Figure by Snowded (Own work, CC BY-SA 3.0)
I believe that the main proactive aspect of a CISO’s job is to lower complexity by moving as many events as possible into the obvious domain (originally called the “known” domain), each with a recognized best practice implemented through appropriate tools and automation. This maps nicely to the “known knowns” I mentioned in a previous post. Vulnerability assessment is a typical example of something that can be automated in the obvious domain.
The reason is that proactive cyber tools focus on handling the obvious domain (the known knowns) and attempt to codify what is hopefully a best practice for that domain. Many tools claim to do much more; some even claim to prevent chaotic events (i.e. zero-days), but they really don’t…
So a proactive CISO needs to do three things:
- Define the event types that are currently the most risky to the organization.
- Move as many events as possible from the complicated and complex domains to the obvious domain.
- Automate the obvious domain as much as possible.
The purple team is the CISO’s “right hand” in making this happen.
Take SolarWinds SUNBURST as an example. For most organizations it fell somewhere between a complicated and a complex event, which is why so many companies fell prey to it.
The attackers pulled together known exploits and techniques in novel ways to achieve their goal. For example, the attack used a technique that had been known for a while but had never before been seen in the wild: the “Golden SAML” attack, first reported by CyberArk in 2017, which is similar to the golden ticket attack known since 2014.
The only realistic way to turn complicated and complex events into obvious ones is purple-team, risk-based threat modeling. A purple team cannot prevent an attack, but it can minimize or even prevent the damage it does.
To achieve that goal a purple team must have access to the current organizational architecture, the existing threats (not just exploits) and the business processes, plus the knowledge to turn those into an attack model. It then applies this model to find the riskiest components and attack paths. Using this map, the purple team assumes that an adversary will somehow make the leap and operationalize those attack paths (whether or not the exact exploit is known at the time) and ranks them by risk. That ranked list becomes the roadmap from which the purple team generates defense scenarios to block those attack vectors.
This is why purple teams are so important. As adversaries become more sophisticated and multi-vector attacks more prevalent, purple teams are the only way to give the organization a roadmap for preventing or minimizing attack damage.
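To make the process concrete, here is a small worked example of the ranking step. It is added here and is not the post’s own code or tooling: the component graph, the hop likelihoods and the impact scores are all constructed for illustration (the supply-chain and forged-SAML hops echo the SUNBURST and Golden SAML pattern above, but none of the numbers come from a real assessment). Each hop carries the team’s estimate that an adversary who already holds the source component can operationalize it, whether or not a specific exploit exists today; a path’s risk is the impact of the asset it reaches times the product of its hop likelihoods, and a defense scenario is modeled as lowering one technique’s likelihood and re-ranking.

```python
"""Added example (not from the post): a toy risk-based attack-path model.

The architecture, likelihoods and impact scores below are constructed for
illustration; in practice they come from the organization's architecture,
threat intelligence and business-process owners.
"""
from collections import defaultdict
from math import prod

# Constructed architecture as a directed graph. Each hop is
# (next_component, technique, likelihood), where likelihood is the purple
# team's estimate that an adversary who already controls the source
# component operationalizes this hop, exploit known or not.
ATTACK_GRAPH = {
    "internet": [
        ("vendor_update_server", "supply-chain compromise of a trusted vendor", 0.2),
        ("vpn_gateway", "phishing / credential stuffing", 0.5),
    ],
    "vendor_update_server": [("monitoring_server", "trojanized signed update", 0.8)],
    "vpn_gateway": [("workstation", "session hijack and lateral movement", 0.6)],
    "monitoring_server": [("domain_controller", "abuse of over-privileged service account", 0.7)],
    "workstation": [("domain_controller", "local privilege escalation and credential theft", 0.3)],
    "domain_controller": [("adfs_signing_key", "export token-signing certificate", 0.7)],
    "adfs_signing_key": [("cloud_mailboxes", "forged SAML assertion (Golden SAML)", 0.9)],
    "cloud_mailboxes": [],
}

# Crown jewels with a constructed business-impact score (1-10).
IMPACT = {"domain_controller": 8, "cloud_mailboxes": 9}
ENTRY_POINT = "internet"


def enumerate_paths(graph, start, impact):
    """Return every simple path from start to a crown jewel.

    A path is a list of (component, technique, likelihood) hops; the first
    entry is the entry point itself with technique None and likelihood 1.0.
    Paths may continue through one crown jewel on the way to another.
    """
    paths = []

    def walk(node, path, seen):
        if node in impact:
            paths.append(list(path))
        for nxt, technique, likelihood in graph.get(node, []):
            if nxt in seen:  # skip cycles
                continue
            path.append((nxt, technique, likelihood))
            walk(nxt, path, seen | {nxt})
            path.pop()

    walk(start, [(start, None, 1.0)], {start})
    return paths


def path_risk(path, impact):
    """Risk = impact of the reached asset x probability that every hop succeeds."""
    target = path[-1][0]
    return impact[target] * prod(likelihood for _, _, likelihood in path)


def rank_paths(graph, start, impact):
    """Attack paths sorted from riskiest to least risky."""
    ranked = [(path_risk(p, impact), p) for p in enumerate_paths(graph, start, impact)]
    return sorted(ranked, key=lambda item: item[0], reverse=True)


def component_exposure(ranked):
    """Sum of path risk flowing through each component (entry point excluded).

    The highest-exposure components are where one control blocks the most
    risk; this ordering is the purple team's defense roadmap.
    """
    exposure = defaultdict(float)
    for risk, path in ranked:
        for component, _, _ in path[1:]:
            exposure[component] += risk
    return dict(sorted(exposure.items(), key=lambda kv: kv[1], reverse=True))


def apply_control(graph, technique, residual_likelihood):
    """Defense scenario: a control lowers the likelihood of one technique."""
    return {
        node: [(nxt, t, residual_likelihood if t == technique else p) for nxt, t, p in hops]
        for node, hops in graph.items()
    }


if __name__ == "__main__":
    ranked = rank_paths(ATTACK_GRAPH, ENTRY_POINT, IMPACT)
    for risk, path in ranked:
        print(f"{risk:6.3f}  " + " -> ".join(c for c, _, _ in path))
    print("exposure:", component_exposure(ranked))
    # Scenario: protect the AD FS token-signing key so exporting it becomes unlikely.
    hardened = apply_control(ATTACK_GRAPH, "export token-signing certificate", 0.1)
    print("after protecting the signing key:")
    for risk, path in rank_paths(hardened, ENTRY_POINT, IMPACT):
        print(f"{risk:6.3f}  " + " -> ".join(c for c, _, _ in path))
```

With the constructed numbers the two paths that end at the domain controller rank highest, and the domain controller accumulates the most exposure because every path to the cloud mailboxes also passes through it. Re-ranking after the signing-key control shows the mailbox paths dropping to well under a tenth of their original risk while the domain-controller paths are untouched, which is exactly the kind of comparison a purple team uses to choose between competing defense scenarios.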
PS. Another interesting aspect of the Cynefin framework is the little hook at the bottom between obvious and chaos. It depicts the danger of misclassification (and of complete automation): if a complex (or even complicated) event is misclassified as obvious, there is a very real chance of falling into chaos…