The concept of red teaming has been around since the 1960s. Red teams use tactics, techniques and procedures to emulate a real-world threat and measure the effectiveness of your defenses. “Red teaming is narrative-driven,” said Jared Atkinson of SpecterOps. It looks at a specific attack chain and doesn’t take into account the “numerous variations” in how a threat can enter your environment.
Red teaming is not effective for evaluating the efficacy of preventative or detective security controls, Atkinson said, but purple teaming is. He defined purple teaming as “the evaluation of security control efficacy through atomic testing, using deliberately selected test cases.” Atomic testing allows teams to control variables and evaluate a specific part of an attack chain.
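As an added illustration of the distinction Atkinson draws above (this is example code written for this page, not code from the podcast, SpecterOps or Atkinson), the Python harness below runs deliberately selected, single-variable test cases for one technique, an encoded PowerShell command line, against a detection rule tuned to the one command line a red team happened to use, and then against a rule revised after the atomic cases exposed its gaps. The command lines are constructed sample telemetry with a placeholder payload, the two regexes and the helper names (`evaluate`, `score`, `gaps`) are assumptions made for this illustration; the `-e`, `-ec` and `-enc` forms are PowerShell's documented abbreviations of `-EncodedCommand`.

```python
import re
from dataclasses import dataclass

# Added example; all command lines are constructed sample telemetry, not captured data.
# The payload is an arbitrary base64 placeholder, not a real script.
PAYLOAD = "QQBBAEEAQQBBAEEAQQBBAA=="


@dataclass(frozen=True)
class TestCase:
    name: str           # the single variable this case isolates
    cmdline: str        # constructed process command line
    is_malicious: bool  # ground truth: should the control fire?


# Deliberately selected cases: each changes exactly one variable of the
# "encoded PowerShell command" technique relative to the baseline.
CASES = [
    TestCase("baseline", f"powershell.exe -EncodedCommand {PAYLOAD}", True),
    TestCase("short flag -enc", f"powershell.exe -enc {PAYLOAD}", True),
    TestCase("alias -e", f"powershell.exe -e {PAYLOAD}", True),
    TestCase("alias -ec", f"powershell.exe -ec {PAYLOAD}", True),
    TestCase("pwsh binary", f"pwsh.exe -EncodedCommand {PAYLOAD}", True),
    TestCase("extra args first",
             f"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand {PAYLOAD}", True),
    TestCase("mixed case", f"PoWeRsHeLl.ExE -eNcOdEdCoMmAnD {PAYLOAD}", True),
    TestCase("benign exec policy",
             "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1", False),
    TestCase("benign notepad", "notepad.exe C:\\Users\\alice\\notes.txt", False),
]

# Rule as a single red-team narrative would leave it: tuned to the exact
# command line observed during that one engagement (hypothetical rule).
NARRATIVE_RULE = re.compile(r"powershell\.exe\s.*-encodedcommand\s", re.IGNORECASE)

# Rule revised after atomic testing: both binaries and the documented
# abbreviations of -EncodedCommand. Still not exhaustive (a renamed binary
# would evade it), which is what the next round of test cases would show.
ATOMIC_RULE = re.compile(
    r"\b(powershell|pwsh)(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE
)


def evaluate(rule, cases):
    """Run every case through the rule; return {name: (expected, observed)}."""
    return {c.name: (c.is_malicious, bool(rule.search(c.cmdline))) for c in cases}


def score(results):
    """Summarise a run as (true positives, false negatives, false positives)."""
    tp = sum(1 for exp, obs in results.values() if exp and obs)
    fn = sum(1 for exp, obs in results.values() if exp and not obs)
    fp = sum(1 for exp, obs in results.values() if not exp and obs)
    return tp, fn, fp


def gaps(results):
    """Names of malicious cases the rule missed, i.e. the variables it is blind to."""
    return [name for name, (exp, obs) in results.items() if exp and not obs]


if __name__ == "__main__":
    for label, rule in (("narrative rule", NARRATIVE_RULE), ("atomic-tested rule", ATOMIC_RULE)):
        results = evaluate(rule, CASES)
        print(f"{label}: tp/fn/fp = {score(results)}; missed = {gaps(results)}")
```

Because each case moves one variable, a miss names the variable the control is blind to (flag spelling, binary name) rather than reporting only that "the red team got in", which is the evaluation a narrative-driven exercise cannot give.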
In this episode of CyberEd.io’s podcast series “Cybersecurity Insights,” Atkinson discussed:
- The value in building defenses around lateral movement, credential access and privilege escalation;
- How SpecterOps’ BloodHound Enterprise product helps you get rid of routes along an attack path and achieve least privilege;
- Why defenders should focus less on detection and more on “shepherding that detection through remediation.”
Atkinson is a security researcher who specializes in digital forensics and incident response. He is a PowerShell expert, active in the open-source community, and the lead developer of PowerForensics and Uproot. He also maintains a DFIR-focused blog. Recently, Atkinson built and led private-sector hunt operations capabilities. Prior to that, he led incident response missions for the U.S. Air Force Hunt Team.