Cybersecurity - Homefield Advantage
No one should beat your security team on the homefield!
For several years I have been using the term Homefield Advantage in the context of running a security program, especially in regards to certain aspects of red teaming. Homefield Advantage describes well what a mature security program has to realize and leverage.
Wikipedia describes “home advantage” in team sports and highlights some of the benefits:
“This benefit has been attributed to psychological effects supporting fans have on the competitors or referees; to psychological or physiological advantages of playing near home in familiar situations; to the disadvantages away teams suffer from changing time zones or climates, or from the rigors of travel; and, in some sports, to specific rules that favor the home team directly or indirectly.” (Wikipedia, 2019)
Homefield Advantage and Security
The concept of Homefield Advantage in the cybersecurity world is very much related to the concepts we see in sports. An inhouse security team can build strong defenses and practice in order to better understand their own turf.
Leveraging a red team for instance can help to highlight paths and attacks an adversary might perform. The idea of Homefield Advantage is to leverage intellegence from multiple sources to form the best possible understanding of the organizations homefield. Equipped with that information it is possible to be a step ahead of real adversaries when it comes to defending the organization.
Traditionally many pentest teams operate in a silo and lenghty reports are being used to communicate findings and results. This is especially true when outsourcing pentesting to a vendor where a final report is thrown “over the fence”.
Although it will check a couple of compliance boxes, this become quite inefficient and expose your organization to risks longer then necessary.
Purple Teaming and the Homefield Advantage
Purple Teaming is one of the strategies that can help better understand and leverage the homefield advantage. Pen testers, defenders and engineers work in a very tight feedback loop to apply mitigations and reduce risk quickly. I have led purple team operation with 30+ participants and those obviously were exciting projects. Focused, fast paced, and with an immense amount of learnings and mitigations or detections being built right away. At times repeating certain attacks until detections and mitigations were in correctly in place.
After such a training session all stakeholders have a better understanding of what they homefield actually looks like. This is where the red teaming part is important. The red team is there to help push the boundaries and help see the homefield in a different light. Explore the unknown. A report here is more of a high level summary or presentation highlighting objectives, findings and mitigations put in place (or lacking) - all the findings and mitigations are tracked live via Jira or whatever bug or incident tracking tool your organization uses.
Don’t get beat on your home turf!
Purple teaming is a great way to practice on the homefield, there are other aspects to fully realizing Homefield Advantage as a corporate security strategy. Homefield Advantage goes way beyond operational red teaming and pen testing.
Performing Active Defense, as well as compiling Threat Intelligence, Asset and Resource Management, Risks & Vulnerabilities in a system that can be queried (by red, blue and engineering teams) is what can provide that advantage in day to day situations, and obviously during the time of crisis and incidents.
No one should beat your security team on the homefield! :)
Johann Rehberger
References: