The dynamic duo: How to build a red and blue team to strengthen your cybersecurity, Part 2 | Microsoft Security Blog (2024)

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In our new Voice of the Community blog series, Microsoft Product Marketing Manager Natalia Godyla talks with Jake Williams, Founder of Rendition InfoSec. In part two of this blog, Jake shares his best practices on how to structure and evolve red and blue teaming within your organization.

Natalia: What are best practices for organizations maturing their blue team?

Jake: First and foremost, go in and look at the event logs and turn on all of the logging that you think will be useful. I work with blue teams today up and down the Fortune 500, and I ask, “Where is this in your event logs?” And they say, “I think maybe my endpoint detection and response (EDR) platform may catch that.” Windows catches that. Windows detects the thing we’re talking about if you have it configured. It’s more than 100 event logs, and a lot of them are empty and the ones that are populated are not logging the best things you can log. A lot of the reason for that is logs get big.

The second cybersecurity best practice is to use Group Policy Object (GPO) and increase the size of your event logs dramatically. I think the security event log pegs at 20 megabytes. The way that I explain this to folks is I’ve never been an incident responder and worked the case where I walk in and think, “What am I going to do with all these logs?”

Third, actually walk through the audit policy. I want you to go look at it. If you’re a systems architect or a systems engineer, you have to know what’s even available. Not knowing what’s available from an audit standpoint is almost like going to a restaurant, never reading the menu and saying, “I heard you had a burger so I’m going to have that.” And you have no idea what else could be there that could be way better. Go read the menu. Find out what audit logs are available and increase the size of them dramatically.

We’ve had folks do one but not the other. There was this heartbreaking case a couple of years back where they called, and I ended up being on the flyaway team. When they called, we asked, “What auditing do you have available?” We told them to turn it on and increase the size of the event log, and they did one of those two. And when I got onsite, and I got into that server, there were 18 seconds of security event logs. 18 seconds. It was awesome that they turned some stuff on, but at the same time, I needed the log in general, not 18 seconds of activity. It was just heartbreaking.

Natalia: What is your guidance to red teamers? What best practices should they consider?

Jake: Stop trying to be sexy. Every time there’s a major security conference like a Black Hat or a ShmooCon, I get some red teamers who come back and say, “I just saw this super cool, super awesome technique.” I ask, “Are attackers using that?” and they say, “I’m sure they will be.” When we have credible intelligence that they are, then we’re going to invest that time. Make sure you’re actually providing value back to the organization and understand what that means.

In late 2019, I was at a major insurance company and they have a red team that is about a third of the size of their blue team, which is just wrong. I asked, “Can I see an example of a report?” And the red team leader says, “No.” I said, “You do know I have an NDA with you. We’re physically here at your headquarters.” He said that they only share these reports with management and that executives understand the risks. He said that if they tell the blue team how they’re doing everything, they’ll catch the red team immediately.

The biggest outcome of this exercise became how do we stop doing red team for red team’s sake, such as to be a bunch of cool hackers and go break stuff. How do we turn this around where the red team is providing value to blue team? Security is a service provider to the organization, and red team ultimately should be driven by blue team (their customer). The red team’s goal isn’t to go sneak around and remain undetected for the sake of their egos. The goal is to identify vulnerabilities, missing patches or misconfigurations, or find gaps in coverage for monitoring. The customer for that is blue team. I look at the blue team as tasking the red team and saying, “Here’s what we need from you.” Red team’s hacking, sexy, cool stuff is secondary.

Natalia: What kind of training would you recommend for red and blue teams?

Jake: If I’m a blue teamer, I’m going to be staying on the cutting edge of what’s the latest thing happening with system logs. I’m less about tools than I am about techniques. What do I have available from a detection standpoint? I’m not interested necessarily in my blue teamers going out and trying to figure out how to go through exploits, run exploits. That’s a red team kind of thing.

For a red team, send them to conferences. People don’t like to hear this, but the conferences are going to pay off better than any red team courses for anybody who has got more than a year of red team experience. The reason is the networking. You network, and you start getting put in these private Slack groups or on email lists. Everybody knows everybody. You’re going to hear about those newer techniques. I’m less about formalized training than I am about getting them into networking opportunities.

Natalia: What do you think red and blue teams will continue to think about even after the pandemic? What changes are going to make long-lasting impacts on the security industry?

Jake: This applies to both red and blue teams, and it’s understanding the attack surface. Something that we’ve seen more than any previous year has to be software-as-a-service (SaaS). We shifted to work from home, depending on which part of the country, either over a 24 or a 48-hour period all the way up to maybe a two-week period. By any measure, it’s insanely fast for a lot of folks to do, and so they made a lot of changes to get stuff done without really looking at the long-term security implications.

I’m already discussing with clients how to go back and memorialize what they did as we ran home. In late March, most CISOs I talked to didn’t believe we’d still be at home at the end of the year. They thought this was a one-month or two-month situation so risks we were ready to accept for a month look a whole lot different than risks we’re going to live with in perpetuity.

For the folks rolling into holiday standdown time, now is the time to make some of those changes. On the red team side, another big one is: Know your scope, know your scope, know your scope. Just because I have data in Salesforce doesn’t mean you can go hack Salesforce. Your red team needs to know what they legally can do and what they ethically should do and make sure everyone is aligned there. From a blue team side, you figure out how you want them to evaluate the security of your Salesforce tenant. I think that’s really it, knowing what architecture changes we made as we moved into that fully remote environment, and how many of those need to be revisited. And the answer is a lot of them. I think it’s no secret that a lack of change control drives a lot of breaches.

Natalia: Any last words of wisdom to help red and blue teams strengthen cybersecurity?

Jake: Both red and blue should absolutely be using threat intelligence. That doesn’t mean every org needs a dedicated cyber threat intelligence (CTI) analyst. It doesn’t mean go buy another threat intelligence feed. What I’m looking at is what we need to prioritize not based on what could happen but on what we know is happening. Those are two very different things. When I look at the range of possible bad things that could happen to us, I think: What are we actually seeing in the wild, both in our organizations and in other organizations?

When you learn about a threat that’s targeting a different industry, like healthcare, should you be paying attention to it? The answer is obviously yes, you should be. Just because it’s a big push in one industry doesn’t mean it’s not coming to you. All things equal, I’m going to prioritize more in my vertical, but I have to have an ear to the grindstone for what’s happening in other verticals as well.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity or on LinkedIn for the latest news and updates on cybersecurity.
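Jake's three blue-team practices from earlier in the interview (turn the auditing on, raise the event log caps well past the 20 MB default, and read the whole audit policy) can be checked from one script on any Windows host. This is an added PowerShell example, not code from the interview or from Microsoft; the channel list and the 1 GB target are assumptions, and it must run from an elevated prompt because the Security log is admin-only.

```powershell
# Added example, not from the interview: check whether key Windows event logs are
# enabled, how much history they actually hold, and whether they still sit at the
# ~20 MB default cap. Run from an elevated PowerShell prompt.
# The channel list and the 1 GB target are assumptions; adjust them to your environment.
$channels = @(
    'Security',
    'System',
    'Microsoft-Windows-PowerShell/Operational',
    'Microsoft-Windows-Sysmon/Operational',
    'Microsoft-Windows-TaskScheduler/Operational'
)
$targetBytes = 1GB   # assumed minimum cap; the default Security log is 20 MB

foreach ($name in $channels) {
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) { Write-Warning "${name}: channel not present on this host"; continue }

    $flags = @()
    if (-not $log.IsEnabled)                      { $flags += 'DISABLED' }
    if (-not $log.RecordCount)                    { $flags += 'EMPTY' }
    if ($log.MaximumSizeInBytes -lt $targetBytes) { $flags += 'CAP TOO SMALL' }

    # Wall-clock history that survives in the log right now (the "18 seconds" check):
    # newest event minus oldest event still retained.
    $span = 'n/a'
    if ($log.RecordCount) {
        $oldest = (Get-WinEvent -LogName $name -MaxEvents 1 -Oldest -ErrorAction SilentlyContinue).TimeCreated
        $newest = (Get-WinEvent -LogName $name -MaxEvents 1 -ErrorAction SilentlyContinue).TimeCreated
        if ($oldest -and $newest) { $span = ($newest - $oldest).ToString('d\.hh\:mm\:ss') }
    }

    [pscustomobject]@{
        Log      = $name
        Enabled  = $log.IsEnabled
        MaxMB    = [math]::Round($log.MaximumSizeInBytes / 1MB)
        Records  = $log.RecordCount
        History  = $span
        Findings = ($flags -join ', ')
    }
}

# Read the whole "menu": every audit subcategory and whether success/failure is collected.
auditpol /get /category:*

# Raising the cap on one host (at scale, push the same value through GPO under
# Computer Configuration > Policies > Administrative Templates > Windows Components >
# Event Log Service > Security > "Specify the maximum log file size (KB)"):
# wevtutil sl Security /ms:1073741824
```

A log that reports a History of seconds or minutes on a busy server is the case Jake describes: auditing was switched on, but the cap was never raised, so the evidence rolls off before anyone can read it.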
