An interview with Stephen Ridgway, CTO & Co-Founder of th4ts3cur1ty.company
[PenTest Magazine]: Hello Stephen! How are you doing? Could you introduce yourself briefly to those of our readers who don’t already know you?
[Stephen Ridgway]: Hi! I’m very well, thanks for asking, though a little tired having just got back from talking at BSides Bratislava.
For those that don’t know me, I’m a co-founder of th4ts3cur1ty.company, which I set up with Eliza May Austin to focus on Purple Team engagements and SOC development. Prior to that, I worked as Director of Security Operations for an MSSP. I’ve been in IT Security one way or another for 20 years, and I spent a good deal of time working for a globally critical financial services organisation. Useless fact of the day: I was, in a previous life, briefly the world’s leading expert on limpet evolution and worked at the Natural History Museum in London before moving into technology.
[PT]: You mentioned that you have just got back from the BSides conference in Bratislava. Could you tell us something more about the topic of your presentation and the event itself?
[SR]: Yes! Th4ts3cur1ty.company were the sponsors of the very first BSides Bratislava conference, which was organised by Alexander Nevski and Michaela Stranovska. The talks were great and included topics as diverse as hacking a satellite and reverse engineering firmware from a vulnerable web camera. Eliza and I gave a joint demo and talk about security (or rather the lack of it) in Docker installations and how to address some of the more common issues. Containerisation isn’t well understood by security professionals, in my experience, and developers don’t always think to configure the features needed to make Docker secure. There’s lots to look at in the arena of containerisation security, so we hope we’ve inspired the delegates at BSides to ask some questions of their own organisations’ implementations of Docker. There’s a whole load of things that might be interesting to Pentesters too.
[PT]: What frustrates you most about the security industry as it currently stands?
[SR]: Cyber security is a difficult industry for companies to navigate. There are over 2000 products and services on the market and it’s really hard to tell which ones are going to address your actual issues and which ones are perfectly decent but just not what you need. To add to that, there is too much ‘snake oil’ being sold - buy this and it will fix all your problems. It almost definitely won’t!
One area I’m particularly worried about at the moment is Red Teaming/Pentesting. A great deal of money is spent on these activities but it’s difficult to see if that has resulted in consistent improvements in the security of the organisations undertaking them. Undoubtedly, these activities find vulnerabilities and ways to compromise organisations, but are they focused on the right things? And many organisations struggle to implement the right fixes even if the reports give them good information to work with. The Red and Blue Teams aren’t joined up and working to the same agenda in many cases. Often the Red activities are commissioned by a completely different part of the organisation from the Blue Teams' and I’ve seen on many occasions how little benefit the defenders get from these activities.
[PT]: How can this be solved?
[SR]: One approach that is finally catching people’s attention is Purple Teaming. This method addresses some of the drawbacks of the traditional Pentest or Red Team engagements and is increasingly seen as a more efficient and productive way of working.
[PT]: You mentioned Purple Teaming exercises, what is that?
[SR]: Purple teaming at its core is bringing together the Red and Blue team members into Purple Team functions where both sides work together to understand the most likely, highest risk, weaknesses an organisation has, then develop realistic attack scenarios and execute them, checking at each step that the Blue team can detect, contain, eradicate and recover from the attacks.
[PT]: So basically collaboration is key to improving internal security posture?
[SR]: Yes, collaboration is the key, but it has to be done in a particular way. It’s no good to just sit some Red and Blue team members together and expect things to be fine. The two sides need to work together to gather threat intelligence, identify most likely adversaries, understand their TTPs, identify the most likely vectors for attack based on a good understanding of the company’s threat landscape and then develop and test realistic scenarios until the defenders are confident that they’ve got it covered.
[PT]: Is this something that can be automated?
[SR]: No, it’s a human process. Anyone that says otherwise is trying to sell you crap. Having access to good tooling makes the job easier, but we are still a very long way away from being able to deal with this as a technology problem. People are what make or break things.
[PT]: Would you agree with the statement that the role of the Blue Team in the cybersecurity sector is kind of underestimated, or neglected? Most of the focus seems to be targeted on the offensive side.
[SR]: I think it’s fair to say that offensive security, Red Teaming or pentesting, is seen as rather glamorous and exciting while defensive security/Blue Teaming is wrongly assumed to be mundane and repetitive. The truth is that the defensive team members are the ones who actually detect, contain and eliminate real threats on a daily basis, which for me is the most exciting and satisfying aspect of Cyber Security. Blue Team members have to understand both the nature of the attacks and how to contain and eradicate them, which takes a great deal of skill and a lot of dedication. Sadly, it isn’t always recognised that there is so much more to defensive security than just watching alerts on a SIEM.
[PT]: If someone somewhere is reading this and doesn’t have a budget for Purple Teaming, what can they do for free to benefit from the same concept?
[SR]: It’s possible to start on a small scale and use the people you already have. The sec community is highly motivated, so you may well have people in your organisation that would jump at the chance to practice some focused, targeted scenarios. I would recommend that you avoid being overambitious if you’re starting out down this path. Begin with scenarios based on well-known methods of attack - phishing, XSS or SQL Injection. Keep the scenarios straightforward and focus on the Incident Response Lifecycle: detect, contain, eradicate and recover.
[PT]: How can someone get buy-in from internal stakeholders to run Purple Team exercises?
[SR]: What this boils down to is the most efficient use of resources. Most security issues are caused by lapses in ‘basic hygiene’ - patching, managing authentication, collecting logs and alerts, user awareness training, threat intel etc. It’s estimated that around 80% of cybersecurity issues could be avoided by keeping on top of these things, so when tests are run, we are not ‘discovering’ the obvious. Secondly, we are humans, we therefore react to things in ways that have evolved over millions of years. Humans learn and perfect skills by training and repeating them. This works much better than just testing people without telling them what you’re testing them on. The issue we have in cyber isn’t that budget holders aren’t investing enough in security, it’s that their investment has poor returns. Bring the offensive and defensive sides of security together and you’ll get bigger improvements faster, which results in a more secure organisation and probably even a reduction in costs.
[PT]: What does the situation of Purple Team exercises look like at the moment? Is it evolving?
[SR]: There is a lot of interest in Purple Team exercises at the moment. Senior security leaders in organisations are beginning to understand that when the Blue and Red teams work closely together on realistic scenarios, it is possible to identify weaknesses in their defences, fix them and train their defensive teams in a rapid and cost-effective way.
At th4ts3cur1ty.company, we advocate the use of Intelligence-led, Adversary Emulation Purple Teaming, which is a methodology we have developed to take Purple Teaming one step forward, so yes, I think we are entering a phase of rapid evolution in this space. It’s great to see that SANS now has a Purple Team course and I believe that it is very well subscribed. There’s lots of interest in this space at the moment.
[PT]: What are your predictions for the role of Purple Teaming in the cybersecurity landscape? Would you say that you are an optimist about it?
[SR]: I think that as Purple Teaming becomes better known and understood, the processes and procedures for executing engagements will continue to improve. I’m looking forward to a time when purple teaming is seen as the norm for security testing and I am genuinely optimistic that this approach will help make companies noticeably more secure.