The second quarter of 2021 saw record-high volumes of global ransomware attacks. Ransomware volume reached 188.9 million in quarter two, an increase of more than 60 percent over the first-quarter figure of 115.8 million, and the combined count for the first half of the year was 151 percent higher than the same period a year earlier. On the first-half numbers alone, before any attacks from the second half are counted, 2021 is already shaping up to be the worst year on record for ransomware.
This has led the FBI to investigate some 100 ransomware variants, which it regards as tools of terrorism. “The scale of this problem is one that I think the country has to come to terms with,” says FBI Director Christopher Wray, who also notes the importance of focusing on disruption and prevention. The problem has reached such a level that the FBI is calling for shared responsibility between government agencies and the private sector.
To address the rising threat, organizations need to be better prepared. One way to build that preparedness is purple teaming, including the purple-team simulation modules now offered in security validation platforms.
Purple teaming
Purple teaming has been getting a lot of attention recently. Back in June, Microsoft Product Marketing Manager Natalia Godyla featured Hacker House CEO Matthew Hickey in a Voice of the Community blog series post to discuss how purple teams help organizations embrace hacker culture to improve their security posture.
Here are some key points from the discussion:
- Purple teaming bridges red (attack) and blue (defense) teams by enabling collaboration and removing the drawbacks of the siloing that happens when the two teams work separately, oblivious to each other's actions. “It can remove a lot of competitiveness from security testing processes,” Hickey says.
- Bringing the red and blue teams into even partial collaboration yields faster testing cycles and lower cost. The two teams do not necessarily merge into one; they share the insights each needs to improve its own approach, with enough transparency between them that both learn from each other.
- “Purple teams are used to provide a level of assurance that what you’ve built is resilient enough to withstand modern network threats by increasing the visibility and insights shared among typically siloed teams,” Hickey explains.
- Moreover, Hickey says that “once you understand the workflow of what your attacker is doing, you get better at knowing which systems will need host intrusion, enhanced monitoring, and the reasons why.” A good grasp of hacker culture is an asset to defenders: attackers are the ones with the most concrete understanding of the risks an organization faces, so they can point to the problems an organization should focus on first.
- Hickey acknowledges that it can be hard to ensure employees have the right training and the right tooling for the job. Purpose-built tools, such as the purple-team simulation modules in security platforms, help here.
Purple teaming is fundamentally about collaboration and the sharing of insights between red and blue teams. In recent years, however, security firms have built tools that automate the simulation of attacks. Purple-team modules are offered in continuous security validation platforms to persistently test the efficacy of security controls against known attack techniques. One caveat a practitioner should keep in mind: such modules replay known behaviours, so they cannot verify defenses against a genuinely unknown zero-day exploit, only against the post-exploitation techniques that zero-day intrusions tend to share with known attacks.
Purple power vs ransomware
A video presentation hosted by CREST offers a good explanation of how purple teaming helps defend against ransomware. CREST is an internationally recognized accrediting and certifying body for organizations and professionals that provide cyber incident response, penetration testing, security operations center (SOC), and cyber threat intelligence services.
The presentation expounds on the idea of using purple teaming to prepare organizations against ransomware threats. Notably, it lauds MITRE ATT&CK as a useful tool in security assessment, but this globally accessible, free framework alone is not enough to achieve the best outcomes.
According to the presentation, ATT&CK is a catalogue of observed adversary behaviour rather than a test plan: it does not capture every technique, not every technique it lists applies to a given organization's environment, and some techniques apply only to particular organizations. The catalogue therefore has to be scoped to the organization, and this is where purple teaming comes into play.
Purple teaming first narrows the catalogue to tests that are broad but relevant to the organization, then translates those tests into concrete scenarios. In other words, it maps common TTPs into actionable testing.
Once the relevant tests are identified, purple teaming also has a process for validating detections. It guides the running of common attack scenarios, builds a better understanding of the logging configuration (whether the telemetry a detection needs is actually being collected), and distinguishes what has been detected from what is detectable with the data already available.
Moreover, purple teaming calls for a systematic record of findings. The outcomes of the red and blue teams are viewed side by side, showing what the red team managed to achieve and which gaps the blue team needs to close, so the organization can see what else must be done to improve its security posture.
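As an added illustration of the three steps above (scoping ATT&CK to relevant tests, validating detections, and recording red and blue outcomes side by side), the following Python script keeps a small purple-team ledger. It is example code written for this page, not code from the CREST presentation or from any vendor's purple-team module. A constructed test plan maps ransomware-relevant ATT&CK techniques to command-line variants the red team runs, constructed stand-in regex rules play the part of the blue team's SIEM, and each result is recorded with both sides' outcomes so that a variant that executed without any rule firing shows up as a gap. The technique IDs are real ATT&CK identifiers; the commands, rules, host name, user name and the encoded-command string are assumptions made for the example.

```python
"""Minimal purple-team exercise ledger: ATT&CK techniques mapped to
concrete tests, detection rules run over the resulting telemetry, and
red/blue outcomes recorded side by side so that gaps are explicit.
Example code for this page; all commands, rules and telemetry are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Test:
    technique: str   # ATT&CK technique ID (real identifiers)
    name: str        # ATT&CK technique name
    command: str     # command line the red team runs (constructed)


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str
    pattern: re.Pattern


# Constructed test plan: ransomware-relevant techniques with one or more
# command-line variants each. A real plan is derived from threat intel on
# the ransomware families the organization actually faces.
TEST_PLAN = [
    Test("T1490", "Inhibit System Recovery", "vssadmin.exe delete shadows /all /quiet"),
    Test("T1490", "Inhibit System Recovery", "wmic.exe shadowcopy delete"),
    Test("T1490", "Inhibit System Recovery", "bcdedit.exe /set {default} recoveryenabled No"),
    Test("T1562.001", "Impair Defenses: Disable or Modify Tools",
         'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    Test("T1059.001", "Command and Scripting Interpreter: PowerShell",
         "powershell.exe -NoProfile -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
]

# Constructed stand-ins for the blue team's SIEM/EDR rules. They are
# deliberately incomplete so that the exercise surfaces a gap.
RULES = [
    Rule("Shadow copy deletion via vssadmin", "T1490",
         re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    Rule("Shadow copy deletion via wmic", "T1490",
         re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    Rule("Defender real-time monitoring disabled", "T1562.001",
         re.compile(r"Set-MpPreference.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    Rule("Encoded PowerShell command", "T1059.001",
         re.compile(r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\s", re.I)),
]


def red_execute(test: Test) -> dict:
    """Red side: simulate running the test and the endpoint agent logging a
    process-creation event. The record is constructed telemetry."""
    return {"host": "WS01", "user": "alice", "command_line": test.command}


def detect(command_line: str, rules=RULES) -> list[str]:
    """Blue side: names of the rules that fire on one process-creation event."""
    return [r.name for r in rules if r.pattern.search(command_line)]


def run_exercise(plan=TEST_PLAN, rules=RULES) -> list[dict]:
    """Run every test and record the red and blue outcomes side by side."""
    ledger = []
    for test in plan:
        event = red_execute(test)
        fired = detect(event["command_line"], rules)
        ledger.append({
            "technique": test.technique,
            "name": test.name,
            "command": test.command,
            "executed": True,           # red: the command ran on the host
            "detected": bool(fired),    # blue: at least one rule fired
            "rules": fired,
        })
    return ledger


def coverage_by_technique(ledger: list[dict]) -> dict[str, tuple[int, int]]:
    """(detected variants, tested variants) per ATT&CK technique."""
    hits, totals = defaultdict(int), defaultdict(int)
    for row in ledger:
        totals[row["technique"]] += 1
        hits[row["technique"]] += int(row["detected"])
    return {t: (hits[t], totals[t]) for t in totals}


def gaps(ledger: list[dict]) -> list[dict]:
    """Tests the red team executed that no blue-team rule caught."""
    return [row for row in ledger if row["executed"] and not row["detected"]]


if __name__ == "__main__":
    ledger = run_exercise()
    for row in ledger:
        mark = "DETECTED" if row["detected"] else "GAP"
        print(f"{row['technique']:<10} {mark:<9} {row['command']}")
    for technique, (hit, total) in coverage_by_technique(ledger).items():
        print(f"{technique}: {hit}/{total} variants detected")
```

Running the script prints one ledger row per test and a per-technique coverage count. With the rules as written, the bcdedit variant of T1490 runs without any rule firing, which is exactly the kind of "detectable but not detected" gap the side-by-side view is meant to surface: the process-creation telemetry is there, but no rule consumes it. Swapping the constructed rules for exports from the real SIEM turns the ledger into a living record of detection coverage.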
Purple-team modules in security testing platforms usually also include a monitoring view that keeps security staff current on the threats they need to watch for and records, for each technique, tactic and attack phase exercised, how the existing security controls responded. That record is what reveals the different ways ransomware could get into devices, systems, or networks.
Ultimately, purple teaming "uplifts" detection and prevention capabilities. With the data gathered, organizations can devise better means of identifying sophisticated ransomware attacks and put in place the strategies needed to stop malware in its tracks, or at least keep an intrusion from escalating into a worse problem.
The presentation goes on to summarize how purple teaming enables a thorough security gap analysis by emphasizing the following points:
- Understanding of not only the weaknesses but also the strengths
- Highlighting of requirements for resource allocation considerations
- (For the purple teaming modules in cybersecurity testing platforms) Providing a visually impactful way of presenting ransomware threats to stakeholders and decision-makers
In summary
The idea of purple teaming is relatively new, but many organizations are already integrating it into their security programs. The benefits are clear, especially when it is combined with other solutions designed to verify the efficacy of security controls. It enables better-informed responses to threats and a defense that is more capable of detecting ransomware attacks and limiting their impact.
Purple teaming provides a substantial boost to security preparations against ransomware and other cyber threats. It not only checks that an organization's security controls are effective; it also shows how to fix or improve existing defenses in step with the severity and criminal ingenuity of present-day attacks.