Purple Team Strategies

By : David Routin, Simon Thoores, Samuel Rossier

Overview of this book

With small to large companies focusing on hardening their security systems, the term "purple team" has gained a lot of traction over the last couple of years. Purple teams represent a group of individuals responsible for securing an organization’s environment using both red team and blue team testing and integration – if you’re ready to join or advance their ranks, then this book is for you. Purple Team Strategies will get you up and running with the exact strategies and techniques used by purple teamers to implement and then maintain a robust environment. You’ll start with planning and prioritizing adversary emulation, and explore concepts around building a purple team infrastructure as well as simulating and defending against the most trendy ATT&CK tactics. You’ll also dive into performing assessments and continuous testing with breach and attack simulations. Once you’ve covered the fundamentals, you'll also learn tips and tricks to improve the overall maturity of your purple teaming capabilities along with measuring success with KPIs and reporting. With the help of real-world use cases and examples, by the end of this book, you'll be able to integrate the best of both sides: red team tactics and blue team security measures.

Types of threat actors

In a far cry from the 90s, when teenage hackers sat in their bedrooms late at night and tried to break into systems for the thrill and challenge, the current typical threat actor looks quite different.

Nowadays, attackers' motivations are less noble and mostly related to financial interests, and the market is growing. Currently, some studies, blogs, and articles state that cybercrime profits are higher than the profits of all other crime combined, or that, if cybercrime were a country, it would rank among the top 10 countries by GDP. While we are not here to discuss those numbers, we can safely say that cybercrime has grown in both profit and popularity.

Interestingly, it seems that cybercrime-as-a-service – organized groups selling or renting tools, infrastructure, and services – generates more profit than cybercrime itself, allowing new business models to emerge. Threat actors are now specialized in certain areas such as initial access, renting infrastructure, ransom operations, and so on.

Of course, financial gain is not the only objective observed among threat actors. A common representation of threat actor types is based on their intents and objectives. Variations in the definitions of types exist between vendors, blog posts, papers, talks, and books, but overall, the picture looks like this:

  • Advanced persistent threat (APT): Usually state-sponsored or nation-state actor groups that sit in the IT infrastructure for an extended period of time, with different objectives such as cyberespionage. Sometimes an APT can be linked with organized cybercrime.
  • Organized cybercrime: Mainly motivated by financial interests, they have several methods, such as extortion, ransomware, crypto mining, and so on.
  • Hacktivist: Individuals or groups breaking into computers for political or social reasons. Defacement of websites is a common method for hacktivists.
  • Insider threat: Employees, business associates, contractors, or trusted parties who try to steal data or abuse their access to break into other systems or exfiltrate and leak data.
  • Script kiddies: Low-level attackers that use already existing programs and scripts to perform basic malicious operations.

The Center for Internet Security has a similar inventory of threat actors, but also adds terrorist organizations.

Several security vendors have their own classification and naming conventions when it comes to threat actors. Let's go through some of them.

CrowdStrike described its naming conventions in its latest threat report. Adversaries are named mainly using animal names. Bear actors are linked to Russia, Kitten to Iran, Panda to China, and Spider to cybercrime, just to mention a few. As an example, Cozy Bear is a Russian threat actor likely linked to the Foreign Intelligence Service of the Russian Federation, SVR, and it is also likely the same threat actor as APT29 or Yttrium, which are names from other vendors.

Microsoft does not have an official statement on its naming conventions, but Jeremy Dallman, Senior Director at the Microsoft Threat Intelligence Center (MSTIC), stated in an interview with the Security Unlocked podcast that the MSTIC uses the periodic table of elements as a basis for its names, with no real logic behind it. They even tested dinosaur names! Yttrium is the MSTIC name for the threat actor that is believed to be APT29 for Mandiant or Cozy Bear for CrowdStrike.

Mandiant has three main categories for threat actors: APTs, financially motivated adversaries (FIN), and uncategorized actors (UNC).

Palo Alto Networks does not have an official statement on their naming conventions, but if a threat actor already has a common name in the infosec community, they will use it.

Naming conventions can be an issue in the cyber threat intelligence (CTI) community. For example, old actors can be renamed by other vendors or duplicates can be created, which makes it hard for organizations to keep track of and follow threat actors.

Also, it is important to mention that security vendors often observe different things in terms of campaigns and Indicators of Compromise (IoCs), leading to new threat actor names. Different data is collected and only part of the full picture can be seen by each organization, which is known as collection bias, as stated by Robert M. Lee in his talk, Threat Intelligence Naming Conventions: Threat Actors and Other Ways of Tracking Threats. He explains that each security vendor has its own dataset and will only analyze the parts of this data that they deem interesting. Apart from this bias, he also highlights the fact that some tend to focus solely on the malware data dimension, whereas the victimology and infrastructure dimensions are not leveraged the way they should be when following the Diamond Model of Intrusion Analysis. Such bias can lead to CTI analysts keeping track of malware developers but neglecting malware operators.

But does it really matter who's who? The short answer is no – defenders should mainly focus on the how.

A word on attribution

Attributing a cyberattack to a country exposes an organization to geopolitical considerations. As an example, at the time of writing, Mandiant (previously Mandiant-FireEye) does not attribute the attack on SolarWinds to the Foreign Intelligence Service of Russia (SVR), whereas the US government does. Of course, Mandiant is not protecting any special interests by avoiding the finger-pointing exercise, but unless an organization has extreme confidence in the identity of an attacker, which probably only another intelligence service can have in this specific case, knowing that the SVR is behind the attack does not bring any value to the majority of defenders.

In fact, it does not even help 99% of organizations to better protect themselves. On the other hand, clustering attribution does make sense in that it lets us identify groups that target specific organizations, countries, and industries, and that own specific infrastructure and sets of methods. This can help us prioritize efforts in improving our security posture by evaluating our defenses against those groups' tactics, techniques, and procedures (TTPs). In fact, this is the exact entry point to purple teaming, and in the next chapters, we will cover how CTI can help us identify which threats are relevant to us and how they operate, in order to simulate their TTPs and improve our security controls.

Now that we've seen the face of the attacker, we will define the many faces encountered within a cybersecurity department, as well as other necessary definitions.