DavidJBianco published the blog “The Pyramid of Pain” in March of 2013 for incident responders that compared the “relationship between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you are able to deny those indicators to them.” This pyramid has helped many professionals in the security field easily understand the different ways to value indicators during an incident or hunt. I have taken a similar approach to show the importance and merit of proactive services along with the level of investment required to truly benefit from an engagement.
The old expression, if it’s worth doing, it’s worth doing well, definitely applies to proactive services as these drive value with operational velocity. All proactive services should be a two-way engagement; some services will deliver more benefit if company teams are actively involved with the consultant delivery. The bottom of the pyramid should not be discredited or seen as less valuable than the top of the pyramid, as these are foundational to security and enable speed of transformation.
Starting at the bottom or the base there are Plans and Playbooks, which should be considered living documents that are maintained based on the culture and capabilities to combat threats. These engagements will typically start with a short meeting with consultants, followed by a second meeting to review the draft. There are many different features that should be considered when defining plans and playbooks, along with references to applicable and/or recognized industry standards (e.g., NIST, ISO, PCI DSS, etc.). The reality with Plans and Playbooks is the usefulness is not for when there is an actual security incident; the value is a means to be better prepared, and as a sanity checklist for actions that must be taken per business policy and/or obligations. The biggest mistake a company can make is to ask about a template for creating these operational aids as no two companies are truly the same in addressing security and threats. It is more effective to shift the mindset by talking about a checklist or outline for drafting plans and playbooks with consideration to the culture, technologies, risk tolerance, and operational capabilities of the company and people.
The next level from the base is Tabletop Exercises and/or Readiness Assessments. These services are not identical in effort or scope; however, they should help entities better understand where gaps might be in operations and technical capabilities. The internal level of effort will require blocking some time on various team members’ calendars whether to participate in the Tabletop Exercise or interviews for the Readiness Assessment. The consultants should be taking most of the lift in effort for these services based on internal input. For example, the consultants will create the Tabletop Exercise scenario based on a topic of internal focus (e.g., phishing, ransomware, internal threat, etc.) and internal inputs should be taken for the Readiness Assessment from alignment to industry standards to technical configuration scope. The output of these services will start the real work for the internal teams in areas of operational processes, documentation, or even possibly provisioning new security controls. The best use of Tabletop Exercises and/or Readiness Assessments is to take ownership of the engagement scope to maximize results in verifying the trust in operations and identifying means to disrupt the mundane as operations progresses to meet new challenges.
Placed still within the foundation of proactive services, Penetration Testing assessments are a common proactive service that tends to not involve a lot of operations within the engagement. There are many ways smart and motivated offensive security professionals can attempt to break a network, application, hardware, protocol, or even physical property. These engagements will typically have strong guidelines or a defined scope for the testing, which can result in an entity not knowing what they don’t know. Unfortunately, many companies do not take full advantage of Penetration Testing assessments by not involving developers and/or operations during the engagement to learn about responding in real time to adversary threats. The double edge for this service is many consultants will not be thinking from a blue side or defense perspective for mitigating the attack. For these reasons, Penetration Testing assessments will be most beneficial when the developers, operations, and leadership are involved with defining the type and scope of Penetration Testing assessment rather than operating in silo or secretive.
The middle of the pyramid starts with Threat Hunts and/or Compromise Assessments. These types of services require more operational involvement of security and/or IT administrators. The value comes from the concept of looking for active threats within the security controls while identifying gaps in coverage for enforcement and/or visibility. Typically, threat hunters will need to share suspicious activity from consoles or logs with operational teams to further investigate if observations are malicious. It can sometimes be challenging to determine what classifies a threat deserving actions and the level of enforcement. This service, even if done without full effort, should provide operational teams with a better understanding of triaging security events for an incident and preliminary investigation methods that can be leveraged in forensic analysis. Lastly, this type of engagement can help identify gaps in visibility or enforcement across the networked environment based on possible threats to the organization.
Cyber Range exercises will typically take the attendees’ time for the exercise but do not require a lot of set up or preparation. The Cyber Range term is loaded with meaning, capabilities, technologies, and marketing. Most Cyber Range services will focus on training individuals on forensic analysis techniques (e.g., Windows, network, memory, etc.) based on a controlled compromised environment (e.g., credential dumps, privilege escalation, web shells, etc.). These exercises typically take three to five days of time, on average, and can be helpful for individuals involved with forensic analysis, even if it’s not their full-time role. For this training to be truly beneficial to the team or individual, it is important to find ways to continuously use and expand this skillset whether investigating incidents and/or practicing forensic analysis in a lab. The techniques for forensics and adversary actions are constantly evolving and require continuous learning to ensure the ability to perform effective and efficient analysis.
Log Architecture assessments are in the top three as these engagements require time to consider threats, costs, capabilities, and investigation techniques across operations and technical components, which will probably result in more work after the assessment. A Log Architecture assessment should provide a technical review of audit trails, events, and logging capabilities of systems and appliances within the networked environment, while giving specific recommendations to verify and/or enable appropriate parameters. There are many ways to automate and/or script the collection of settings; it’s important to strike a balance between collection of events for investigating while staying within storage budget, capacity, resources, and other business considerations. This type of service can often extend scope into operationalizing aspects, which should be carefully considered to ensure the technical aspects don’t get less coverage for the sake of operations. An assessment for operations in monitoring of logged events should be considered as a separate assessment depending on the size and formality of a security operations center (SOC). It is critical to remember a log architecture assessment does not require a formal security team or formal SOC to provide huge benefits.
Sitting in second is Red Teaming, which is not to be confused with a penetration test. The Red Teaming service should/could be at the top of the pyramid in a perfect world as the service should be a “No Holds Barred”, all-out assault through all agreed means of offensive security. While the blue team, or defensive IT/security, attempts to make the offensive team’s work more difficult or at least observed through the customer’s controls; the reality is most offensive testing for red team is treated the same as penetration testing by the blue team where little attention is paid. A Red Team exercise truly tests the resilience of the networked environment, processes, and people against threats ranging from blind GitHub downloads to highly obfuscated payloads. Red team done right should be one of the most painful yet valuable proactive services, as it fully tests security resilience through adversary methods.
The top of the pyramid is the Purple Team service, which is gaining wider appeal across entities seeking advisory proactive services. A Purple Team exercise should have more of a focus on blue team aspects (e.g., IT, Security, Dev, SOC in this order) rather than red team aspects (e.g., penetration, offensive, etc.) for the engagement. In turn, the output of a Purple Team exercise will mainly be about helping the blue team members understand the cyber kill chain of an attack. This understanding should start with the actual techniques and procedures of the attack, followed by the alerts, events, and/or activity within security controls, and finishing with the verified security events within the appropriate source log file. While there can be varied interpretations, this service should help an organization better understand their resilience against cyber security threats and the capabilities available to investigate, as well as possibly contain and/or eradicate, a cyber security breach. There is no other proactive service commonly delivered that can provide such value, require more effort, and yet vary so drastically across the industry.
Security has always been best thought about as a (never ending) journey that requires flexibility to adapt as new threats emerge or existing threats come into focus. The path an organization takes with proactive services should be dependent on the questions and answers being sought regarding cybersecurity resilience against the known and unknown. The underlying challenge is to determine the proactive services that will provide the most benefit for the cost while seeking to find a trusted partner that will deliver their best by considering your needs for security. It is time for organizations to take a more active role during engagements to better understand the effort and value gained from these services.
Driving operational velocity requires a strong security mindset. Although the level of engagement and difficulty rise towards the top of pyramid, when delivered properly, this pyramid of proactive services will provide a formidable line of defense for any organization.