Creating an Effective Assessment Plan
The effectiveness of a cybersecurity assessment is dependent upon several factors. Important considerations include the type of assessment and its operational goals.
Choosing the Correct Assessment Type
Cybersecurity assessments are not "one-size-fits-all"; there are several types from which organizations can choose.
- Red Team: In a red team assessment, the assessment team is focused on the offensive side of the exercise. Red team members will use the same tools, techniques, and procedures as a real-world attacker to identify potential gaps in the organization’s security.
- Blue Team: Members of a blue team join an organization’s existing security team in defending against an attack. Whether part of an exercise or during everyday operations, they help to develop plans that address cyber threats, configure security solutions, and teach the team how to identify different types of attacks.
- Purple Team: A purple team assessment incorporates both red and blue team members. The red team attacks the organization’s network while the blue team defends it. At intervals, the red and blue team meet to compare notes, enabling them to take advantage of both perspectives.
Any cybersecurity assessment—red, blue, or purple—brings benefits to the organization; however, each has its own unique strengths.
- Red Team: A red team assessment determines the ability of an organization’s current security to cope with a real attack.
- Blue Team: Pairing blue team members with the in-house security team helps the organization get the most out of its existing security solutions and deliver targeted training to its staff.
- Purple Team: A purple team provides the most complete assessment of the organization's security, since its findings are guided by the experience of both the red and blue teams.
Designing an Assessment to Minimize Risk
Performing a security assessment on every component of an organization's infrastructure is infeasible; corporate networks are complex, and there are numerous cyber threats that could jeopardize their security.
A cybersecurity assessment plan should be based upon an organization's risk management strategy. The operational objectives of the assessment should target the areas where findings will have the greatest impact on the organization. Ideally, the assessment would enable a company to identify and correct the most dangerous holes in its security first.
The MITRE ATT&CK framework is an invaluable tool for planning an assessment and mapping it to an organization's risk management strategy. ATT&CK breaks the cyberattack lifecycle into tactics (the attacker's objective at each stage) and catalogs the techniques an attacker can use to achieve each one.
Using this as a guide, a company can develop a testing strategy that provides a clear picture of its vulnerability to a particular threat. For example, an in-depth assessment of its exposure to the Credential Access tactic within MITRE ATT&CK provides insight into the effectiveness of the organization's IAM security. A tightly scoped, targeted assessment provides actionable feedback and a measurable impact on an organization's security posture.
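As an added example (not code from the original article), the Python script below sketches one way to turn that planning step into a ranked scope: techniques under the Credential Access tactic are scored by the organization's risk weight multiplied by how little control coverage already exists, and the highest residual-risk techniques become the assessment's focus. The technique IDs and names are real ATT&CK entries; the risk weights and coverage scores are constructed sample values standing in for an organization's risk register.

```python
"""Rank ATT&CK techniques within one tactic to scope an assessment (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    tid: str     # ATT&CK technique ID
    name: str
    tactic: str  # ATT&CK tactic ID; TA0006 is Credential Access


# Constructed subset of the ATT&CK catalog; IDs and names are the real ones.
CATALOG = [
    Technique("T1003", "OS Credential Dumping", "TA0006"),
    Technique("T1110", "Brute Force", "TA0006"),
    Technique("T1558", "Steal or Forge Kerberos Tickets", "TA0006"),
    Technique("T1556", "Modify Authentication Process", "TA0006"),
    Technique("T1552", "Unsecured Credentials", "TA0006"),
    Technique("T1021", "Remote Services", "TA0008"),  # Lateral Movement: out of scope
]

# Constructed risk register: how much each technique matters to this organization (0-1),
# as decided by its own threat model and risk management strategy.
RISK_WEIGHT = {"T1003": 0.9, "T1110": 0.6, "T1558": 0.8, "T1556": 0.5,
               "T1552": 0.7, "T1021": 0.8}

# Constructed estimate of existing control and detection coverage per technique (0-1),
# as reported by the blue team before the assessment.
COVERAGE = {"T1003": 0.7, "T1110": 0.9, "T1558": 0.2, "T1556": 0.1,
            "T1552": 0.4, "T1021": 0.5}


def residual_risk(tid: str) -> float:
    """Risk left after existing controls: weight x (1 - coverage).
    A technique missing from the register gets a middling weight and no coverage."""
    return RISK_WEIGHT.get(tid, 0.5) * (1.0 - COVERAGE.get(tid, 0.0))


def plan_scope(tactic: str, top_n: int = 3) -> list[tuple[str, str, float]]:
    """Return the top_n techniques of one tactic, highest residual risk first."""
    in_scope = [t for t in CATALOG if t.tactic == tactic]
    ranked = sorted(in_scope, key=lambda t: residual_risk(t.tid), reverse=True)
    return [(t.tid, t.name, round(residual_risk(t.tid), 2)) for t in ranked[:top_n]]


if __name__ == "__main__":
    for tid, name, score in plan_scope("TA0006"):
        print(f"{tid} {name:<35} residual risk {score:.2f}")
```

Re-running the script with updated coverage scores after the assessment shows whether the fixes actually moved the ranked techniques down the list.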