The Vulnerability Research team has been utilising the expertise and experience of the ethical hacking community to identify and test MOD's systems. This has given us access to some of the best security researchers in the world and we will continue to engage with and learn from them. But who are these ethical hackers helping to keep the Ministry of Defence secure, and what do they do?
(Although these hackers are fictitious, they are based on real-life people that have taken part in our Bug Bounty challenges; many of these roles are also expertly performed by MOD personnel)
A Vulnerability Assessment is a process of identifying, classifying, and prioritising vulnerabilities in an asset. It evaluates whether a system is exposed to known vulnerabilities, assigns severity levels to identified vulnerabilities, and recommends remediation or mitigation steps where required. Automated tools are used to scan for common vulnerabilities. A Vulnerability Assessment is a great initial tool to find the ‘easier to spot’ vulnerabilities and should be one of the first security tests conducted before utilising a more advanced tool.
A penetration test is designed to evaluate the security of a system, identifying weaknesses as well as strengths. Pen-tests will typically use the same tools and techniques as a malicious hacker to achieve a predetermined goal, so the testing can be more focused within certain areas of a system. At the end of the engagement, a report and full risk assessment will be completed. The penetration test should be conducted after an asset has been initially secured, to check that security improvements are working correctly.
A Bug Bounty challenge utilises the unique perspective of crowdsourced hacking, inviting a group of ethical hackers to hack a specific system over a set timeframe. The hackers are remunerated for each vulnerability they find. The Common Vulnerability Scoring System (CVSS) is used to determine the severity of a vulnerability; the greater the severity, the higher the reward. Bug Bounties encourage hackers to look for vulnerabilities that are more complex, and to develop more sophisticated attack strategies. A bug bounty is a powerful addition to MOD's security testing tools and is most beneficial for more mature assets.
Red, Blue & Purple Teams
Red, Blue and Purple Team exercises test an asset's defence by mimicking an active cyber-attack. The Red team (Attackers) are tasked with penetrating a target. Their focus is not on identifying vulnerabilities, but rather on ‘breaking in’ however they can. This can include physical access and human factors such as phishing; it is often viewed as a ‘capture the flag’ activity. The Blue team (Defence), which is made up of the asset's security team, is tasked with actively defending the asset. They are not always informed of the exercise prior to the engagement.
A Purple Team is not a team as such, but more of a process by which the red team works with the blue team to support them in their defence, sharing knowledge and skills during and after the exercise.
A Red, Blue and Purple team exercise allows asset owners to have a real-life experience of how to react to a real attack. At the end of the test, the lessons learned will significantly increase an asset's security posture. They are most effective for mature assets with monitoring and security teams already in place.