Red phish, blue phish, one phish, two phish. We hear a lot about red teaming. Blue teaming. Purple teaming. Huh? Red is Pentesting. Blue is defense. Purple is a blend of the two. We hear a lot about next-gen firewalls. Next-gen EDRP (endpoint detection, response, and protection). Next-gen WAFs (web application firewalls). I wanted to take a minute to give you my perspective on enterprise security.
Cyber Kill Chain
Attackers tend to follow what the red team calls a cyber kill chain (CKC). This is depicted here:
This approach of gathering data about the target, finding the right attack vector, delivering the attack, exploiting the target, installing the malware, controlling the victim’s computer, to achieve the desired objective has been talked about a fair bit in the pentest world. But I’d like to present what I call the cyber counter chain, or C3.
Cyber Counter Chain
C3 is the opposite CKC. It’s what the enterprise should be doing to counter each move on the cyber chess board:
To counter the advisories reconnaissance, we’re conducting or consuming threat intelligence (TI). That is, we’re training and staying aware of current and specific risks to our organization. As the attackers are building exploits, we’re conducting red team drills to fine tune our protective and detective counter measures. To stop threats, we deploy people and technology (as budget allows) to stop known attacks. We should always be monitoring logs and events generated by our technology to find attackers across our enterprise. This might mean running a SOC (security operations center) or partnering with an MSSP (managed security service provider) to do the work for us. The attackers are looking to bypass the protections we have in place, so adding honeypots, or tempting targets that will sound the alarms, can be a good way to detect attackers early. Speaking of detection, we know not every protection will work. Determined attackers will find a way in. So we need detection technologies on the network, endpoint, and perhaps even in specific apps. Finally, to counter the objectives of our advisories, we have an incident response (IR) plan in place to deal with breaches.
As you can see, it’s not necessarily about adding more of one thing or the other. The wise CISO, will have a balanced approach: It’s about using what you have. Assembling the right team. Training people to work with each other and the technology you already have. And of course, strategically choosing new technology and security partners as needed. Happy hunting!