Practitioner Blog

Webinar Recap: Injecting Attackers to Build Immunity

Zero Trust isn’t just about preventing a compromise: It’s also about protecting your data after attackers break through the walls. Recently, Crossbeam and Symmetry Systems partnered with Praetorian to run a purple team exercise to uncover how security teams can best defend their cloud assets post-compromise. 

This simulation’s complete results and analysis are explored in Injecting Attackers to Build Immunity: How to Use Red Teams to Test Your Cloud Data Security. In this webinar, cybersecurity experts Chris Castaldo (CISO at Crossbeam), Mohit Tiwari (Co-Founder and CEO Symmetry Systems), and Richard Ford (CTO at Praetorian) unpack the value of purple team exercises, outline tactics for surfacing hidden vulnerabilities, and explain how security teams can achieve a Zero Trust posture in their cloud environments.

While the full webinar can be viewed on-demand here, this article will also review some of the panel key insights.

font-family: 'Jost', sans-serif;

Click here to get on-demand access to the entire webinar with our expert panel right now.

How to Leverage Purple Team Exercises

The Value of Purple Team Exercises

Like a penetration test, a purple team exercise puts an organization through a simulated cyber attack to understand the effectiveness of that organization’s security architecture. What’s different about a purple team exercise is that it uses both an attacking team, a “red team,” and a defending team, a “blue team.” While these exercises are more complex and resource-intensive than standard pen testing, they allow cybersecurity teams to learn more about their current approach and its deficiencies. 

Ford, who ran the red team, explains, “Purple team exercises like this are much more detailed, in-depth assessments. For some of the SOC or red team exercises, the goal is for the defender to survive so they can tick that box. The goal here was very different. It genuinely explored questions like how does this system work? What assumptions were made and did they work? Where can we see the attacker? Why can't we see the attacker?”

The comprehensiveness of purple team exercises means they offer incredible value to the businesses that run them. Castaldo, whose cloud environment was under attack in the simulation, believes it’s ten times ROI: “Purple team exercises are a win-win. It's a ten ‘X’ value for the investment because you get so much more out of it: you get confidence in your system; you get confidence in your partners like Symmetry Systems; and you get confidence in what your team has built. When it comes to processes and tooling, it's hard to put a price tag on that type of stuff.”

When to Run Purple Team Exercise

On the point of frequency, Castaldo offered a measured recommendation, “In a startup, probably every couple years they need to do something like this. However, I’d say the caveat would be a big change. If you switch to a new EDR provider, introduce a new tool like Symmetry Systems, or do something significant in your security stack that would warrant this type of test.” In other words, our experts believe that purple team exercises should be both regularly scheduled and performed whenever a business is undergoing a significant change — especially alterations in the security architecture.   

In fact, our panel recommended that cyber security teams begin looking at purple team exercises as a replacement for their standard yearly pen test. As Castaldo explains, “If you tailor the scope of the engagement correctly, you could replace your annual pen test with this type of engagement. You just need to include the right things: whatever it is that your company builds or produces, whatever is in scope for your annual SOC 2, your compliance requirements, contractual requirements, etc. If you play it right, you could do a one for one swap there.”

How to Find Potential Vulnerabilities in Your Cloud Environment

When it comes to surfacing vulnerabilities, Ford strongly recommends adopting the practice of continuous scanning: “It's not periodic, and you need to make the period shorter and shorter because the time to attack is almost zero. If it's vulnerable, somebody will be on it before you know it. So I literally do mean continuous. I don't think you can be periodic.”

Ford continues, explaining why he is such an advocate for constant diligence:  “It’s very, very rare that we'll do an attack surface management engagement that a customer doesn't at some point say, ‘Oh, my God! My “blah” interface is open to the internet! What's that doing there?’ And we say, ‘Well, it's probably getting exploited.” 

According to Ford, this happens particularly often in cloud environments because of its ease of use. “One of the benefits of the cloud is that any developer can try anything at any time. One of the problems with the cloud is that any developer can try anything at any time. How many times have we seen somebody spin up a test system and forget that it's in the cluster and not properly secured? Then the attacker nails it within 20 minutes of it being up on the internet, and now they're in your cloud. It's something like 30% of your assets you don't know about.”

Click here to get on-demand access to the entire webinar with our expert panel right now.

How to Ensure Zero Trust in Your Cloud Environment

For our experts, everything starts with the data. Castaldo explains, “If you're charged with building out the cybersecurity program, where do you start? What's the advantage you have over the attacker? It's knowing where your data is. So start at the data store, where you know an attacker will go. What's valuable in your environment? Do you have health data, PCI data, etc.? Start there and work your way out. That’s why we're using Symmetry Systems.”

Tiwari, who ran the blue team, took precisely that approach during the purple team exercise: “The whole model was, let's figure out this graph of data objects and identities. There are many paths to it. Some are machine roles and paths, and some are just DBA database administrators logging in to fix performance issues. So we built a model of what the organization looks like at a permissions level, which is static visibility, and then when it actually runs the graph is running too.”

From there, Tiwari recommends building out a deep understanding of the trends across those flows to inform policy: “So you want to build firewall rules on top of this graph. Some parts of the system are well defined:  Things should always happen and there's a clear-cut data flow for all these service roles…. And then things you are watching to build a statistical envelope around. For example, data flows that should not spike like crazy or data flows that always happen just like backups that at some point stop happening. So we had built this portfolio of policies that we are already watching for and then a statistical envelope of behaviors on this graph.”

According to Ford, this approach is essential for organizations to achieve a secure cloud infrastructure: “If you combine managing your attack surface in real-time… and focusing on ‘where is your data?’ and ‘what is it doing?’ — I think you could have a fighting chance against the attackers.” 

Listen to the Full Webinar

While we covered some of the webinar’s highlights in this post, the full webinar contains a much more in-depth discussion of how purple team exercises can help security teams uncover hidden vulnerabilities and how they can use a data-centric approach to achieve Zero Trust in the cloud. To view the full video on-demand, click here.  

Also, if you want to hear more from our panel experts, check out Castaldo’s recent appearance on the Confident Defense podcast.

No Comments Yet

Let us know what you think