BLOG

Three Steps to Use Threat Intelligence, Red Team, and Blue Team Collaboration to Improve Security

by | Sep 15, 2020 | Blog, Outside Intel

For many medium and large organizations, a penetration test that results in a “data breach” is going to lead to numerous findings that take months and sometimes years to remediate.

In that timeframe, once operating systems have been upgraded across non-production and production, Windows event forwarding is properly aggregated, and security analytics are appropriately applied, red teams (sometimes fed by the cyber threat intelligence team) may need to repeat the attack they ran at the outset, with some modifications, over 1,000 times to ensure the appropriate alerting takes place.

Even after operating systems are upgraded across non-production and production, Windows event forwarding is properly aggregated, and security analytics are appropriately applied, red teams may need to repeat the original attack over a hundred times to ensure the appropriate detections are created and alerting takes place.

This is simply not scalable given the number of new attack scenarios that appear each week. Instead, follow these steps to establish constant collaboration between the red, blue, and cyber threat intelligence teams:

  1. Automate certain red teaming techniques to ensure numerous attacks can be replayed across numerous compromise scenarios with the blue team.
  2. Simultaneously, integrate “active in the wild” attack scenarios from the cyber threat intelligence team. Working out how those scenarios apply in the enterprise environment, in close coordination with the blue team (security operations, hunt team, MSSP, incident response), is the real difference maker, especially when performed at scale.
  3. Implement the appropriate blue team response processes (e.g. time to detect, time to respond, logging at scale to reduce visibility gaps, etc.) and decision matrix.
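Steps 1 and 3 only pay off if every replayed attack is scored against what the blue team actually saw. The helper below is an added example, not SCYTHE's code or anything from the original post: it assumes the emulation tooling tags each replayed technique with a `run_id` that the SOC's alert feed carries through, and joins the two to produce time-to-detect, time-to-respond and coverage figures per replay.

```python
# Added example (hypothetical helper, not SCYTHE's code): join replayed emulation
# runs with the SOC alert feed on a shared run_id and compute the step-3 metrics
# (time to detect, time to respond, coverage, missed techniques) per replay.
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional

@dataclass
class Run:
    run_id: str
    technique: str        # ATT&CK id of the replayed technique
    executed: datetime

@dataclass
class Alert:
    run_id: str           # correlation id the emulation tooling tagged the activity with
    detected: datetime
    responded: Optional[datetime] = None   # None: no response action taken yet

def score_runs(runs, alerts):
    """Return (per-run rows, summary); a run with no matching alert counts as missed."""
    by_run = {a.run_id: a for a in alerts}
    rows = []
    for r in runs:
        a = by_run.get(r.run_id)
        ttd = (a.detected - r.executed).total_seconds() if a else None
        ttr = (a.responded - a.detected).total_seconds() if a and a.responded else None
        rows.append({"run_id": r.run_id, "technique": r.technique,
                     "detected": a is not None, "ttd_s": ttd, "ttr_s": ttr})
    hits = [x for x in rows if x["detected"]]
    summary = {
        "runs": len(rows), "detected": len(hits),
        "coverage": len(hits) / len(rows) if rows else 0.0,
        "median_ttd_s": median(x["ttd_s"] for x in hits) if hits else None,
        "missed_techniques": sorted({x["technique"] for x in rows if not x["detected"]}),
    }
    return rows, summary

# Constructed sample data: three replays; two raised an alert, one was responded to.
SAMPLE_RUNS = [
    Run("r1", "T1003", datetime(2020, 9, 15, 10, 0, 0)),
    Run("r2", "T1059", datetime(2020, 9, 15, 10, 5, 0)),
    Run("r3", "T1021", datetime(2020, 9, 15, 10, 10, 0)),
]
SAMPLE_ALERTS = [
    Alert("r1", datetime(2020, 9, 15, 10, 2, 30), datetime(2020, 9, 15, 10, 20, 30)),
    Alert("r2", datetime(2020, 9, 15, 10, 5, 0)),
]
```

Feeding each night's replay output through `score_runs` turns "did the alert fire?" into a trend: a technique that stays in `missed_techniques` after a logging change is a detection gap, and a rising `median_ttd_s` is a pipeline problem, not a red team one.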

To take preparation a step further, the cyber threat intelligence team can observe advanced attackers testing attacks against other institutions. Sharing this information in a timely manner across the security team can enable a mature security team to be ready to act and possibly attribute the activity for law enforcement, when appropriate.

Check out Scythe CTO Jorge Orchilles’ use case of this occurring in his previous life at a major financial institution.
