Dear Red Team: I just want to be your friend. Love, Threat Intelligence
Let’s be honest; professional rivalries can be frustrating, and those between the Red Team and Threat Intelligence are no exception. In every single mission I have ever supported, there’s been a clear line in the sand between the Red Team and their Threat Intelligence counterparts. But what’s that all about? The two should be natural allies! The Red Team needs to emulate enemies; Threat Intelligence has information and details on how to do that. So I took to the proverbial streets to find out why those relationships are so hard to build.
Red Versus Blue
One issue that consistently comes up when Threat Intelligence tries to reach out to the Red Team is the inherent mistrust between Red and Blue Teams. The nature of their respective missions places Red and Blue Teams at odds with one another. In my role as a Threat Intelligence analyst, I find it difficult to earn the trust of Red Team operators, simply because — more often than not — my work revolves around the Blue side of the house.
On the rare occasion when I manage to establish a trusted relationship with a Red Team operator, we often come up against obstacles regarding what the Red Team can actually do. I once wrote up a very comprehensive, detailed list of the top ten spearphishing techniques used by an adversary of interest and passed it along to our Red Team. After a period of radio silence, I reached out to ask if the paper was useful. The operator came back and said that the paper was interesting, but none of their current missions allowed for spearphishing as part of the scope of work. Another restriction lies in the nature of Threat Intelligence. Some of the information threat analysts have access to might not be the type that should be shared in an open forum, and certainly cannot be used in a Red Team operation.
This is a delicate subject. When asked, almost all Red Team operators have their own personally crafted way of executing Red Team operations. Red Team operators have their own specialty, preferences, routine, tools, and tempo by which they conduct successful campaigns, which in some cases may be a carefully guarded secret. On more than one occasion, I have offered a known tactic, technique, and procedure (TTP) to a Red Team operator, only to be met with a wrinkled nose and a comment along the lines of “I don’t do it that way” or “I wouldn’t ever conduct an operation like that.”
In previous missions, Red Team operators have told my team that information Threat Intelligence had passed along was not useful to their missions, for a variety of reasons. In some cases, the information referred to exploitation of a vulnerability that had already been patched (or was never present in the first place). In others, the information was so outdated that it was no longer viable. In yet another, the data could not be applied to any operation because the adversary profile was not relevant to the networks involved. Due to the overabundance of information that is not helpful, Red Team operators may dismiss Threat Intelligence immediately.
So How Do We Fix It?
Adapt Forward has several core tenets of what makes a cybersecurity company effective. One of these guiding principles is… embrace the Purple Team. Although the concept of “Purple Team” is beginning to feel like a buzzword, we’ve been doing it since before it was cool. More importantly, it can be integral in terms of resolving the issues described above.
The trust issues can be alleviated with a working Purple Team, as the adversarial nature of both teams is lessened. Purple Teams open communications between the Red and Blue sides of the mission, which not only streamlines both teams’ operational tempos, but also uses the natural strengths of Red and Blue to enhance the overall efficacy of each team.
Purple Team operations can also help minimize the gap between Threat Intelligence and the Red Team. Awareness of mission parameters would allow Threat Intelligence analysts to provide actionable intelligence that applies to current missions. Additionally, with a Purple Team environment, Threat Intelligence would have a better understanding of the types of intelligence that are useful to both Red and Blue Teams.
Threat Intelligence can support Red Team operations and be beneficial, but only if you create an environment that encourages it. Companies that insist on keeping the old Red vs. Blue mentality may not be as effective as a Purple Team can be. When it comes to investigating and building defenses against cybersecurity threats, Adapt Forward is proud to be Team Purple, and as I see it, we’re all the better for it.