Threat-Informed Defense: The Evolution of Red Teaming in Cybersecurity
Blog Article Published: 05/31/2023
Originally published by Coalfire.
Written by Mark Carney, Executive Vice President, Coalfire.
Continuous adaptation of defensive strategies is needed to mitigate, detect, and respond to modern threats. Ensuring that investments achieve the required level of agility should be a primary objective of any company’s offensive security efforts. While technology-centric vulnerability assessments and semi-annual point-in-time penetration tests are often the centerpiece of offensive security programs and offer important outcomes of an offensive security capability:
- Validate performance of security controls
- Identify previously unknown vulnerabilities within an environment
However, their ability to inform and support defense strategies is hindered by two things: their cadence, and their inability to demonstrate how testing and associated output impacts the organization's mission.
Offensive security that defines defensive priorities and establishes urgency requires an adversarial perspective, engaging in a continuous and collaborative process focused on validating and improving the organization's ability to defend against real-world threats. These efforts prioritize testing probable scenarios over spending time demonstrating the possible.
What are the different security testing approaches?
The industry has established a set of core categories of security testing that address an array of tactics from multiple angles. Among these are three approaches to cover in more detail: penetration testing (or pen testing), red team testing, and adversary emulation. But first, let’s review the overall concept of vulnerability management, which is the precursor to any methodology.
Vulnerability management involves identifying, prioritizing, and mitigating vulnerabilities in an organization's systems, applications, and networks. It quickly assesses a company’s overall risk posture, validates the effectiveness of patch and configuration management activities, and addresses compliance requirements. This approach can be hampered by an overreliance on tools and their output as a means of directing security activities. This often leads to well-intentioned security teams placing pressure on system administrators and application developers to fix long lists of vulnerabilities. These actions are rarely achievable, nor are they the best use of company resources.
Prioritization is common in vulnerability management programs, which typically use asset value, network placement, and Common Vulnerability Scoring System (CVSS) scoring. The relevance of these activities can be strengthened by adding threat intelligence and an adversarial perspective to assess and perform additional testing to illuminate impact. The Cybersecurity and Infrastructure Security Agency (CISA) also maintains a catalog of known exploited vulnerabilities (currently over 850). Enhancing prioritization with tools like this establishes further relevance and drives timely remediation efforts.
Detailed approaches to security testing
Pen testing identifies and validates a wide range of vulnerabilities. It also evaluates the effectiveness of security controls and addresses compliance obligations. A typical example includes assessing the security of web applications, mobile applications, and APIs to identify vulnerabilities such as injection attacks, cross-site scripting (XSS), and other standard security issues. These tests are performed at the end of a development cycle as a final assessment of an application's production readiness. It ensures there are no serious flaws within the application itself, but can also indicate the effectiveness of upstream application security practices. While this is a valuable approach for specific use cases, there are limitations. Application pen testing focus is usually limited to vector(s), and the results represent a point-in-time evaluation of the security posture. This narrow focus and the cadence typically associated with penetration testing makes it difficult to maintain relevance to a changing threat landscape that would inform defenses.
Red team exercises provide a more comprehensive assessment of an organization's people, processes, and technology (PPTs), while pen testing assesses the security of a specific system, network, or application. Red team engagements identify systemic weaknesses in security controls, policies, and processes and evaluate security operations' ability to detect and respond to attacks. Highly skilled testers approach an attack from an adversary's perspective, a key ingredient to achieving offensive security with the credibility to prioritize and support defensive capability. Use cases include assessing organizational response and processes and evaluating technology. It’s also used for capability development, such as creating analytics or the additional data sources required. When executed collaboratively with the defensive capability (blue team), this approach makes real-time improvements in an organization's ability to mitigate, detect, and respond to threats.
While vulnerability assessments such as penetration testing and red teaming add value and are well-suited for specific use cases, they do not necessarily represent the actual threats an organization might face. Enter adversary emulation–an intelligence-driven discipline used to research, model, and execute cyber adversary tactics, techniques, and procedures (TTPs) to assess and improve cybersecurity.
What is adversary emulation?
The central attribute of adversary emulation is a disciplined approach that mimics known adversary behaviors supported by cyber threat intelligence reports. These tests can be executed to simulate an entire attack path of an adversary, or micro-emulations can be leveraged to test a single TTP. Since all TTPs and mitigation requirements are known, there is more robust transparency and collaboration without a winner-takes-all mentality. Stakeholders share the same objectives and focus. This holistic offensive security strategy improves or validates an organization's ability to mitigate, detect, and collaboratively and continuously respond to known real-world TTPs of relevant threat actors — an integrated and central component of modern defense.
How does adversary emulation support a threat-informed defense?
Business and security leaders want to understand if their cybersecurity investments in people, processes, and technology can mitigate, detect, and respond to a cyber threat. Vulnerability assessments like penetration testing and red teaming only offer partial answers. While each is an effective approach for specific use cases, to achieve the greatest value, the emulation of known threats must be a part of any holistic offensive security program. Without this context, there can be a disconnect between how companies prepare for an attack and actual attacker behaviors.
Right now, cybersecurity analysts and penetration testing positions are the roles with the greatest shortfall in hiring numbers. This means that every log or alert reviewed and test performed must explicitly improve an organization's ability to mitigate, detect, and respond to the known techniques used by the most likely threat actors. Offensive security efforts should always align with the right desired outcome to guarantee the effective use of these finite resources. Adversary emulation provides the best value in informing a security program.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.