A Proactive Cybersecurity Paradigm

By Daniel DeCloss, CEO, PlexTrac, Inc.

Cybersecurity is hard, and attackers are relentless.  The job of protecting an organization from cyber threats can feel overwhelming and stressful.  The industry is short on talent and inundated with tools, vendors, and snake oil that further complicate the approach to building an effective security program.  Despite these challenges, the expectations placed on the security team are to deliver a mature product that protects the organization’s most critical assets.  So, what can a team do to ensure they provide the value the organization expects with the limited resources of time, budget, and talent?  This article cannot possibly claim to provide the complete answer to that question; however, we will discuss the paradigm shift needed with the most important piece of your security program – assessments.

We use the term assessment very purposefully.  A security assessment is truly any activity conducted to determine the efficacy of a security control.  Examples of assessments include penetration tests, vulnerability scans, risk assessments, compliance assessments, security questionnaires, etc.  All of these activities have the purpose of identifying gaps in security controls, and yet they are often disjointed activities spread across multiple departments.  Thus, the current assessment paradigm involves multiple assessments by multiple teams (internal or external) where security issues and gaps get identified and then handed over to engineers or analysts responsible for investigating and ultimately remediating the risk.  This is a perfectly logical approach, but too often it is highly ineffective.  The time it takes to conduct an assessment, deliver the findings, remediate the issues, and then reassess the issues can take months if not years.  Additionally, this is a reactive approach to cybersecurity.  In a world where threats and exploits change by the minute, we propose a better solution.  That solution is proactive engagements through effective purple teaming.

To break down the new assessment paradigm, it’s critical to classify all functions and roles within your organization as either red or blue, where the composite of your entire team is purple (red and blue mixed, for the artistically challenged like myself).  The red team is any team, person, or function that is proactively seeking gaps in the security posture.  The blue team is conversely the function responsible for fixing those gaps and attempting to prevent new techniques.  The old paradigm leaves little room for the blue team to be proactive on the prevention of new techniques, and it leaves the red team in a position where they often report the same issue time and time again with little challenge from new defensive measures.

Purple teaming, the new paradigm, reduces the mean time to remediation of security issues through centralized communication, effective collaboration, information sharing, and joint research.  Let’s dive into a thought exercise that highlights how this may actually occur within an enterprise security team.  First, everyone must understand their function and role.  The function is either red or blue, but the role is strictly purple: the common mission to prevent loss via a cyber-attack.

Second, there are no timelines with effective purple teaming.  Yes, there may be deadlines for compliance reporting or quarterly board reports, but attackers don’t have cycles or timelines, and thus neither should the purple team.  Proactive assessment is perpetual.

Third, red team activities must be targeted, specific, and focused.  Yes, there are times when a full scope penetration test is going to occur, but that must always occur via an external team contracted to do so.  The internal red team should always conduct exercises in small phases.  For example, the red team may decide to evaluate the organization’s capabilities for detecting or preventing certain attack techniques drawn from MITRE ATT&CK, such as the privilege escalation technique DLL Search Order Hijacking (https://attack.mitre.org/techniques/T1038/).  The ideal steps should be as follows:

  1. Establish the test cases needed for evaluation
  2. Communicate with the blue team the anticipated test cases and anticipated timeframe of the test
  3. Execute the test and observe results
  4. Communicate with the blue team on any findings and recommendations
  5. Store these results in a central repository where both teams can access, collaborate on, and track the ongoing progress in real time.

These steps should happen in a matter of a week at most; then the blue team can quickly evaluate the results, prioritize remediation steps, and quickly execute the fix for expedited risk reduction.
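As an added illustration of steps 1, 3 and 5 above (this is example code, not PlexTrac’s platform or anything from the original article), the script below defines a single T1038 test case, runs a blue-team detection rule over constructed Sysmon-style image-load events, and emits a structured result record that both teams could track in a shared repository. The test-case identifier, the watched DLL list and the events are all assumptions made up for the example.

```python
"""Purple-team test case evaluation for one MITRE ATT&CK technique (T1038,
DLL Search Order Hijacking).  Test case, rule and events are constructed."""
import json
from dataclasses import dataclass, asdict, field

# Step 1: the test case the red team announces to the blue team ahead of time.
TEST_CASE = {
    "id": "PT-T1038-01",  # constructed identifier for this example
    "technique": "T1038",
    "description": "Known system DLL loaded from a non-system directory",
    "expected": "image-load event flagged as suspicious",
}

# Directories a legitimately resolved system DLL should be loaded from.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Constructed watch list of DLL names the blue-team rule cares about.
WATCHED_DLLS = {"version.dll", "cryptbase.dll", "dwmapi.dll"}

def is_suspicious_load(event: dict) -> bool:
    """Blue-team detection rule: a watched DLL loaded from outside the system
    directories is inconsistent with normal search-order resolution."""
    loaded = event.get("ImageLoaded", "").lower()
    name = loaded.rsplit("\\", 1)[-1]
    if name not in WATCHED_DLLS:
        return False
    return not loaded.startswith(SYSTEM_DIRS)

@dataclass
class TestResult:  # Step 5: the record both teams share and track
    test_id: str
    technique: str
    detected: bool
    evidence: list = field(default_factory=list)
    status: str = "open"

def evaluate(test_case: dict, events: list) -> TestResult:
    """Step 3: run the rule over the observed events and record the outcome.
    A miss is recorded as a 'gap' so it lands on the blue team's backlog."""
    hits = [e for e in events if is_suspicious_load(e)]
    return TestResult(test_id=test_case["id"], technique=test_case["technique"],
                      detected=bool(hits), evidence=hits,
                      status="detected" if hits else "gap")

# Constructed Sysmon-style (Event ID 7) image-load events for the exercise.
EVENTS = [
    {"Image": "C:\\Program Files\\App\\app.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll"},
    {"Image": "C:\\Users\\alice\\Downloads\\app.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\version.dll"},
    {"Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\user32.dll"},
]

if __name__ == "__main__":
    print(json.dumps(asdict(evaluate(TEST_CASE, EVENTS)), indent=2))
```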

Another example might be a red team activity of evaluating a security control related to PCI compliance.  Let’s say the red team wants to ensure the Cardholder Data Environment (CDE) contains proper access logs related to all administrators who access the system.  The red team should execute steps 1-5 in a quick and iterative fashion, identifying the steps for evaluation and what evidence is needed, and then store those results in the same central repository or platform for collaboration and tracking.

Fourth, blue team activities must be focused and disciplined to concentrate 70-80% of their efforts on proactive remediation.  The current paradigm is to respond to alerts and events that come out of the SIEM or other alerting mechanism.  The team then investigates, plugs the hole if it exists, and writes an analysis report.  This is a very reactive paradigm and can turn into a never-ending cycle of reactive remediation.  Instead, the optimal approach is to split your blue team into proactive and reactive members, where the proactive members are the majority.  These team members should be working closely with the red team to identify key gaps in the current security posture, and then researching additional mechanisms for remediation and any potential future threats that may result.  The reactive blue team members should be working on responding to alerts and remediating the assessment findings.

For example, if the red team is testing privilege escalation techniques, the proactive blue team should identify what controls the organization has in place today and also research all possible techniques that might get used by the red team.  They can then proactively implement the fixes independent of the red team’s testing.  The reactive blue team members, meanwhile, should be monitoring logs and events in an attempt to identify the red team activities.  This approach ensures that the organization is focusing on all aspects of the attack lifecycle, from prevention to detection and response.

Finally, the most important piece to highlight in this paradigm shift is that assessments must move from single points in time to quick iterations and small but effective evaluations throughout the year.  This ensures that at any point throughout the year, the purple team can take a snapshot of their current security posture to communicate to stakeholders.  There is no more need to provide a document from six, nine, twelve, or even eighteen months ago, but rather a real-time look at the progress being made today.  Implementing such a shift efficiently requires constant collaboration and tracking of the assessments on a daily basis.

In conclusion, the shift to a proactive cybersecurity program can be accomplished through the building of an effective purple team.  This can start with simple mindset shifts about the functions of each member of the team, regardless of skillset.  This paradigm shift is necessary and vital to truly moving the needle in your cybersecurity maturity.

About the Author

Dan DeCloss is the Founder and CEO of PlexTrac and has over 15 years of experience in Cybersecurity. Dan started his career in the Department of Defense and then moved on to consulting where he worked for various companies including serving as a Principal Consultant for Veracode on the penetration testing team. Dan’s background is in application security and penetration testing, involving hacking networks, websites, and mobile applications for clients. He has also served as a Principal Security Engineer for the Mayo Clinic and a Sr. Security Advisor for Anthem. Prior to PlexTrac, Dan was the Director of Cybersecurity for Scentsy where he and his team built the security program out of its infancy into a best-in-class program.

Dan has a master’s degree in Computer Science from the Naval Postgraduate School with an emphasis in Information Security. Additionally, Dan holds the OSCP and CISSP certifications. Dan has a passion for helping everyone understand cybersecurity at a practical level, ensuring that there is a good understanding of how to reduce their overall risk.

Dan can be reached on LinkedIn at https://www.linkedin.com/in/ddecloss/, on Twitter at @wh33lhouse, and at our company website https://plextrac.com/