It may sound like a children’s birthday party, but it’s making Siemens more secure. What do we mean? Two cybersecurity teams closely joining forces.
“Gotcha! You’re under arrest!” Does that bring back childhood memories of running around the woods playing cops and robbers with your friends? Did you prefer being the good guy or the bad guy? At Siemens, too, we sometimes play cops and robbers. It’s more than just a game for us, though: it’s our security that’s at stake. Instead of good guys and bad guys, we have a red team and a blue team. I asked two cybersecurity colleagues what this has to do with hacking and why purple represents a collaborative approach.
Wolfgang and Michael, your two departments are effectively the forward duo when it comes to cybersecurity at Siemens. What do your jobs involve?
Wolfgang Frankenberger (WF): Our Detection Services department offers various internal services: penetration testing for customers within Siemens to verify the security of web applications, for example; scanning applications to identify vulnerabilities in Siemens’ systems; security-related process assessment; and free hacking in the red team – of which I’m a member. We scan the intranet for vulnerabilities and take advantage of these to gain access to the system, just as a real cyber attacker would do. We then inform those responsible about these vulnerabilities so that they can redesign the application and close the gap. We’ve already exposed several critical security deficits in this way, providing demonstrable protection for Siemens’ business.
Michael Pascher (MP): I work in the Cybersecurity Defense Center within the Defense Services department, the so-called blue team. We’re responsible for detecting attackers in the system and rendering them harmless as quickly as possible. We do this using endpoint detection and response (EDR) tools, for example, which work in a similar way to virus scanners. They transmit warnings as soon as they identify any suspicious activity in the system. We check these warnings and, if a genuine attack is indicated, we open a security incident in conjunction with the Siemens CERT security engineers. This triggers a company-wide process coordinated with all units; the relevant stakeholders are informed and necessary action is initiated. Depending on the severity of the cyber attack, we can cut off network connections, block user accounts or even remove a system entirely from the network. Sometimes, though, it’s enough for a user to change his or her password.
The two colors of cybersecurity are therefore red – for identifying vulnerabilities and making the system as secure as possible – and blue – for detecting and suppressing attacks. So how does purple fit into the picture?
WF: “Purple teaming” is all about close collaboration between the red and blue teams – because if you mix red with blue, you get purple. We conducted this security exercise for the first time in December as a one-week event. In the red team, we simulated a wide variety of attack routes and techniques, and our colleagues in the blue team attempted to foil us using the EDR tools. We launched a classic phishing attack, for example, which tricks users into opening an e-mail attachment. Once we’ve gained control over the computer in this way, we can get our hands on the passwords and infiltrate the system via the network. If the server there contains important data that we can download, we’ve hit the jackpot. While all this was going on, the blue team was doing its best to track us down and kick us out of the system before we could do any real damage. It’s a bit like the games of cops and robbers we used to play as kids, except with a serious purpose. At the end of each round, we put our heads together to analyze which attacks had been detected, which had slipped through the net, and how we could optimize the detection tools. Our aim in doing this is to keep improving the detection of cyber attacks and blocking attackers before they can damage Siemens or our customers.
Weren’t your blue team defenders frustrated when they failed to detect your attacks?
MP: No, we saw it as a shared opportunity to hone our skills and learn from one another. Nobody felt it made them look bad or tried to explain things away. On the contrary: we all had a lot of fun and kept spurring each other on in a playful spirit of competition. That’s exactly what purple teaming is all about, not pointing the finger of blame. Of course, the fact that the red and blue teams already knew each other from their day jobs made it easier for them to work together openly. By the end of the week, we’d achieved a result that both teams were proud of.
That sounds like fun. Were there also challenges?
WF: Coronavirus made things particularly difficult for us. The original plan was for us all to travel to Portugal, where most of the blue team members are based. But of course the pandemic put a stop to that. Instead, we conducted the purple teaming exercise entirely virtually from our home offices: we messaged back and forth, spoke to one another, and shared our screens so that everyone was able to participate as fully as possible. It worked really well, but we still felt that the community spirit essential to purple teaming wasn’t quite the same as if we’d been working side by side.
MP: Normally for these events, we’d all get together in one place, book a large conference room equipped with all kinds of technology, and order in some pizza (laughs) – just as we would do for a real hackathon. Hopefully we’ll manage that next time. However, it’s also important to set a specific goal for events like these, something to work toward. Otherwise you lose focus. And ultimately the results need to be clear and reproducible. In other words: if an attack fails, you need to be able to say with certainty that this wasn’t by chance, for example because the system developed a problem or happened to be offline at the time. So you need to take a meticulous approach to follow-up and documentation.
Was this a one-off or will you soon be holding another purple teaming event – hopefully involving pizza?
WF: We’d definitely like to repeat the experience. But because the blue team first has to implement the findings and evaluate opportunities for improvement, it would make sense to wait a while before organizing the next purple teaming event. We in the red team also need time to come up with new attack tactics. And of course nobody knows when the coronavirus situation will allow people to travel and meet up in person again.
MP: Our long-term goal is for this kind of security exercise to become a routine, permanent feature of our work, not just in the form of purple teaming projects. This will enable us to continuously apply the knowledge of both teams.
How does Siemens compare to other companies in this regard?
MP: Purple teaming events are an established procedure in cybersecurity for improving the detection of hacker attacks. Siemens is on a par with other industrial companies in this regard. But if we can succeed in automating simulated attacks as in purple teaming and use them for continuous improvement, we’ll be one step ahead.
How did you get into cybersecurity, and what are the most fun aspects of your job?
WF: Like many colleagues, I studied informatics and had the opportunity to dabble in different areas at university. Cybersecurity was and still is a very exciting topic for me, with rapid technological development constantly throwing up new challenges. That’s why I continue to find my work so fascinating. What’s more, we have a key part to play in the company: with our work, we’re protecting Siemens against cyber crimes that in the worst case can wreak immense financial damage and destroy our good reputation.
MP: I completed one of the first degree programs in cybersecurity. Even then, it was clear that this would become an important topic. After all, our work is decisive in improving not only Siemens’ security but also the security of our customers. That’s a major challenge: the attack methods are constantly changing, making cyber attacks more and more difficult to detect. At the same time, that’s exactly what makes our work so exciting.