How Our CTU™ Countermeasure Team is Working Hard to Defend Our CustomersPurple team testing helps us strengthen our countermeasures to keep customers safe. By: Chris Hartley, Senior Systems Engineer
- Sparring against highly skilled opponents is a highly effective training technique.
- Implementing what you learn from practice can make the difference.
- Learn how you directly, and indirectly benefit from the work of our experts.
Would Batman have been able to keep up with a growing criminal undercurrent in Gotham City, if he didn’t have an evenly matched adversary like the Joker constantly pushing him to up his game? Would he have been able to continually develop his tools and hone his skills at the same intensity if someone were not forcing his hand to do so?
What if your adversary was not a sworn enemy but more of a sparring partner or friendly rivalry with a highly skilled opponent? There are many stories of athletes who will push each other so that both benefits, the Williams sisters in tennis come to mind. One example I have personally observed concerns my son and his skateboarder friends. When one of them lands a trick for the first time in front of the others, the rest of them will work extra hard to be the next to land it and if possible, take it to the next level. Of course they still practice on their own, in their respective driveways or watching YouTube and working on their own tricks, but when someone is there to show them something new and then push them, they will often progress much faster than when they are practicing alone.
The countermeasure research team, part of the Secureworks Counter Threat Unit™ (CTU), has the mission critical task of turning the knowledge we have of the threat into Taegis™ XDR countermeasures to defend our customers. Much of our threat knowledge comes from direct observations. The countermeasure team uses this knowledge to write high fidelity countermeasures which we scale out to our customers on the Taegis XDR platform. On occasions when the team is working with limited information, the countermeasure research team must create a countermeasure based on what they know about how the attacker is behaving, measured against what the team knows about that behavior in the context of global threat activity. This is a highly effective method of working with incomplete information, which uses the expertise of researchers who are accustomed to modeling and detecting threat behavior in customer environments. Still, it would be nice sometimes to ask your foe, “Why did you do that specific action? Or “How did you get to this step without having first taken that action?” In the real world of cybersecurity, there is little chance you’ll be able to ask the adversary these questions, let alone get a helpful answer. In a friendly competition though, one where both parties are highly skilled and looking to up their game, you might just get that opportunity.
The Secureworks Adversary Group and CTU Special Operations have joined forces and created a purpose-built team of Red and Blue teamers with one goal; get better at catching actual adversaries. The Secureworks Adversary Group is a skilled offensive oriented team within our consulting practice that adopts the mindset of adversaries to help our customers improve their cyber resilience. In this environment, the offensive team gets a chance to try out new combinations of techniques and tooling without the risk of being able to break anything in the test environment, while the CTU countermeasures team observes the aftermath and starts putting together the story. In the process the countermeasures team identifies any gaps in what they know about the offensive activity, and any areas where they are unsure about the logic of the offensive team’s behavior. Here, the defenders can then ask the offensive team why they took certain actions. Sometimes the answer is that it was an unsuccessful attempt at trying something new, in which case the activity is catalogued and stored for future consideration by both teams. Other times the activity might have aided the attacker in their objective, but was a blind spot to the defenders.
Often when the countermeasure research team identifies unknown activity, they can write and deploy new Taegis countermeasures rapidly. This purple teaming program has helped uncover gaps, but one recent story really demonstrates how effective it can be. Within a week of the countermeasure research team writing and deploying defensive measures for novel techniques that the offensive team had used to get a web shell onto a host, they were put to the test during a Self-Service Demo Trial. The trial-taker had put Taegis through its paces by mounting a progressively sophisticated attack while still largely using standard tools and techniques. After some time, this SSDT user began to use more advanced techniques, including the same technique that had recently been used by our team in the purple team engagement. Thanks to the work of the offensive team and the countermeasure research team, Taegis was ready for everything the user was able to throw at it.
Perhaps the takeaway here is that we as individuals, organizations and communities are not alone in our quest for improvement and that sometimes assistance or validation can come from an unlikely source. At Secureworks we believe in the ‘iron sharpens iron’ philosophy and strive to create an environment where we all improve in our individual and collective quest to defend our customers. The CTU countermeasure research team is at the tip of the spear, but the entirety of Secureworks is committed to the cause.
Finding the right sparring partner is not easy. They need to be able to push you so that you can learn and grow, while not bullying or demoralizing you. Building this capability internally may be beyond the reach of some, but organizations can benefit from this highly effective training technique by engaging with partners who specialize in red and purple teaming, especially those that can codify their expertise into security software products and services that can be easily integrated into your existing security operations.
Find out more about Secureworks Adversarial Security Testing.