Three Steps to Use Threat Intelligence, Red Team, and Blue Team Collaboration to Improve Security
For many medium and large organizations, a penetration test that results in a “data breach” is going to lead to numerous findings that take months and sometimes years to remediate.
In that timeframe, after operating systems are upgraded across non-production and production, Windows event forwarding is properly aggregated, and security analytics are appropriately applied, red teams, sometimes being fed by the cyber threat intelligence team, may need to repeat the attack (with some modifications) they did in the beginning over 1,000 times to ensure the appropriate alerting takes place.
Even after operating systems are upgraded across non-production and production, Windows event forwarding is properly aggregated, and security analytics are appropriately applied, red teams may need to repeat the original attack over a hundred times to ensure the appropriate detections are created and alerting takes place.
This is simply not scalable with the number of attack scenarios that are coming out each week. Instead, conduct the following steps for constant collaboration between red, blue, and cyber threat intelligence teams:
- Automate certain red teaming techniques to ensure numerous attacks can be replayed across numerous compromise scenarios with the blue team.
- Simultaneously, integrate “active in the wild” attack scenarios from the cyber threat intelligence team. How these scenarios apply in the enterprise environment in close coordination with the blue team (security operations, hunt team, MSSP, incident response) is a critical real difference maker especially when performed at scale.
- Implement the appropriate blue team response processes (eg. time to detect, time to respond, logging at scale to reduce visibility, etc) and decision matrix.
To take preparation a step further, the cyber threat intelligence team can observe advanced attackers testing attacks against other institutions. Sharing this information in a timely manner across the security team can enable a mature security team to be ready to act and possibly attribute the activity for law enforcement, when appropriate.
Check out Scythe CTO Jorge Orchilles’ use case of this occurring in his previous life at a major financial institution.