Improving Cyber Defense by Purple Team using OODA loop

Ozren (Oz) Bogovac
5 min read · Apr 4, 2019


Cyber defense isn’t getting any easier. The state of today’s enterprise network is constantly shifting, and attacker tactics, techniques, and procedures (TTPs) are constantly changing in a seemingly never-ending upward spiral. To stay prepared, it’s imperative to continually test and evolve your incident response (IR) processes. Organizations that don’t practice this often end up falling behind and, ultimately, compromised, with headlines to prove it. The unfortunate reality is that, with more preparation, many of these breaches could have been prevented, or their impact on the organization drastically reduced. This kind of preparation doesn’t have to be complicated or expensive.

[Figure not reproduced; sources: databreaches.net, IDTheftCentre & media reports]

Enabling Modern Cyber Defense Capabilities
Modern security organizations create new capabilities within an overall cyber defense team by organizing themselves around a fundamental concept of an “OODA loop” — enabling teams to quickly make necessary decisions as they are responding to live or simulated incidents.

The OODA loop stands for Observe, Orient, Decide, Act, a concept developed by USAF Colonel John Boyd for fighter pilots. Handling incidents effectively requires this sort of quick, cyclical decision making. In this quick-decision cycle, the IR team becomes the Blue Team, the “attackers” comprise the Red Team and run attack scenarios, and a third, more novel team called the Purple Team proactively hunts the attackers. This structure allows organizations to “train like they fight,” enabling them to prepare for increasingly advanced adversarial techniques.

“Everyone has a plan until they get punched in the mouth” — Mike Tyson

What makes a successful Red Team?
Red Teams are relatively common and have been instituted in military-oriented organizations for many years. Independent Red Teams that are given the freedom to assume an adversarial role are operationally more successful in a modern enterprise. Although Red Team activities can resemble traditional penetration testing, their goals and scope are very different: a Red Team is more targeted and centers on testing IR detection and response capabilities, modeled on real-world adversarial techniques, whereas a penetration testing team focuses on finding vulnerabilities, attempting to exploit them, and helping the organization address them.

What is Purple Team, a hunt team?
The most novel of the three teams, Purple Teams often form by organizing members of a Red and Blue Team together — with a charter of hunting the attackers while leaning toward the defensive side of cybersecurity. Hunting is a component of an active defense strategy, and it can be defined as proactively exploring attack vectors that are currently undetected by an organization’s existing IR plan. Purple Team members should not only have an understanding of existing IR activities and capabilities but also penetration testing and adversarial techniques. Purple Teams help optimize security detection processes within an organization by reproducing attacks, determining if successful detection of these attacks occurred, and exposing existing deficiencies within the organization’s IR plan.

What makes a successful Purple Team?
The primary goal of a successful hunting operation should be to detect incidents that are not caught by existing IR activities. By taking the time to proactively review endpoint logs or other data for anomalies, you may be able to detect malicious activities that do not currently match attack signatures or indicators of compromise (IOCs). Any successful hunt that finds activity the existing detections failed to catch should then be handled as an incident, and the debriefing phase of that hunting operation should focus on how to improve existing detection capabilities so that the IR team can begin detecting the new IOCs. The same process applies to notable, high-impact incidents that were reported to IR rather than detected by it.

The objectives of hunting operations should be discussed between cyber defense teams, planned in advance, targeted for a purpose, and have a defined scope of activity. Hunting operations should follow a mission planning cycle where there is dedicated time for planning, preparation, execution, and debriefing. Although some organizations elect to perform penetration testing activities annually, continuous hunting activities are highly beneficial for the security posture of any organization.

What do you hunt for, and where do you start from?
A good resource to start with is the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework (https://mitre-attack.github.io/attack-navigator/enterprise/), which provides an outline of how cybersecurity teams can begin testing an organization’s existing monitoring and preventive controls.

As you start testing your existing controls, record the results and assign points both to controls that have worked well and to controls that need improvement. Below is an example loop to get you going:
1. Perform Attack
2. Validate Control
3. Improve Control
4. Confirm Control
5. Begin Next Attack

Here’s an example test case tracking sheet:
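The tracking-sheet image from the original post is not reproduced here. As an added example (my own, not the author’s sheet), the following Python tracker walks each ATT&CK technique through the five steps above and assigns points to the control under test; the technique IDs are real ATT&CK identifiers, while the cases, outcomes, improvements and point values are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed scoring (not from the post): alerted = 3, logged but unparsed = 1.
POINTS = {"detected": 3, "logged_only": 1, "missed": 0}


@dataclass
class TestCase:
    technique: str                 # ATT&CK technique ID (real IDs, sample cases)
    name: str
    control: str                   # control expected to observe the attack
    validate: str = "missed"       # step 2 outcome (Validate Control)
    confirm: Optional[str] = None  # step 4 outcome (Confirm Control), if rerun
    notes: List[str] = field(default_factory=list)

    def outcome(self) -> str:
        return self.confirm if self.confirm is not None else self.validate

    def score(self) -> int:
        return POINTS[self.outcome()]


def run_cycle(case: TestCase, first: str, fix: Optional[str] = None,
              retest: Optional[str] = None) -> TestCase:
    """Steps 1-4 for one technique: a detected attack ends the cycle,
    otherwise record the improvement (step 3) and the confirmation rerun."""
    case.validate = first
    if first != "detected":
        case.notes.append(f"improve {case.control}: {fix}")
        case.confirm = retest
    return case


def summarize(cases: List[TestCase]) -> dict:
    """Sheet totals: points earned vs. possible, and techniques still in a gap."""
    possible = len(cases) * POINTS["detected"]
    earned = sum(c.score() for c in cases)
    gaps = [c.technique for c in cases if c.outcome() != "detected"]
    return {"earned": earned, "possible": possible,
            "coverage_pct": round(100 * earned / possible, 1), "gaps": gaps}


# Constructed sample sheet: three techniques walked through the loop.
SHEET = [
    run_cycle(TestCase("T1059.001", "PowerShell download cradle", "EDR"),
              "detected"),
    run_cycle(TestCase("T1053.005", "Scheduled task persistence", "SIEM rule"),
              "logged_only", "parse Security event 4698 task fields", "detected"),
    run_cycle(TestCase("T1003.001", "LSASS memory access", "EDR"),
              "missed", "enable credential-access telemetry", "logged_only"),
]
```

Techniques left in `gaps` after the confirmation rerun are the ones to carry into the next hunting cycle (step 5).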

What happens if you do not hunt and validate your assumptions?
Due to limited time and resources, IR test cases for known attacks are unlikely to be exhaustive, and there may be gaps in what is detected. These detection gaps can stem from a variety of restrictions, such as a lack of visibility at the endpoint or network layer, or events that are logged in the SIEM but never parsed. Hunting is meant to validate and continuously improve current use cases while also identifying new ones. Furthermore, without hunting, an incident may go undetected, or may be detected late in the kill chain after exfiltration or another adverse effect has already occurred.

In this post, we discussed some of the fundamental steps you can take to make your cyber defense team more effective: first, organizing into Blue, Red, and Purple teams around the concept of an OODA loop; second, running simulated exercises or scenarios that enable teams to “train like they fight”; and third, performing Purple Team activities continuously, year round. These steps will help teams and organizations build the muscles required to take a measured approach based on the available information and defend against the modern attacker.


Ozren (Oz) Bogovac

Interests: Cyber Defense, IR, Red Team, and Digital Forensics. MBA, CISSP, CISM, CISA, GWAPT, GCIH, GCFA https://www.linkedin.com/in/ozrenbogovac/