ideally, the offensive security team defines the objectives, gets approval, and carries out the test.

Depending on the maturity level of a red team and the organization, it might be valuable to emulate very specific adversaries to challenge the blue team (this is called adversary emulation). This can vary from emulation of a specific adversary or advanced persistent threat (APT) to simulating a crypto-currency adversary or performing a physical breach of a building to steal intellectual property. Red teaming is fun and creative – there are (or rather there should be) few, if any, rules.

The biggest challenge for a mature red team is that a true adversary will break the law. A red team does have to consider legal and corporate policies when operating. This, of course, has implications on how realistic certain scenarios can be played out – but certain scenarios should be at least played out on paper via tabletop exercises.

Purple team operations

The scope and goals for purple team operations are very similar to the operations defined for the red team. The core difference is that the focus lies on transparency and collaboration between red, blue, and engineering teams. The goal throughout all stages of the purple team operation is to improve the security posture of a system almost immediately by running attacks and validating detections and alerts. If attacks succeed and are not caught, detections are fixed and implemented, and the attacks are run again right away, until there is a measurable improvement.
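The run-validate-fix-rerun loop described above is easiest to keep honest when detection coverage is measured the same way in every round. The following harness is an added example, not code from the book or from any product it mentions: it takes a hypothetical test plan agreed between red and blue (constructed case IDs, hosts and start times), parses a constructed newline-delimited JSON alert export, and credits a test case only if the expected alert fired on the right host within the agreed window. The data, the 15-minute window and the field names are assumptions for illustration.

```python
"""Purple-team detection validation harness (added example, constructed data)."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed: how long after the emulated activity starts an alert still counts.
WINDOW = timedelta(minutes=15)


@dataclass(frozen=True)
class TestCase:
    case_id: str          # hypothetical purple-team test case identifier
    description: str
    host: str             # host the red team ran the case on
    started: datetime     # agreed start time of the case (UTC)
    expected_alert: str   # alert name the blue team expects to fire


def _utc(hour, minute):
    return datetime(2024, 5, 1, hour, minute, tzinfo=timezone.utc)


# Constructed test plan shared by red and blue before the exercise.
TEST_PLAN = [
    TestCase("TC-01", "interactive logon from an unmanaged host", "ws-01", _utc(10, 0), "Logon from unmanaged host"),
    TestCase("TC-02", "scheduled task created by non-admin account", "ws-02", _utc(11, 0), "Suspicious scheduled task"),
    TestCase("TC-03", "access to local credential store", "ws-01", _utc(10, 30), "Credential store access"),
    TestCase("TC-04", "large outbound transfer to a new domain", "ws-02", _utc(11, 30), "Anomalous egress volume"),
]

# Constructed SIEM export for round 1. The TC-03 alert fired on the wrong host,
# TC-04 produced nothing, and one line is deliberately malformed.
ROUND_1_ALERTS = """\
{"ts": "2024-05-01T10:04:00+00:00", "host": "ws-01", "alert": "Logon from unmanaged host"}
{"ts": "2024-05-01T10:40:00+00:00", "host": "ws-03", "alert": "Credential store access"}
this line is not json and must not crash the run
{"ts": "2024-05-01T11:02:00+00:00", "host": "ws-02", "alert": "Suspicious scheduled task"}
"""

# Constructed export for round 2, after the blue team fixed detections and the
# same plan was replayed. TC-04 now alerts, but 20 minutes late (outside WINDOW).
ROUND_2_ALERTS = """\
{"ts": "2024-05-01T10:03:30+00:00", "host": "ws-01", "alert": "Logon from unmanaged host"}
{"ts": "2024-05-01T10:33:00+00:00", "host": "ws-01", "alert": "Credential store access"}
{"ts": "2024-05-01T11:01:00+00:00", "host": "ws-02", "alert": "Suspicious scheduled task"}
{"ts": "2024-05-01T11:50:00+00:00", "host": "ws-02", "alert": "Anomalous egress volume"}
"""


def parse_alert_log(text):
    """Parse newline-delimited JSON alerts into dicts with a datetime 'ts'.
    Malformed or incomplete lines are skipped rather than aborting, so a
    partially written export never masquerades as a detection gap."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
        except (ValueError, KeyError, TypeError):
            continue
        if "host" in rec and "alert" in rec:
            alerts.append(rec)
    return alerts


def evaluate_round(plan, alert_text, window=WINDOW):
    """Return (coverage_fraction, detected_ids, missed_ids) for one round.
    A case counts as detected only if the expected alert fired on the same
    host inside [started, started + window]; a late alert is still a gap."""
    alerts = parse_alert_log(alert_text)
    detected, missed = [], []
    for tc in plan:
        hit = any(
            a["host"] == tc.host
            and a["alert"] == tc.expected_alert
            and tc.started <= a["ts"] <= tc.started + window
            for a in alerts
        )
        (detected if hit else missed).append(tc.case_id)
    coverage = len(detected) / len(plan) if plan else 0.0
    return coverage, detected, missed


def improved(before, after):
    """True if the later round covered strictly more of the plan."""
    return after[0] > before[0]


if __name__ == "__main__":
    r1 = evaluate_round(TEST_PLAN, ROUND_1_ALERTS)
    r2 = evaluate_round(TEST_PLAN, ROUND_2_ALERTS)
    print(f"round 1: coverage {r1[0]:.0%}, missed {r1[2]}")
    print(f"round 2: coverage {r2[0]:.0%}, missed {r2[2]}")
    print("measurable improvement:", improved(r1, r2))
```

Two design choices matter here. Matching on host and time window rather than on alert name alone means a detection that fires somewhere else, or long after the activity, is reported as a gap rather than silently credited. And the harness returns structured results instead of only printing them, so each round's coverage can be recorded and the "measurable improvement" the loop aims for is an actual number the team can track between rounds.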

Purple teaming is one of the most effective ways to help grow your defenses quickly and help improve the maturity of the organization quickly, especially if you have an internal offensive security team that can work with the blue team throughout. We will discuss the benefits of close collaboration and leveraging homefield advantage a lot more in the next chapter.

Make sure to keep challenging your own processes and beliefs. The idea of offensive security and alternate analysis is to challenge the status quo.

The reason to not only perform purple teaming but mix in covert red teaming is to ensure someone is validating attacks with no (or few) limitations. If most of the organization only does purple teaming, the need to hire someone external to red team the organization increases. This becomes the test of the purple team, so to speak, to see if they were successful at improving the security posture of the organization.

Tabletop exercises

At times, it's not possible or feasible to perform certain attack scenarios operationally. This might be due to a lack of available resources, legal concerns, and/or technical concerns. A good and somewhat cheap alternative is to perform paper exercises with key stakeholders. Tabletop exercises can be a great way to get higher leadership and the board involved in exploring attack scenarios and challenging them to respond and identify gaps.

Research and development

This category falls mainly into two brackets, the first being security and vulnerability research. This is a core priority of an offensive security team. It includes research into new vulnerabilities and new vulnerability classes. The second part is the creation of tools and exploits to highlight the implications of vulnerabilities and test detection capabilities. These tools will be used during red team operations to test the countermeasures and mitigations in place to detect attacks and defend against them. The red team's goal is to drive fixes for the vulnerabilities and make sure that, if real adversaries develop similar exploits, they will be detected.

Predictive attack analysis and incident response support

If a security incident occurs, the offensive security team can assist with insights about what the active adversary might be looking for. The team can possibly predict the next step the adversary will take due to their unique attacker mindset. Credit for the term Predictive Attack Analysis goes to Farzan Karimi, by the way. This is part of the homefield advantage that an internal offensive security team can provide, and during emergencies, the team can provide critical information in order to be one step ahead.