Cybersecurity Teaming Against Evolving Threat Landscape


In early 2017, Govtech released an article summarizing the top cybersecurity predictions for 2017 from several organizations and companies. Looking back at 2016, cyberattacks evolved along with the rise of cloud computing, big data, social media, IoT, machine learning, AI, drones, and so on. Cybersecurity plays an important role in ensuring and protecting Confidentiality, Integrity, Availability, and Accountability across the aspects of People, Process, and Technology.

Based on those predictions, most organizations mentioned IoT and malware (including ransomware). For malware-related attacks, we have heard about Advanced Persistent Threats (APT), ransomware, and fileless malware. I will explain these kinds of malware-related attacks further in other articles. For IoT, surprisingly, it can be used both as a target and as an attack vector. One well-known piece of IoT malware is Mirai. Mirai is a botnet that can perform DDoS attacks using the infected IoT devices. We can find the analysis and (surprisingly) the source code.

I will not explain the cybersecurity predictions in detail in this article.

Security Architecture

SABSA is a business-driven, risk-based methodology for developing Enterprise Security Architecture. In short, security is not just about People, Process, and Technology independently, but about how we govern, manage, collaborate, and integrate those aspects. In my several engagements on enterprise security architecture or cybersecurity transformation, I have always emphasized the importance of a top-down approach. By the way, here is a short explanation of SABSA.

Basically, security-related activities are part of risk management. Security practices are about how to minimize and mitigate risks, which can be technical or process/procedural matters. If we look at the top layer of SABSA, it corresponds to the first step in risk management: establishing context. An unclear understanding of the context will make managing and implementing a cybersecurity program ineffective.

Why should we understand security architecture when we want to talk about cybersecurity teaming? Let's continue and find out.

Cybersecurity Team

Referring to this article, we can divide cybersecurity teams into three categories: Red, Blue, Purple.

  • Red: Offensive team; consists of penetration testers (internal and external)
  • Blue: Defensive team; implements security technology; consists of cybersecurity engineers
  • Purple: Integration and collaboration of the Red and Blue teams

If we look at the team categories, do you feel that something is missing? Correct. None of the roles above can translate the Contextual Security Architecture into the Operational Security Architecture. Especially in FSI, the security context can be driven by regulatory compliance (e.g. Central Bank regulations) and certain standards (e.g. ISO 27K, PCI-DSS, HIPAA). Let us call it the "White Team", a team that has to:

  • understand how to fulfill the security requirements of the cybersecurity stakeholders
  • understand the organization's security posture and exposure
  • ensure that the organization complies with related regulations and standards
  • address the security risks and how to mitigate them
  • ensure that security practices cover the collaboration and integration of People, Process, and Technology
  • ensure that the cybersecurity program aligns with the organization's context in cybersecurity matters

Sample Case: Prevent Malware Attack

Assume we want to prevent an advanced malware attack. Here are the roles of each team:

  • White Team: Develop security controls to prevent malware attacks, referring to ISO 27K, PCI-DSS and NIST SP 800-83; raise awareness among information custodians and users regarding malware prevention
  • Blue Team: Enhance security technology capabilities; implement an advanced threat defense solution, threat intelligence, and endpoint security; implement a next-generation SIEM to simplify the monitoring process and improve visibility
  • Red Team: Simulate a malware attack (you can refer to the Cyber Kill Chain)
  • Purple Team: Develop attack scenarios using the Cyber Kill Chain method or other approaches; develop a plan for, and evaluate, the active defense strategy

Note: Incident response and handling roles can be part of the Blue or Purple team.


There are many attack scenarios and active defense strategies we can develop to accommodate effective methods of preventing advanced attacks and to ensure that the cybersecurity team has the capabilities to identify, protect, detect, respond to, and recover from attacks, which grow more complicated as the threat landscape evolves.