Feb 24, 2023

Learning Red, Blue, and Purple Team With Paul Dyer

Host: Hi everyone. Thanks for joining me in today’s episode of Scale to Zero. I’m Purusottam, CO-Founder, and CTO of Cloudanix. Today’s episode is focused on threat hunting, red teaming, blue teaming, and purple teaming. So there are all these areas of threat hunting and dealing with threats. And to discuss more like to discuss on this topic, we have Paul Dyer with us.

Paul has been in It industry for over 20 years and he started his career in service delivery. But then he moved to infrastructure management and in the last eight years he has been focusing on security as a stock analyst. His expertise lies in purple teeming, threat hunting, and application security, and he uses that knowledge to help organizations improve their cyber defense and mitigation strategies. Paul, it’s wonderful to have you in the show. For our viewers who may not know you, do you want to briefly share about your journey?

Paul: Sure. Thank you for having me. It’s a pleasure to be here. I started in It, as you mentioned, about 20 years ago, and I started on the service delivery side on the phone with customers, helping out customers based on whatever their needs were. After doing that, I moved into infrastructure part of things I was a system administrator, land administrator, did mostly server management as well as storage management. And after that, after doing that for a few years, saw kind of the trend in where security was going and had a great interest in that just based on the constant changes and challenges that security presents and decided to move into that lane. And I’ve been doing security, like you mentioned for about the past eight years.

Host: Lovely. Yeah, it’s wonderful to have you here. So the way we do the show is we have two sections. First one focused on the security questions and the second one, which is the fun one, is the rapid fire.

So let’s start with the security questions, right?

Paul: Well, fundamentally this nomenclature was actually kind of absorbed from the military and its fundamental differences between the various teams are kind of similar to what it is in the military. Red Teams basically are groups of professionals, groups of security professionals whose main goal is to simulate real world attacks on the target systems, the target networks that they are protecting. They simulate things that are gleaned from the study of adversaries in the real world so that they can, in a safe manner at their organizations, basically see how their organization would defend against those attacks. So their real goal is to kind of really think creatively, act as an adversary and exploit any weaknesses in their organizations, infrastructure and networks.

Blue Teams, on the other hand, are kind of like the other side of the coin for our Red Team. The Blue Team would be the defenders, so to speak. The folks who are more responsible for the tooling and the protection of those systems. They have the main objective of basically defending against any of those threats and attacks that the Red Team folks are implementing in their environment. So they’re the defensive folks. A Purple Team can actually be an actual separate team depending on your organization. Purple teams, however, can sometimes be just a subset of folks from both the red and blue teams, with their collaboration looking at security from a holistic point of view and using the knowledge gleaned in red team activities and blue Team activities to try to make the overall security posture of an environment better by basically using knowledge gained from all the activities of the two prior teams to kind of make the overall structure of an organization more secure, more risk averse and implement the various types of mitigations that are needed based on Blue Team and Red Team activities.

Host: Okay, that makes a lot of sense if I try to understand right. Red Team and Blue Team are sort of like in opposite teams. But Purple team is where they have sort of strengths from both sides.

So now I’m curious,

What unique strength do Purple teams bring into an organization security program?

Because we understand that if you have a red team and blue team, is that enough or do you still need a purple team to use that unique strength?

Paul: It really depends on the organization. Depending on the maturity level of an organization security program, the need may be there for a defined Purple team or you may be getting enough information from just your Blue and red teams to actually provide the kind of information and mitigation that you would need.

However, if your security program, if you’re in an organization that has a mature security program that has these teams defined, the Purple Team, I think provides that additional strength to the organization because they are, as I mentioned, combining those two different mindsets, I should say. Because to be honest with you, a lot of times you get tunnel vision.

Whether you’re on the blue or the purple side, you get tunnel vision in terms of tools and techniques that you use to perform your job. And that tunnel vision can sometimes be detrimental because people don’t think outside of the box natively. Whereas assigning a team or a person or a subset of each team to purposefully think outside the box, I think will give an organization that added almost 3000 foot view of what we’re doing right, what we’re doing wrong, what we can improve on. It basically provides a more comprehensive view of the security posture. And having that comprehensive view is something that’s really useful, especially to the C suite in organizations because you can kind of give that broad overview to executives who sometimes really don’t have a lot of time to get into the weeds.

Host: Yeah. When you were highlighting the Purple Team strength, right, one thing that was coming to my mind was when it comes to engineers, right, they are not very good at testing.

And then there is a testing team and both of them have different focus areas. But for the last ten years or so there has been a lot of use of TDD, right or test driven development where developers also get into writing tests so that they also understand the pain that maybe the testing goes through when you are writing the code itself. So, yeah, it makes a lot of sense.

I want to go into a little bit philosophical level. Right.

So most organizations, what they do is when they are growing, they look at security as a roadblock because security most of the time seen as they are trying to enforce some policies or they are trying to enforce something. Right? And always business growth wins because at the end of the day, you are running a business to grow.

So now I’m curious, what unique strength do Purple teams bring into an organization security program? Because we understand that if you have a red team and blue team, is that enough or do you still need a purple team to use that unique strength?

Host: Yeah. When you were highlighting the Purple Team strength, right, one thing that was coming to my mind was when it comes to engineers, right, they are not very good at testing.

I want to go into a little bit philosophical level. Right.

So for organizations, let’s say, who want to focus on security or who are getting ready, or you are focusing on security right now. What’s the right time to invest in, let’s say, threat hunting, like hiring for these teams or even thinking about building these teams, right?

Paul: Yeah, that’s a really good question and it so much has to do with that organization individually. But in general terms, what I would say is it would depend a lot on, first of all, the maturity of the security program because it really doesn’t make a lot of sense to have a program that’s immature in some of the other aspects of a complete rounded security program.

It doesn’t make sense to go adding red blue teams when endpoint protection or risk management might not be up to par. So the maturity of the security program I think is one big thing that organizations have to really kind of think about in regards to when to do that hiring. They also should consider, in my opinion, the threat landscape that they’re in.

If your exposure to technology is not as immense as say, another organization that say it’s just strictly ecommerce outfit, all of what they’re doing is online, et cetera. Whereas you might have another organization where their needs around their security program might be more risk analysis and more on the governance side, they might not immediately need that. So you should definitely know your threat landscape as well. Like, are you currently in a situation where you’re under that much threat that you need this level in your current security program? Another thing to consider as a variable here would also be budget and resources. And this kind of goes back to even threat landscape, but budget and resources, as we all know, in a lot of environments, security tends to be a little bit down there sometimes in regards to the budget and those resources can sometimes be used more efficiently, especially if your program isn’t very mature as yet. Those resources can be used more efficiently in kind of setting up tooling, setting up incident response, setting up the things that you need in the early stages of your program and also kind of along that same line of budget, your detection capabilities. Because if you are in an environment where say, your tooling doesn’t give you because for threat hunting and the like, you really need as much information from your environment as you possibly can.

And that takes significant tooling, it takes having logs coming into the appropriate places, running scenes, running edrs, et cetera. And if your organization isn’t at the place yet where they’re getting a full picture of their environment, then resources might be better spent on making that happen first before you go defining specific teams for red, purple, blue hunting because it just might not serve you at that point in your maturity of your program.

Host: So I think those are some things that we can probably take into consideration when making that decision as an organization that makes a lot of sense because it’s like hiring the team, but not giving them the right tool so that they can function, then it defeats the purpose of hiring them. You do not get the right value from them. Right. And I think I wanted to ask about how to track the maturity and all you have already addressed that, so yeah, absolutely. That makes a lot of sense.

So I want to sort of talk about now a little bit about practices that organizations follow.

So most organizations, if they have SOC certifications or different types of certifications, they do annual penetration testing, annual or semiannual penetration, internal or external penetration testing. Right. And also they go for security certifications for SOC2 , HIPAA, isos, pcis and stuff like that to assess and also to improve their security posture. Based on your experience, is that enough from a security posture perspective?

Paul: That’s a good one.

I won’t say names here, but I’ve seen scenarios where all of those certifications are in place, but there are still holes in an environment, overall security posture that allow for attackers to get in. So it can be useful. It can definitely be useful to get SOC2, HIPAA, pci, et cetera. And some of these certifications are required to actually perform business in certain scenarios, but them as independent things, just standalone things. Okay, I got my sock. Two, I got my hipaa. So now I’m great. I’m all set. That doesn’t really effectively defend against threats, especially in an environment where threats are constantly evolving, because those certifications give you kind of like a snapshot, they give you an annual look at your network at the time you’re looking at it, but if there’s no follow up, no actual additional resources being placed around that, that can’t be the full thing. You have to have various other structures in place, incident response, user training, and all the other things that make up like a comprehensive security program. Because having just one snapshot in time saying everything’s great right now is fine, but everything might not be great in three months time.

It’s very important that with those certifications come additional ongoing threat hunting, incident response activities, policy reviews, et cetera, the need for folks to assess their vendors that they’re dealing with, et cetera. So you kind of have to have a rounded program in addition to all those things. Some of those certifications, the great thing about it is they require that those things are in place prior to the certification. So it allows you to kind of have to walk down that road to get the certifications, but certifications by themselves without supporting the supporting programming and mechanisms around a properly flushed out security program won’t protect you in this day and age at all.

Host: Yeah, it makes a lot of sense, right, because the threat landscape sort of changes every day. And if you say that I did an evaluation in January, that may not be like, few things may not be valid anymore. Right. By end of January. Absolutely. Certification is not always the answer for everything. That’s a good baseline. But you have to have other programs as you highlighted, right? incidental forms, threat hunting and vendor evaluation, stuff like that. Exactly, yeah, makes a lot of sense.

I want to touch on like when it comes to any cloud or infrastructure, at the end of the day, we are trying to run a business, right, and we are trying to deploy some code or deploy some workloads and in that nowadays there has been use of open source software quite a bit. It has been growing a lot and especially with that there are supply chain attacks that we hear right, like what happened with Solar Winds or Twilio or even with PyiPyi, the packages. And in one of the recent studies by Anchor they highlighted that there are around 85% to 97% of the enterprise code base uses open source and 62% of the organizations have been impacted by supply chain attacks which is like three out of five companies. Right.

And we received this question from a first time security leader. They’re curious like how does, let’s say red teaming or Purple teaming or Blue teaming, how does that help in this case?

Paul: I think that would be a help in a scenario like that because you would have professionals who would be able to kind of guide organizations to implement some of the things that could help mitigate against supply chain attacks. One of the first things that comes to mind for me would be implementing software bill of materials which helps basically organizations kind of keep track of all the various open source components within their code base. This information is very useful as it can be used to help identify potential security vulnerabilities prior to anything actually occurring, prior to an attacker finding it before you do so that’s one of the first kind of steps I would suggest. Having software bill of materials would be like a great first step and fortunately nowadays there’s some functionality being kind of built into tooling that will do this from an automated perspective.

In addition, regular security assessments are also very useful. In a scenario such as this you want to be able to even more than penetration testing which is usually done by most organizations on a year to year basis. You want to be kind of more proactive, especially when it has to do with agile development, rapid software development which is very much used nowadays. You really want to be on top of what’s going on and one of the better ways to do this is through automating your tooling, et cetera. Of course, vulnerability awareness is an important step there because if you don’t know what’s going on in the landscape, if you don’t know what your components, which one of your components need updating, you could easily miss something. So being aware of vulnerabilities is a great step. And one thing that I see and I feel is a huge help over the past several years are the way software development has moved from kind of one person sitting at their computer doing code, uploading code to a repo, but more in the cicd pipeline scenario. That, I think, is a huge step forward for mitigating things on the fly. Because things like cicd pipelines, you can build those checks, build security checks, build software vulnerability checks within your pipeline. And I think this helps not only security professionals, but developers to be able to know.

Okay, well, at least there’s some baseline things here that I know are taken care of, because we have a CI cd pipeline. We have tooling within our pipeline that’s looking for code errors, looking for things that are outside of specs, looking for vulnerabilities, et cetera. So I think that’s also a point to be taken there in terms of one of the things that you can do to kind of help mitigate that. And last but not least, look at alternate sources. Sometimes there can be things and again, this might be something unique to the environment. There can be things that are open source, sure, open source, the price is right, it’s free. But if you are a mature environment, if you are a mature organization, and if you have the resources to do this, there can be some of those things that you could go for a licensed software for just your peace of mind versus an open source piece of software. If there’s parity in terms of what each thing does from a resource point of view, obviously will be licensing and the additional cost there. But if you’re a large enough organization, it may lower your risk level to an extent where it’s better for you in the long term. That licensing fee that you’re going to pay this year might save you from an attack next year. So it really depends. It really depends. But I think those things would be a good starting point for anyone trying to tackle this as a first time leader in any organization.

Host: Yeah. So I like you highlighted a few things, right? First thing is, nowadays, even like programming languages, they also offer software bill of material information like Golangai recently has started doing that docker has a way where you can just run and you find out all the spams in it. And the second one was CI/CD. And you’re absolutely right that as a developer or as a team, you cannot manually do all the checks. That whether you have vulnerabilities in the open source code, CI cd gives you that flexibility where you can move fast and you can just run a pipeline to do the automated checks. Automated, right. So that saves a lot of time and a lot of headache as well. And last thing that you highlighted, which is very unique, is look at alternate sources, right? Sometimes what happens is, let’s say you are using an open source and that is not maintained or that has vulnerabilities, but there is a similar package somewhere else which doesn’t have vulnerabilities. Maybe it’s time to switch, right, if it is not getting maintained and stuff like that. So, yeah, those are some very good points.

So the last question that I have is,

Let’s say I understand the value of threat hunting, these different types of teaming, and I want to start my career in It. Where should I start from?

Paul: Wow, that’s a good one. One of the things that attracted me to be in the It industry in the first place was the various entry points that you can really enter this industry from. My personal story, I entered from a really nonstandard way, but once I was in It, I knew it was something that I wanted to be in my career.

I had a love for this, for the industry as a whole. So I kind of dove right headlong into it. My suggestion there for people really wanted to start out is gain that strong foundation.

Something that helps me on a daily basis is having an understanding of how things work from the PC all the way to the network, having that understanding of how even if it’s minutiae in regards to how something would work, but really dive into the base. Gain that strong fundamental understanding of operating systems, protocols, technologies, et cetera. And I think that puts you on as a great first step. Secondly, I would suggest to people is to acquire certifications. Look at certifications that are out there. ceh, which is the certified Ethical hacker certification. Pen testing certifications. oscp, which is Offensive security certified Professional certification. That can also help because certifications demonstrate to potential employers that you know what you’re talking about. You can demonstrate your skill in this thing.

Another thing which I myself do is I read and I am constantly learning. If you are looking for a profession where you’re going to do the things, you’re going to take the test you’re going to pass, and then you’re going to fold your arms back and go, all right, I’m here. This isn’t the one for you. Because information technology development, almost any part of what people know as It nowadays requires constant and ongoing learning. It’s just the nature of the beast. And people who thrive on that do well in these organizations, do well in this career, I should say, and participate in your community, being a part of your community, whatever lane you decide to get into in cyber security. And cyber securityecurity is such an immense field now. There’s so many different parts of cybersecurity, the governance side, the red teaming defensive side.

There are so many different areas that people can go into now. And once you find that area that you are enamored by, reach out to your community. There’s so much great information out there coming from community members, so much great information online that you can source just by yourself. That I would say definitely continuous learning would definitely be a big part of it.

One thing that sometimes people forget also is soft skills. Soft skills, as counterintuitive as sometimes people might think this is, soft skills are really important because you as a security professional are one day going to find yourself in a scenario where you’ll be needing to explain something to either a user, cso, some other executive, or just basically your user base on a whole. And having those soft skills, to be able to communicate with folks, to be able to collaborate, because security requires a lot of collaboration with other teams in your environment, having those soft skills are a plus for sure. So I’d definitely recommend that that should also be a point of study for people. Because as we all know, a lot of people in information security are introverts by nature.

So getting some practice there is great like communication and being able to communicate why you’re saying to someone, okay, don’t do it this way because it’s insecure. Here’s another way to do something. And I found being able to communicate with my customers, internal, external customers, as to why we’re not allowing something is a huge help in terms of just making it a lot easier for people to understand, to comprehend, to not get aggravated about. Because like you mentioned before, security a lot of times is seen as the blocker, the people trying to block the stuff. But I think, and I’ve seen in many examples where once you communicate to someone, this is why we don’t want you to do X, Y or Z. It’s a lot easier for them to go, oh, okay, I can see that. How should I do this? What’s a safer way to do this? What’s a safer way to code this thing? Or what’s a safer way to implement this system, etc. And I think that’s not spoken about enough sometimes. Communication.

Host: Yeah. So when you said about the soft skills, right, and security folks being introverts, that applies to engineers quite a bit. Like as engineers, engineers are not very good at communicating to other stakeholders, be it the management or be it like vps or anybody, right. Or users, even like end users. We are not good at that.

So that is a good one. The other thing that you highlighted, which is very key, is the continuous learning. And I think that applies to every job. If you want to grow, you have to continuously learn. Otherwise you are not growing at all, right. If you don’t learn. So, yeah, those are some amazing points and that’s a great way to end the security section.

Summary:

Here are a few points which stood out for me.

For organizations before investing in threat hunting or Red teaming, blue teaming or Purple teaming, understand your threat landscape, your security maturity, and have threat detection capabilities via different tooling.
Certifications like soc. Two hipaa, et cetera are a good foundation, but invest in continuous security risk assessment.
For open source usage and security of it. Invest in understanding software, bill of materials like the spawns, and perform regular security assessment and look for alternate solutions wherever necessary, wherever there are better security options available.

Host: So let’s go to the rapid fire section.

Rapid Fire:

Host: So the first question is, if you were a superhero of cybersecurity, which power would you choose to have with you?

Paul: The power of communication. Absolutely, because it allows, I think, security professionals to be able to move forward in what they’re trying to do in terms of protecting a network a lot easier when your stakeholders understand clearly what it is you’re trying to do. So that would be my superpower. My definitely superpower would be the power of communication.

Host: Makes a lot of sense. The next one is what advice would you give to your 25 year old self starting in security and why?

Paul: I think the advice I would give would be learn as much as you can, as fast as you can.

In my earlier days, simply because the rapid change of everything in security is a constant. You wake up every day and there’s some other breach happening almost daily now, learning and reading and staying up to date with all of that allows you to kind of see, almost look in the future and see where things are headed. And I’ve always tried to do that. No matter what role I was in information technology, I’ve always tried to do that to stay ahead of the learning curve. So look at what’s happening now and go, okay, what could this breach or what is this trend leading to? And then read up on that future trend because a lot of times being ahead allows you to when eventually the trend becomes an overwhelming tsunami of things, you can be ahead of the game and say, oh yeah, you know my vp well, yes, we’ve looked at this, we’ve thought about this. This is what we think the mitigation for this scenario should be. So it allows you to just kind of be one step ahead. And I think management and anyone in an enterprise, they feel a lot safer and more confident in security professionals who are forward thinking. So that would be kind of my advice to my 25 year old self, to just kind of stay ahead.

Host: Makes a lot of sense. It goes back to learning, right? So the last question is, what are the three blogs or books or websites that you go to to stay up to date? Because as you said, it’s changing rapidly. So how do you do it?

Paul: I built a while back a nice rss feed that I’ve, over time, curated to my personal go to blog almost. So I get a lot of things from a lot of places curated in an. RSS feed. I would recommend that to anyone because there’s a lot of stuff out there. There’s a lot of information out there and parsing it to focus in on your lane and security is helpful. But some of my individual go to blogs and resources online are SANS. I love the SANS Institute, which is the security learning organization that provides gsec certifications and a bunch of other certifications. They have a great podcast that I listen to every day. That’s a really good one because it’s comprehensive and it gives you kind of a weekly, daily change on what’s going on in cybersecurity. There’s also a gentleman that I found a few years ago during the pandemic called Daniel Measler. I hope I’m pronouncing his last name correctly, but he has a great blog to security as well as kind of some related topics are covered on that blog. Okay.

But he’s a really deep thinker and he’s kind of one of these forward looking gentlemen too. So I like his blog and honestly, in terms of books, there’s so many books out there, I would just say there just read and stay current with whatever it is that you’ve decided your specific focus in cyber security is going to be.

Something that comes to mind, is I’ve been reading a book on cryptology recently and crypto analysis is not something that I do in my day to day job, but this is one of the things that I think helps security professionals is having like a rounded view of everything. Having specific focus, yes, but also knowing the 3000 foot view of how it all works, how it all fits together. And I think having individual times where you kind of step outside of your lane and read things that are whether it might be on cryptology or I’ll read things around governance, sometimes governance, I’m not involved in governance, but I want yeah, something unrelated also. No, exactly. I want to know how all those spokes fit in the complete wheel. And I think that’s an important thing for a rounded security professional, because it allows you to speak across different types of subject areas and it allows you to think for Red teamers, Blue teamers. It allows you to think outside of the box when you’re trying to pop that server or defend that server for Blue teamers, because with that kind of broad understanding of exactly how everything is fitting together, it allows you for creative thinking in those scenarios.

Host: So in a way it avoids that tunnel vision that you were highlighting earlier as well. Right? That happens with the teams. So, yeah, what we’ll do is we’ll make sure to tag these when we publish the video so that our viewers can also go to those resources.

So that’s a great way to end the conversation. So thank you so much, Paul. At least for me, I learned these threat hunting models and different teams, what are their responsibilities and what’s the right time to invest in them and stuff like that. Thank you so much for coming to the show and sharing your knowledge with us.

Paul: You’re very welcome and have a great day.

Host: Yeah. Thank you so much.

And to our viewers, thanks for watching. Hope you have learned something new. If you have any questions around security, air those at scale to zero. We’ll get those answered by an expert in the space. See you in the next episode. Thank you.

For folks who may not know, like me, who may not know or are not that familiar with the terms, can you share what a Red Team is or a Blue Team is a Purple Team?