FireEye Stories

Testing and Coaching for Resilient Incident Response

If a security control isn’t realistically tested, how do you know if it’s effective? If a security team fails silently, will you know? Security-conscious organizations understand the importance of proactively testing and developing their security team’s tactical capabilities, processes and technologies that equip them for effective detection, prevention and response to targeted cyber attacks.

The Importance of Proactive Assessments

With the cyber threat landscape becoming more sophisticated and personnel turnover leading to loss of institutional knowledge, organizations must position their security teams for continuous review and development that is aligned with their business objectives and with the threats specific to their industry.

The only truly effective way to improve cyber incident detection and response capabilities is to partner with a leading provider who possesses the latest threat intelligence. FireEye Mandiant consultants deliver testing that encompasses real-world tactics, techniques, and procedures (TTPs) seen on the front lines, and provide coaching to improve your processes, technologies and people moving forward. By testing capabilities and training key personnel, organizations can reduce the frequency and impact of harmful cyber incidents and improve their response to them.

Introducing the Purple Team Assessment

The new FireEye Mandiant Purple Team Assessment (formerly known as a Red Team for Security Operations) takes organizations from all industries to the next level of incident detection and response.

This service evaluates an organization’s ability to prevent, detect, and respond to realistic attack scenarios that are relevant to their specific industry, including the assessment of existing security tools and staff capabilities. A purple team encompasses attacks executed by our red team (penetration testing) consultants in collaboration with our blue team (incident response) consultants, providing hands-on coaching of security teams on tactical methods to improve detection and response across the entire attack lifecycle.

We recently enhanced this service by utilizing the FireEye Verodin® Security Instrumentation Platform (SIP). Verodin SIP provides evidence of the effectiveness of customers’ cyber security controls, which in turn enables them to validate the protection of their business-critical assets. The Verodin SIP works by deploying its instrumentation software into an organization’s IT environment(s) to test the effectiveness of endpoint, email, cloud, and network controls. The Verodin SIP continuously executes tests and analyzes the results to proactively alert on drift from a known-good baseline, validates and optimizes security control configurations, and provides evidence demonstrating whether the controls purchased and deployed are delivering the desired business outcomes.

Verodin SIP dashboard

By observing malicious behaviors within the context of their production environment, SOC analysts empirically understand how their layered defenses are responding to threats across the entire lifecycle of an attack—from initial infection to lateral movement, persistence, and data exfiltration—and determine how to take the best course of remediation action based on their unique toolsets and configurations. For further validation (outside of normal scheduled testing), Verodin SIP performs “stealth” test exercises to verify that gaps have been hardened, analysts are well-practiced, and correct response procedures and processes are being followed. This unique ability to see into the future and change the outcome significantly reduces the financial and operational impact of an incident.
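To make the "alert on drift from a known-good baseline" idea concrete, here is an added Python illustration; it is not Verodin or FireEye code and does not reflect how the SIP is implemented. It records, for each simulated technique, whether the control stack prevented the action, whether a detection was logged, and whether an alert reached the SOC, then compares a later run against the accepted baseline and summarizes regressions by attack-lifecycle phase. The technique IDs are real MITRE ATT&CK identifiers, but every outcome value, phase label, function and field name below is a constructed assumption for this example.

```python
"""Baseline-drift check for security-control validation results.

Added example, not Verodin/FireEye code. A baseline captures the accepted
outcome of each control test; a later run is compared field by field. Any
outcome that went from True to False is a regression worth investigating,
any False to True is an improvement that can be promoted into the next
baseline. All results below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The three questions a control test answers, in lifecycle order.
CHECKS = ("prevented", "detected", "alerted")


@dataclass(frozen=True)
class Outcome:
    phase: str        # attack-lifecycle phase the test exercises (constructed label)
    prevented: bool   # control blocked the simulated action
    detected: bool    # a detection event was written to the SIEM/EDR
    alerted: bool     # an alert actually reached the analyst queue


@dataclass(frozen=True)
class Drift:
    technique: str
    phase: str
    check: str
    baseline: bool
    current: bool

    @property
    def regression(self) -> bool:
        # True -> False is a loss of protection, detection or alerting.
        return self.baseline and not self.current


# Constructed sample data: accepted baseline from the last assessment.
BASELINE: Dict[str, Outcome] = {
    "T1566": Outcome("initial access", prevented=True, detected=True, alerted=True),
    "T1059": Outcome("execution", prevented=False, detected=True, alerted=True),
    "T1003": Outcome("credential access", prevented=False, detected=True, alerted=True),
    "T1021": Outcome("lateral movement", prevented=False, detected=True, alerted=False),
    "T1048": Outcome("exfiltration", prevented=True, detected=True, alerted=True),
}

# Constructed sample data: today's scheduled run.
CURRENT_RUN: Dict[str, Outcome] = {
    "T1566": Outcome("initial access", prevented=True, detected=True, alerted=True),
    # Regression: the script-block logging source silently stopped forwarding.
    "T1059": Outcome("execution", prevented=False, detected=False, alerted=False),
    "T1003": Outcome("credential access", prevented=False, detected=True, alerted=True),
    # Improvement: an alert rule for lateral movement was added since the baseline.
    "T1021": Outcome("lateral movement", prevented=False, detected=True, alerted=True),
    # T1048 is absent: the test could not run, so no evidence exists for it.
}


def compare(baseline: Dict[str, Outcome], current: Dict[str, Outcome]) -> List[Drift]:
    """Return every check whose value differs from the baseline.

    A technique present in the baseline but missing from the current run is
    treated as failing every check: missing evidence is not a passing result.
    """
    drifts: List[Drift] = []
    for tech, base in baseline.items():
        cur: Optional[Outcome] = current.get(tech)
        for check in CHECKS:
            before = getattr(base, check)
            after = getattr(cur, check) if cur is not None else False
            if before != after:
                drifts.append(Drift(tech, base.phase, check, before, after))
    return drifts


def regressions_by_phase(drifts: List[Drift]) -> Dict[str, int]:
    """Count regressions per lifecycle phase so analysts see where coverage slipped."""
    summary: Dict[str, int] = {}
    for d in drifts:
        if d.regression:
            summary[d.phase] = summary.get(d.phase, 0) + 1
    return summary


def report(drifts: List[Drift]) -> List[str]:
    """Human-readable drift lines, regressions first."""
    ordered = sorted(drifts, key=lambda d: (not d.regression, d.technique, d.check))
    return [
        f"{'REGRESSION' if d.regression else 'improvement'} {d.technique} "
        f"[{d.phase}] {d.check}: {d.baseline} -> {d.current}"
        for d in ordered
    ]


if __name__ == "__main__":
    found = compare(BASELINE, CURRENT_RUN)
    for line in report(found):
        print(line)
    print("regressions by phase:", regressions_by_phase(found))
```

Treating a missing result as a failed check is the design choice worth copying: a test that did not run provides no evidence that the control works, which is exactly the silent failure the post warns about.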

Effective incident response conditioning requires an ongoing feedback loop between offense and defense. While red team assessments are offensive and one-sided, the Purple Team Assessment helps organizations measure their ability to communicate gaps, validate modifications, and improve blue team response capabilities. By adding a rigorous level of automated testing to the assessment methodology, the Purple Team Assessment powered by Verodin SIP delivers faster, safer, and automated insights that directly translate into business value.

The MITRE ATT&CK™ Dashboard—Verodin SIP automates testing against MITRE ATT&CK™ techniques

By leveraging Verodin SIP, we are able to transform our assessment capabilities from being attack-focused to controls-focused. The Verodin platform allows our Mandiant consultants to not only assess how the team performs, but to add insight into how the controls behaved during an attack and recommend adjustments for optimal performance. While we leverage our latest acquisition (Verodin) for Purple Team Assessments, it is also available to our customers as a stand-alone product.

Why a Purple Team Assessment?

Unlike adversarial penetration testing and red teaming designed to identify misconfigurations and vulnerable systems in a network, the Purple Team Assessment is a collaborative service focused on building protection, detection, and response capabilities. The final Purple Team engagement report will provide quantifiable evidence of security effectiveness.

Over time, this assessment will mature a security program across the following areas:

  1. Detection needs: Gain visibility into the evolving threat landscape backed by the latest intelligence, and also confirm necessary visibility across a specific environment.
  2. Automation advancements: Ensure people, processes and tools are synchronized to achieve effective prevention, detection, and response.
  3. Business objectives: Justify security expenditures and Return-On-Investment (ROI) with quantifiable metrics, and determine how the business reacts to customized targeted attacks. Build executive-level confidence in the security program by tuning and testing before a real-world attack.

Prerequisites for Assessment Optimization

We strongly recommend organizations meet the following requirements before engaging in a Purple Team Assessment:

  1. A SIEM to collect various logs, including server event logs (application, system and security), AV alert logs, web proxy logs, other endpoint detection logs, and IDS/IPS logs.
  2. An EDR product and/or AV solution.
  3. A response plan that takes an event to an incident.
  4. A method for collecting and maintaining mail/exchange logs (e.g., to track phishing emails).

If a team does not collect some of the logs listed above, it should at least have direct access to the relevant consoles and infrastructure, so that it can gather this information without involving another team or going through a separate access process.

Customer Success

A global media company that had engaged in years of penetration testing by other vendors said those engagements yielded very little value beyond compliance recommendations. This organization recently engaged in a Purple Team Assessment with FireEye Mandiant and appreciated the focus on testing and developing detections across each phase of the attack lifecycle. The Purple Team Assessment helped the organization build its security team’s capabilities and efficacy, instead of merely providing a report of vulnerability findings. Once the engagement ended, the company’s Director of Security stated, “This was the most useful security assessment we’ve received to date.”

Collaborative Focus on Detections

Adversarial exploitation engagements provide organizations a realistic assessment of their ability to protect critical assets. As FireEye CEO Kevin Mandia recently stated, FireEye Mandiant consultants are about 90 percent effective in penetrating and compromising corporate networks. By shifting from adversarial/offensive engagements, which are almost always successful, to collaborative engagements such as FireEye Mandiant Purple Team Assessments, organizations can further improve and mature their security operations, with quantifiable measures of improved prevention, detection and response to targeted attacks.

Learn more about FireEye Mandiant Purple Team Assessments and the FireEye Verodin Security Instrumentation Platform, and watch this Cyber Defense Summit 2019 presentation for additional information.