ISA CyberNews

Latest Cybersecurity News 2023-04-24 Edition

Weekly CyberTip: Red, blue, and purple teams

Ethical hacking can be an effective way of identifying potential security flaws before a threat actor can take advantage of them. The teams involved in these exercises are usually referred to as red, blue, and purple teams. The teams do not fix any vulnerabilities found (though that is obviously the ultimate goal of the exercise!); they focus on thorough testing and documentation of their activities.

“Red team” testing involves the attempted compromise of a system by specialists trained in ethical hacking. Their efforts are similar to those seen in a penetration test, but go further, with the testers using the same tools and techniques as real-world hackers. These attacks may or may not be conducted with the knowledge of internal teams. A “blue team,” meanwhile, is responsible for monitoring and defending internal resources against attackers in a simulation. “Purple team” exercises involve coordination and knowledge sharing between the red and blue teams.

Can you see the benefits of red, blue, and purple team exercises at your organization?

Mandiant releases 14th annual M-Trends report

Mandiant has released its annual cybersecurity report entitled M-Trends 2023. This year’s report features a chronology and the latest findings on Russian-based attacks since the invasion of Ukraine, a focus on two North Korean threat actor groups UNC3661 and UNC3944, extensive details on the MITRE ATT&CK techniques being used by hackers, and a summary of key 2022 threat campaigns and global events.

The report also presents a “red team” case study, providing valuable insights for organizations looking to test their preparedness. “Preparation is vital, but performing red team engagements isn’t the only way to be ready. Organizations should consider tabletop exercises, training exercises, and other techniques. Sound fundamentals, such as vulnerability and exposure management, least privilege, and hardening also play a role in building strong defenses. Cloud considerations are also important. Our red team case study demonstrates just how challenging security can be in hybrid networks connected to the cloud,” according to the report.

Some of the key statistics in the report include:

  • Global median dwell time was 16 days in 2022, down from 21 days in 2021; however, intrusions involving ransomware had a median dwell time of 9 days in 2022, compared to 5 days in 2021.
  • Organizations were notified of breaches by external entities in 63% of incidents in 2022, compared to 47% in 2021 – the highest percentage since 2014.
  • The top five sectors affected by cyber incidents reported to Mandiant were:
    • Government 25%
    • Business / Professional Services 14%
    • Financial 12%
    • Healthcare 9%
    • High Tech 9%

Annual NATO cybersecurity exercise tests resilience of critical national infrastructure

The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE)’s annual “live-fire” cyber exercise – known as “Locked Shields” – wrapped up for another year on April 21. Locked Shields involves simulated cyber attacks between two fictional island nations, with “Crimsonia” launching campaigns against “Berylia”. The simulation tests the strategies and responses of teams defending critical infrastructure including finance, energy, telecommunications and shipping. The exercise demands that the participants defend their technology as well as report incidents, execute strategic decisions, and solve forensic, legal, and media challenges along the way. The exercise plan was designed by over 400 organizers, with more than 5,500 virtual systems established for the simulation.

24 teams representing 3,000 participants from 38 nations participated in this year’s event, with the Sweden-Iceland Joint Team being judged as the most effective in the competition.

“No other cyber defense exercise can offer as specialized and detailed of an experience as Locked Shields can. 24 Blue Teams from around the world must keep critical infrastructure and IT systems up and running. Teams can demonstrate how well they can keep systems running under real-life situations and high pressure,” said Dr. Mart Noorma, NATO CCDCOE director.

In addition to the technical aspects, strategy and cooperation play an equally important role in Locked Shields. “Technical specialists cannot solve a cyber crisis alone. Usually, decision-makers and experts from different governmental bodies and walks of life are those who try to repel the attacks,” explains Noorma. “This is why, in addition to cyber defense, we focus on strategy games, legal issues, and crisis communication at Locked Shields. Cooperation must [be] swift, because a large cyber attack can quickly escalate into a large-scale security crisis, and these kinds of exercises allow us to be better prepared.”

“Exercises like Locked Shields strengthen the resilience of the global financial sector and encourage collaboration and coordination across all critical infrastructure and public sectors,” added Steven Silberstein, CEO at FS-ISAC.

Five Eyes releases smart city guidance

The CSE’s Canadian Centre for Cyber Security has joined its partners in the “Five Eyes” alliance (Canada, the U.K., Australia, New Zealand, and the United States) in issuing a joint publication documenting best practices to keep the infrastructure and information resources associated with “smart cities” as secure as possible.

“Integrating public services into a connected environment can increase the efficiency and resilience of the infrastructure that supports day-to-day life in our communities. However, communities considering becoming smart cities should thoroughly assess and mitigate the cybersecurity risk that comes with this integration,” according to the announcement of the guidance on April 19.

The report warned that successful cyber attacks against smart cities could lead to:

  • disruption of infrastructure services
  • significant financial losses
  • exposure of citizens’ private data
  • erosion of citizens’ trust in the smart systems themselves
  • physical impacts to infrastructure that could cause physical harm or loss of life


The report “provides an overview of risks to smart cities including expanded and interconnected attack surfaces; information and communications technologies (ICT) supply chain risks; and increasing automation of infrastructure operations. To protect against these risks, the government partners offer three recommendations to help communities strengthen their cyber posture: secure planning and design, proactive supply chain risk management, and operational resilience.”  

Ransomware attack forces casino chain offline

In a statement on April 17, Gateway Casinos and Entertainment revealed that they had suffered a cyber security incident that caused them to close all operations in Ontario. Gateway operates casinos in Alberta and B.C., but it is only the 14 casino locations in Ontario that have been affected by the attack.

“At this point, we do not have any information indicating that this incident involves any compromise of personal data. However, we are in the process of notifying the relevant privacy officials and gaming regulator of the incident,” according to the statement.

In addition to gaming closures, special events like concerts have been postponed. However, in their April 21 update, the chain hinted at progress in resolving the situation, saying they do not expect changes to any concerts scheduled beyond April 22.
