Cybersecurity

Make a plan, get a purple team: Expert goes over industrial threat surface

“I go see these incidents every single week…That’s what I do for a living,” Dragos technical director says.
article cover

Qi Yang/Getty Images

less than 3 min read

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

For threats to the industrial sector—still rather weak on cybersecurity—it’s best to find creative ways to address the issue.

Lesley Carhart, technical director for industrial incident response at Dragos, told IT Brew at the RSA Conference in early May that she recommends an approach that encompasses gaming out the problem and purple teaming.

“You have to start thinking about, what will you do if you have to do incident response, because it can happen to anyone,” Carhart said.

Your move. To begin with, she explained, it’s best to make a plan. Organizations can start with tabletop exercises, where teams can examine what the problem is and how to manage it. Hypothesizing attack possibilities in a contained environment is also a good way to work on team cohesion.

“That’s easy, that’s cheap, that’s low pressure,” she said. “It’s a good relationship builder. But at some point, you have to move on beyond that.”

Harold’s crayon. That’s when it’s time to bring in purple teaming. Rather than requiring the level of technical expertise of a large scale pen test, purple teaming allows for attack simulation that results in a report showing strengths and weaknesses within systems. Exposing those flaws offers teams the opportunity to find out where they might be lacking—and it’s a strategy Carhart would like to see more organizations embrace.

“Sometimes your tools don’t work right, sometimes they’re not configured right,” Carhart said. “And this seems like really common sense stuff, but nobody’s doing it.”

Unfortunately, most organizations don’t take that to heart. Carhart told IT Brew that she sees the real world results in her day to day. Often the victims of attacks had a plan but hadn’t tested them out.

“I go see these incidents every single week,” she said. “That’s what I do for a living. And usually people are in tears, or they’re screaming at me, because it is their worst day ever. It is a catastrophe. And there’s always something going wrong. They had a plan; it's all wrong. They've never tested their backups; they've never tested containment. The time to do that is now, when nothing is really bad.”

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.