Continuous Testing and Auditing – Purple Teaming Activity
Breach and Attack Simulation (BAS) is an advanced security testing method. It is designed to determine whether an organisation’s existing security controls detect and respond to attacks as they should, in order to improve the organisation’s security posture.
Some of the BAS Platforms are:
The diagram below shows how attacker behaviour observed during intelligence analysis is executed in the BAS tool, and how the response is observed by the operators for security gap analysis.
Why do we need BAS Tools?
BAS tools assist with gap analysis by continually running full attack-cycle simulations against the enterprise infrastructure, mainly using the MITRE ATT&CK framework. This testing is usually carried out by the purple team as part of a ‘threat-informed defense’ strategy, which consists of three elements:
Cyber-Threat Intelligence Analysis
Defensive Engagement of the Threat
Focused Sharing and Collaboration
The purple team maximises defensive capabilities to protect the most critical assets by coordinating and coupling the activities of the red and blue teams.
1. Identify Threats
Use the MITRE ATT&CK website to identify threat groups that are likely to target your industry vertical.
Use the MITRE ATT&CK Navigator to map the techniques and software known to be used by those threat groups.
2. Conduct Test
Create test statements (combine your questions with a hypothesis to make a test statement). Check whether each test statement aligns with any MITRE ATT&CK techniques and tactics.
Identify assets in your environment for gap-analysis testing based on the test statements (OS, security controls, users, etc.).
Decide which scenarios to run. This should be iterative; scenarios are unit tests.
Schedule testing (consider local or remote asset testing, testing availability, impact on users, how often to conduct testing, etc.).
Liaise with IT/Sec Ops.
Use the BAS tool’s detailed report.
Determine whether the gap found can be covered by an existing policy or tool that just requires tuning.
4. Report & Iterate
Re-run the assessment and review the results.
Use the BAS tool’s differential reports.
Continue to add new assets and scenarios.
Using an agent – utilises individual assets in your environment to execute the tests against; the results are then sent to the BAS server. It is also easier to deploy.
Using virtual – BAS tool agents are used within a virtual lab environment built from lab components designed to simulate the production network. Agentless deployment is also an option, where packets are replayed to observe how the environment responds.
Using services – this requires no deployment. External cloud services simulate or replay attacks or behaviour against a target or range of targets. It usually focuses on exploiting vulnerabilities.
Behaviour emulation – a production-safe approach which recreates attacker behaviour (pre-exploitation and post-exploitation activities) as unit tests instead of payloads.
Behaviour replay – a production-unsafe approach which replays attacker behaviour, usually from packet captures.
Malware detonation – a production-unsafe approach. Similar to sandboxing, but focused on how well your security controls respond rather than on understanding how the malware operates. A malware sample is run in a virtual test lab environment to understand how well your security controls respond to the attack.
Service-based testing – uses a combination of many approaches and may include human components. It is vital to understand what is in scope and out of scope, and how often the testing can be done.
Two well-known use cases are:
Continuous Security Validation Use case
This use case validates your organisation’s existing security control policies to ensure they were deployed properly. The process includes selecting an existing individual security control for your asset, creating or using existing BAS unit-test templates to run against the target control, executing those tests and analysing the results.
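As an added illustration (not code from the page, nor from AttackIQ or any BAS product), the following Python models the four-step workflow above and the continuous security validation use case: a small catalogue of BAS-style unit tests keyed by ATT&CK technique ID is “executed” against constructed alert telemetry from two assessment runs, then turned into a gap report, a differential report and an ATT&CK Navigator layer for a coverage heatmap. The threat profile, scenario names, control names, alert names and telemetry are all constructed; the technique IDs are real ATT&CK identifiers used only as labels, and the Navigator layer keys are assumed from the public layer format. No attacker behaviour is performed; the point is the gap-analysis bookkeeping a purple team does around the tool.

```python
"""Added illustration of BAS-style gap analysis (not the page's or any vendor's code).
Scenarios are unit tests keyed by ATT&CK technique ID; "running" one here only checks
constructed detection telemetry, it performs no attacker behaviour."""
import json
from dataclasses import dataclass


@dataclass
class Scenario:
    """One BAS unit test: the technique it emulates and the control expected to catch it."""
    scenario_id: str
    technique_id: str      # real ATT&CK technique ID, used only as a label
    control: str           # security control under validation (constructed name)
    expected_alert: str    # alert the control should raise (constructed name)


# Step 1 (constructed): technique IDs an analyst pulled from ATT&CK Navigator for a
# hypothetical threat group targeting this industry vertical.
THREAT_PROFILE = ["T1059.001", "T1003.001", "T1021.001", "T1071.001"]

# Step 2 (constructed): scenario catalogue. T1071.001 has no scenario yet: a coverage gap.
SCENARIOS = [
    Scenario("S-001", "T1059.001", "EDR", "Suspicious PowerShell"),
    Scenario("S-002", "T1003.001", "EDR", "LSASS Access"),
    Scenario("S-003", "T1021.001", "NDR", "Lateral RDP"),
]

# Constructed telemetry: alerts SecOps actually saw during two assessment runs.
RUN_1_ALERTS = {"EDR": {"Suspicious PowerShell"}, "NDR": set()}
RUN_2_ALERTS = {"EDR": {"Suspicious PowerShell", "LSASS Access"}, "NDR": set()}


def execute(scenarios, alerts):
    """Steps 2/3: evaluate each scenario against observed alerts.
    Returns {scenario_id: 'detected' | 'missed'}."""
    results = {}
    for s in scenarios:
        seen = alerts.get(s.control, set())
        results[s.scenario_id] = "detected" if s.expected_alert in seen else "missed"
    return results


def gap_report(scenarios, results, threat_profile):
    """Step 3: techniques with no scenario at all (untested) and scenarios that ran
    but raised no alert (missed), i.e. candidates for policy tuning."""
    covered = {s.technique_id for s in scenarios}
    untested = sorted(t for t in threat_profile if t not in covered)
    missed = sorted(s.technique_id for s in scenarios if results[s.scenario_id] == "missed")
    return {"untested_techniques": untested, "missed_detections": missed}


def differential(before, after):
    """Step 4: the BAS 'differential report' between two runs."""
    return {
        "improved": sorted(k for k in before if before[k] == "missed" and after.get(k) == "detected"),
        "regressed": sorted(k for k in before if before[k] == "detected" and after.get(k) == "missed"),
        "new": sorted(k for k in after if k not in before),
    }


def navigator_layer(scenarios, results, name="BAS coverage"):
    """Emit an ATT&CK Navigator layer (keys assumed from the public layer format) scoring
    each tested technique 1 = detected, 0 = missed, so gaps show as a heatmap."""
    techniques = [
        {"techniqueID": s.technique_id,
         "score": 1 if results[s.scenario_id] == "detected" else 0,
         "comment": f"{s.scenario_id} via {s.control}: {results[s.scenario_id]}"}
        for s in scenarios
    ]
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"layer": "4.5"},  # assumed layer-format version
            "techniques": techniques}


if __name__ == "__main__":
    r1 = execute(SCENARIOS, RUN_1_ALERTS)
    print("run 1 gaps:", gap_report(SCENARIOS, r1, THREAT_PROFILE))
    r2 = execute(SCENARIOS, RUN_2_ALERTS)  # re-run after tuning the EDR policy
    print("differential:", differential(r1, r2))
    print(json.dumps(navigator_layer(SCENARIOS, r2), indent=2))
```

Running the block reports T1071.001 as untested (no scenario exists yet, so it goes on the “add new scenarios” list) and T1003.001 and T1021.001 as missed in run 1; after the EDR tuning modelled by the second telemetry set, the differential shows S-002 improved while S-003 still needs an NDR policy change. The layer JSON can be loaded into ATT&CK Navigator beside the threat-group layer from step 1 to compare coverage visually.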
Quality Assurance Testing Use case
This use case validates security controls, operating system policy and other native controls. QA testing for gap analysis can be applied to:
Golden image testing
Deploying a new server
Below is an example AttackIQ result from a purple team exercise using a BAS tool together with the MITRE ATT&CK framework. AttackIQ is a security optimisation platform that provides automated security control validation.