The concept of red teaming has been around since the 1960s. Red teams use tactics, techniques, and procedures to emulate real-world threats and measure the effectiveness of defenses. “Red teaming is narrative-driven,” says Jared Atkinson of SpecterOps. A red team engagement follows one specific attack chain and doesn’t consider the “myriad variations” that a threat can take in an environment.
Atkinson said red teaming isn’t well suited to assessing the effectiveness of preventative or detective security controls, but purple teaming is, which he defines as “assessing the effectiveness of security controls through atomic testing using purposefully selected test cases.” Atomic testing lets the team control variables and evaluate specific parts of the attack chain in isolation.
Speaking on this episode of the Cybersecurity Insights podcast series, Atkinson discussed:
- The value of building defenses around lateral movement, credential access, and privilege escalation.
- How SpecterOps’ BloodHound Enterprise product eliminates routes along the attack path and enables least privilege.
- Why defenders should focus on “managing detection through remediation” rather than detection.
Atkinson is a security researcher specializing in digital forensics and incident response. He is an expert in the PowerShell and open source communities, and is the lead developer of PowerForensics and Uproot. He also maintains a DFIR-focused blog. Recently, Atkinson built and led a private sector hunt operations capability, and previously led incident response missions for the US Air Force Hunt Team.