More than one-third of security professionals’ defensive blue teams fail to catch offensive red teams.

Edward Gately, Senior News Editor

August 15, 2019


Last week’s Black Hat USA 2019 conference in Las Vegas drew record attendance and highlighted the latest hot topics in the fight against cybercriminals.

Among the topics explored were the need for security teams to include software developers and others in their efforts to thwart malicious hacking, and how organizational structure and decision processes will directly impact whether organizations fall victim to cybercriminals.

In addition, attendees also learned the vast majority of organizations haven’t adopted multifactor authentication, as weak or stolen user credentials are hackers’ weapon of choice, used in 95% of all web application attacks.

And with thousands of cybersecurity professionals on hand, what better time for a survey? Exabeam polled 276 IT security professionals and found out that more than one-third of security professionals’ defensive blue teams fail to catch offensive red teams. Some 68% find red team exercises more effective than blue team testing, and more companies are practicing red over blue team testing.

Red teams consist of internal or hired external security professionals that emulate cybercriminals’ behaviors and tactics, and gauge the effectiveness of the company’s current security technologies. Blue teams consist of the organization’s internal security personnel, tasked with stopping the simulated attacks. In these test scenarios, the blue team must react without preparation, to give the company the most realistic picture of its defensive capabilities.


Exabeam’s Stephen Moore

Stephen Moore, Exabeam’s chief security strategist, tells us with 74% of respondents stating that their companies have increased investment in security infrastructure because of red/blue team testing results, MSSPs and other cybersecurity providers should consider asking prospects if they have performed these exercises early in the requirements gathering process.

“For many organizations, the MSSP is the only defender, the blue team,” he said. “The MSSP should take the lead and drive a minimum of two exercises a year, one collaborative purple team exercise and one that’s red only. Failures in the collaborative activity must drive visibility, analytic, context and procedural changes.”

Learning where the gaps in their security programs lie can help the providers better customize their solution and services packages to their needs, Moore said.

“This will not only ensure better protection for the company but a better customer/vendor relationship,” he said. “Also, these providers should consider partnering with external red team organizations and offering their services as part of their portfolio.”

The study showed that 72% of respondent organizations conduct red team exercises, with 23% performing them monthly, 17% quarterly, 17% annually and 15% biannually. Sixty percent conduct blue team exercises, with 24% performing them monthly, 12% quarterly, 13% annually and 11% biannually. The fact that so many organizations practice these exercises monthly speaks volumes about their maturity and dedication to fortifying their security posture, according to Exabeam.

Not only do more organizations practice red team testing, but 35% of respondents claim that the blue team never or rarely catches the red team, while 62% say they are caught occasionally or often. Only 2% said they always stop the red team, emphasizing that organizations must constantly evaluate and adjust their security investments to keep up with today’s adversaries.

Promisingly, the study found that 74% of IT security professionals have seen their companies increase security infrastructure investment as a result of red and blue team testing, with 18% calling the budget changes significant. Only 25% claimed that their company has never upped its security budget after performing these tests.

The survey also identified communication and teamwork (27%) as the top skill blue teams need to work on, followed by knowledge of the attacks and tactics (23%), threat detection (20%), incident response time (17%) and persistence (8%).

Deception Technology Hasn’t Yet Gone Big

Deception technology, aimed at preventing a cybercriminal that has managed to infiltrate a network from doing any significant damage, is steadily gaining ground. The technology works by generating traps or deception decoys that mimic legitimate technology assets throughout the infrastructure.
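The paragraph above describes the mechanism in one sentence, so here is a small added illustration of the detection side of it (this is example code written for this article, not a product of Illusive Networks, Attivo or any vendor named on the page). The premise of deception is that a decoy account or host has no legitimate user, so any reference to it in telemetry is a high-fidelity signal regardless of whether the attempt succeeded. The decoy names, the log line format and the sample log lines below are all constructed for the example.

```python
"""Toy decoy-touch detector (added example, not vendor code).

Deception tooling plants assets that no legitimate workflow should ever use.
This script keeps a registry of constructed decoy identities and scans
constructed sshd-style auth log lines; any line that references a decoy
user or decoy host produces an alert, and alerts are then grouped by
source address so the host doing the probing stands out.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed decoy inventory (hypothetical names, not real assets).
DECOY_USERS = {"svc_backup_legacy", "fileshare-admin"}
DECOY_HOSTS = {"10.20.30.99", "fs-archive-02"}

# Constructed log format: "<ts> sshd: <Accepted|Failed> password for <user> from <src> to <dst>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Accepted|Failed) password for (?P<user>\S+) "
    r"from (?P<src>\S+) to (?P<dst>\S+)$"
)


@dataclass(frozen=True)
class DecoyAlert:
    ts: str
    src: str
    reason: str


def parse_line(line):
    """Return the parsed fields of one auth line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def check_event(ev):
    """Return a DecoyAlert if the event touches any decoy, else None.

    The outcome field is deliberately ignored: a failed login against a
    decoy credential is just as telling as a successful one, because no
    real workflow should be trying it at all.
    """
    reasons = []
    if ev["user"] in DECOY_USERS:
        reasons.append(f"decoy credential {ev['user']!r} used")
    if ev["dst"] in DECOY_HOSTS:
        reasons.append(f"decoy host {ev['dst']!r} contacted")
    if not reasons:
        return None
    return DecoyAlert(ts=ev["ts"], src=ev["src"], reason="; ".join(reasons))


def scan(lines):
    """Run every line through the parser and the decoy check; skip unparseable lines."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # other log types are out of scope for this toy
        alert = check_event(ev)
        if alert:
            alerts.append(alert)
    return alerts


def suspicious_sources(alerts):
    """Count decoy touches per source address; repeated touches from one host suggest lateral probing."""
    return dict(Counter(a.src for a in alerts))


# Constructed sample log: two ordinary logins, one failed attempt with a decoy
# credential, one successful login to a decoy host, and one malformed line.
SAMPLE_LOG = [
    "2019-08-07T10:00:01Z sshd: Accepted password for alice from 10.20.30.5 to 10.20.30.10",
    "2019-08-07T10:02:13Z sshd: Failed password for svc_backup_legacy from 10.20.30.41 to 10.20.30.10",
    "2019-08-07T10:02:40Z sshd: Accepted password for bob from 10.20.30.41 to fs-archive-02",
    "this line is not an auth record",
    "2019-08-07T10:05:00Z sshd: Accepted password for alice from 10.20.30.5 to 10.20.30.11",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} ALERT from {a.src}: {a.reason}")
    print("touches per source:", suspicious_sources(found))
```

In practice the decoy registry would be fed by the deception platform's inventory and the log stream by the SIEM; the point the example makes is that the rule needs no behavioural baseline or signature, only the knowledge of which assets are fake.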


Illusive Networks’ Michelle Marchand

So when is deception technology set to go big? We spoke with Michelle Marchand, Illusive Networks’ director of channels for the East, at Black Hat to find out.

“I have been in deception technology now for about 14 months, and before that the endpoint and network side, so coming over here was new and exciting,” she said. “What I’ve seen in 14 months is a little bit better recognition of the market. It’s still a lot of evangelizing, to be honest, and within that you’re educating. It’s something that people consider a want right now versus a need.”

The early adopters are those that “get the sensitive data thing and they don’t want to be in the paper, so they really are proactive,” Marchand said. However, that doesn’t mean they have the right funding set aside, which puts deception technology second in line, she said.

And while early adopters are larger organizations, some smaller organizations have come forward with “just as much of a force in their belief in it,” she said.

“They don’t always have to be the big shops to realize that this technology is legit and it does what it says at the end of the day, true deception technology,” Marchand said. “We’ve added some new functionality and add-ons to the product, which are awesome, and that’s exciting because you get that true deception piece and you can piggyback off it. As long as the real product does what it says, it’s a wonderful add-on, wonderful gravy to offer.”

In the meantime, it’s all about education and “you have to get it into people’s environments,” she said.

“When those happen, that is usually an amazingly good sign because now we’re at the point where we just have to find the budget, which doesn’t always happen, but if they see that value behind it and what it really does protect, and how feasibly it is rolled out, it’s impressive,” she said.

MSPs are increasingly expressing interest in adding deception technology to their managed services offerings, Marchand said.

Attivo’s Carolyn Crandall

A new report conducted by Enterprise Management Associates (EMA) and commissioned by Attivo Networks, a deception provider, gauges attitudes and views on deception technology in the enterprise. Among the key findings:

  • Users of deception technology reported a 12-times improvement in the average number of days it takes to detect attackers operating within an enterprise network.

  • 70% of users highly familiar with deception technology report a high confidence for detecting in-network threats.

  • 71% of respondents cited that they have achieved a significantly to somewhat higher value from the technology than initially expected. Some 84% said they planned to increase their spending in the future.

  • 67% of respondents evaluating or planning to look at deception technology cited the speed of detecting threats early in the attack lifecycle as the primary driver behind their interest.

“Quantifying the ROI of security controls can be extremely challenging and is often tied to overall breach metrics that can be heavily debated,” said Carolyn Crandall, Attivo’s chief deception officer and chief marketing officer. “This survey is particularly interesting in that it quantifies the specific value derived and the sentiment of deception technology users compared to non-users.”

Strolling Around the Dark Web


Sophos’s John Shier

At Black Hat, Sophos released a new research report on Baldr, an up-and-coming password stealer with at least four major revisions over the past seven months. The Baldr story is connected to a “vast criminal underground enterprise of trading stolen goods,” said John Shier, senior security adviser.

“I am literally looking at some of these markets as we speak,” he said. “They come and go, but if there’s one thing that’s common to all of them it’s that they will never go away and they’re always striving to produce more content, and that content is generally illicit drugs … however, there’s always the digital goods section and that’s where you find your credit cards and card verification value numbers (CVVs), and your stolen gift cards, and then things like compromised credentials, compromised server access, etc. It’s this nice, tightly knit ecosystem that if you’re somebody with ill intent, you can one-stop shop on the dark web. If you have no knowledge, you become a cybercriminal just by spending time on the dark web. You can find tutorials, hire some services and buy some tools.”


Sophos’s Chet Wisniewski

Chet Wisniewski, Sophos’ principal research scientist, said the guys who write the malware aren’t social enough to know how to sell it, so they need distributors just like real software companies.

“And in this case it’s crimeware-as-a-service, so they’re not actually deploying it to victims directly, they’re selling it to wannabe criminals that don’t know how to write their own bad code,” he said. “So there’s a minimum of three tiers before you actually get to victims.”

With Baldr, when the information was flowing from the victim machine back to the customer who bought the software, it would pass through the original author’s servers and then they would take a copy, so your credentials are being stolen twice, doubling the opportunity for your credentials to end up dumped somewhere on the dark web, Shier said.

“That is a problem because it means that even though you may not get breached today, people do tend to reuse passwords over many years and even a breach that’s five years old still gets you in trouble,” he said.

NormShield Building Partnerships

NormShield, which allows enterprises to assess, prioritize and address the third-party cyber risk of any company, anywhere within 60 seconds, is on the hunt for new partnerships with MSPs, VARs and OEMs, both in the United States and abroad.

NormShield’s Candan Bolukbas

At Black Hat, Candan Bolukbas, CTO and co-founder, gave a demonstration assessing the third-party risk of embattled Chinese telecom company Huawei, and the findings weren’t pretty. Needless to say, Huawei’s risk is off the charts.

“If you know where to look, you can find a lot about an organization, and this information is mostly coming from open source intelligence,” Bolukbas said. “We’re not asking anything but the name of the domain that you want us to assess. This capability is heavily used by lots of different entities. We have some very good, promising partnerships.”

NormShield is working with a Fortune 50 tech giant to expand their cybersecurity services, he said.

“Imagine you’re going to a customer and you’re saying you may have some problems, let us do an analysis and we’re going to fix those problems,” Bolukbas said. “In this case, it’s an eye opener because you’re specifically talking about the company itself and you are specifically talking about some problems that you’re going to address. It’s a very good conversation starter and we see that our partners are actually getting a lot of traction on that.”

Some of NormShield’s successful use cases involve MSSPs, he said. For example, a Minneapolis-based MSSP’s primary goal is accessing the customer with something in hand and to gain more business out of that conversation, he said.

“So they are generating the scorecard before the meeting, and of course talking to the customer about what they are going to do with this relationship, and after that work, they’re generating another scorecard and showing the difference, here you were in C-grade range and now you’re in B-grade, and the next phase we’re going to take you to A-grade range,” Bolukbas said. “That’s the strategy that they’re following and it’s working very good.”

And One Final Message from Splunk

Smaller security information and event management (SIEM) providers are aiming to steal market share from incumbents like Splunk and IBM. Exabeam in particular has said it wants to be the “Splunk killer.”


Splunk’s Monzy Merza

When asked about this at Black Hat, Monzy Merza, Splunk’s vice president and head of security research, said in some ways “it’s kind of a proud moment.”

“We are doing something that others are aspiring to overtake, and I take that in a very positive way,” he said. “Competition’s what competition is, but when it comes to serving our customers and thinking they can do a better job than we can do, then that’s awesome because there’s no shortage of problems that customers are faced with and the challenges they’re faced with.”

Some of Splunk’s competitors are part of its Adaptive Response Framework, which provides a mechanism for running preconfigured actions within the Splunk platform or by integrating with external applications, Merza said.

“The world needs help so we can be of service, and if people think they can do better, that’s great, let’s do better,” he said.


About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
