Purple teaming and the role of threat categorization

Organizations constantly work to ensure optimal threat detection and prevention across their systems. One question gets asked repeatedly: “Can we detect the threats we’re supposed to be able to detect?”



Red team assessments, penetration tests, and even purple team assessments (in their current form) are all designed to answer this question. Unfortunately, as attacks grow more complex, these assessments struggle to provide a comprehensive answer. Why is that?


The answer is: variation. These assessment services typically test defenses against ten to twenty attack techniques, and use only one (or, in rare cases, a few) variations of each technique. But a single technique can have thousands or even millions of variants (as a matter of fact, one technique I examined had 39,000 variations, and another had 2.4 million).


This makes it hard to know whether an organization is truly protected or was simply prepared for the specific technique variant the red team happened to use. Will an attacker use the same one? With thousands of options at their disposal, it isn’t likely.


As a result, many organizations have begun to embrace purple teaming, where red and blue teams work together to take a more comprehensive and collaborative approach to security assessments. But how can teams defend against the huge cloud of possible variations of each attack technique when they don’t account for (or even understand) all those variations? This is why I believe purple team assessments must evolve.


Cataloguing attack variants


In my mind, a more comprehensive way to evaluate defenses is to test them against a representative sample of the variants of each attack technique, rather than against a single instance of it.


Obviously testing each variant of an attack technique – like that one where I fo ..