Traditionally, cybersecurity is split into two distinct teams: a reactive Blue team (Digital Forensics and Incident Response, monitoring and threat hunting) and a proactive Red team (penetration testing and vulnerability scanning).  However, to achieve complete, all-round security of your environment these teams must merge into one PURPLE team.  Not only must the teams merge, the skills must also cross over.

In a series of posts, I will look at the advantages of merging DFIR and penetration testing, and the benefits that brings both to those employed in those fields and to the clients receiving their services.  In this post, I look at combining the two services into a complete testing package.

Testing (automated vulnerability scanning or penetration testing) is something that many organisations either overlook or complete only as a means of satisfying an audit or compliance programme, with little thought given to the type of testing or to the results found.  Many of 3B Data Security’s clients have no formal process for remediating vulnerabilities according to their risk level and then retesting, and no approach to identifying and addressing the common, often well-publicised attack trends.

Digital Forensics and Incident Response (DFIR), on the other hand, is something most organisations only consider once an incident has occurred.  Whilst many may have a plan to respond to an incident, little of that plan is dedicated to DFIR: the capability to identify when an incident took place, how and why, its impact, and the potential data loss.  In essence, the evidence of the information security incident.

Now is the time to adopt a new approach to security: dispense with the separate Blue and Red approaches and combine the skills into a Purple defensive strategy.  Modern attacks often leave few IOCs, either through the use of fileless malware or by abusing services legitimately used within the network, and so hide in plain sight.  As a result, many victims of cybercrime do not know that their environment is under attack or that data has been compromised.  Many of the clients who contact 3B Data Security have the luxury of third-party monitoring for compromise, delivered by the Payment Card Industry identifying the source of card data breaches.  Those who operate outside of this are not so lucky: a breach of customer or employee personal data can go undetected for months or years, or never be identified at all.  This lack of intrusion detection leaves a DFIR analyst with very little to go on when trying to provide answers and help contain the data loss.  In this scenario, adopting an outside-in approach to the investigation, identifying the vulnerabilities and attack surfaces that could have been exploited, can save hours of analysis time searching the logs for a “needle in a haystack” that may not even be present.  That not only expedites containment but also closes off other potential avenues of attack in a vulnerable environment.

But this joined-up approach is not limited to reacting to a breach.  In many DFIR cases, traces of the attacker were never recorded because the environment was not keeping the right logs, the logs were configured such that they did not capture useful information, or logging was absent altogether.  These errors are too late to fix after the event, but they are critical elements of security that could have been identified had they been considered during security testing of the environment.  If you are one of the few who regularly security-test your environment, ask yourself “Did we capture that testing in our logs?”  If you cannot see evidence of a vulnerability scan or penetration test, there is no hope of identifying, tracking, and remediating a real attack when it happens.

The next time you run a vulnerability scan or penetration test, consider asking a DFIR professional to search for traces of the test.  Can you see when the scan or test took place, where it originated, what it was attacking, and whether any exploit succeeded or data was lost?  Testing is not just about obtaining a clean bill of health or finding vulnerabilities to remediate.  It is also a useful opportunity to test your environment’s ability to identify and record an intrusion.
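One way to carry out the check described above, and to expose the logging gaps the previous paragraph warns about, is to parse the access logs from the test window and report, per source address, when the traffic started and stopped, how many distinct paths were probed, how many requests failed, and which probes got a success response.  The script below is an example added here, not 3B Data Security’s own tooling.  The combined log format, the list of scanner User-Agent substrings, the flagging thresholds and the sample log lines are all assumptions constructed for the example.

```python
"""Summarise web-server access logs to answer: when did the test happen,
where did it come from, what was it attacking, and did anything succeed.
Example added for illustration; the log format, scanner User-Agent list,
thresholds and sample lines below are assumptions, not the page's own."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format (assumed for the sample below).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Substrings often found in scanner User-Agent headers (illustrative list).
SCANNER_UA = ("nikto", "nmap", "sqlmap", "nessus", "zgrab", "masscan")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def summarise(lines, min_paths=5, max_window_s=60):
    """Group requests by source IP and keep only scan-like sources.

    A source is flagged when it hits at least `min_paths` distinct paths
    within `max_window_s` seconds, or when its User-Agent names a known
    scanner.  The returned dict answers when / from where / what / what
    succeeded for each flagged source."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        paths = {r["path"] for r in recs}
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        ua_hit = any(s in r["ua"].lower() for r in recs for s in SCANNER_UA)
        burst = len(paths) >= min_paths and span <= max_window_s
        if not (ua_hit or burst):
            continue
        report[ip] = {
            "first_seen": recs[0]["ts"].isoformat(),
            "last_seen": recs[-1]["ts"].isoformat(),
            "requests": len(recs),
            "distinct_paths": len(paths),
            "errors_4xx": sum(1 for r in recs if 400 <= r["status"] < 500),
            # 2xx answers to probe paths are the ones to chase: did it land?
            "succeeded": sorted(r["path"] for r in recs if 200 <= r["status"] < 300),
            "scanner_ua": ua_hit,
        }
    return report


# Constructed sample: a scanner at 203.0.113.10 alongside ordinary traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Mar/2024:10:15:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Nikto/2.1.6)"',
    '203.0.113.10 - - [12/Mar/2024:10:15:02 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Nikto/2.1.6)"',
    '203.0.113.10 - - [12/Mar/2024:10:15:02 +0000] "GET /.git/config HTTP/1.1" 200 98 "-" "Mozilla/5.0 (Nikto/2.1.6)"',
    '203.0.113.10 - - [12/Mar/2024:10:15:03 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Nikto/2.1.6)"',
    '203.0.113.10 - - [12/Mar/2024:10:15:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Nikto/2.1.6)"',
    '198.51.100.7 - - [12/Mar/2024:10:16:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '198.51.100.7 - - [12/Mar/2024:10:16:41 +0000] "GET /style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 10.0)"',
]

if __name__ == "__main__":
    for ip, facts in summarise(SAMPLE_LOG).items():
        print(ip, facts)
```

Run it against your own access log for the hours the tester was active.  If the scanner’s source address and probe paths do not appear, the gap is in your logging, not in the test, and that is exactly the finding worth raising before a real intruder benefits from it.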

The techniques used by vulnerability scans and penetration tests are largely the same as those used by attackers.  If you can’t see your own scans, you are blind to an attack.

"To successfully combat cybercrime, Blue and Red teams must join forces."

If you would like any advice on achieving complete security for your environment or have any other information security requirements, please contact 3B Data Security.