Security or Serendipity?
When Tenet finally rolled into theaters in September 2020, you probably didn’t expect it to contain a pretty poignant lesson about cybersecurity and red teams. In all likelihood, not even legendary writer/director Christopher Nolan knew it when he spent $200 million of Warner Bros. money to put the heady action-thriller together. But in any case, he fucking nailed it. So buckle up.
There is a fundamental disconnect between how red teams and blue teams look at the world. Tenet exemplifies this dynamic perfectly using a military operation in its pivotal scene that it dubs the temporal pincer movement. If you haven’t seen the movie, the premise (spoilers!!!) centers around a device called a turnstile that allows the user to reverse the flow of time. Using this device, two teams engage in the same military operation, but while the red team performs the operation in real time, the blue team operates in reverse time. The idea is that the operation will be most successful in completing its objective if the team moving in reverse time can meet the forward-moving team at the beginning of the event and explain to them exactly what will go wrong and what they need to fix.
Your Real-Life Pincer Move
Sound familiar? While red teams in cybersecurity are not yet capable of time travel (follow Randori on Twitter and LinkedIn to stay tuned for when we release that feature), we are creating a second, earlier attack to ostensibly derive the same benefits. In the movie, the objective is saving the world by defusing a giant bomb. In reality, it is a perfectly secure system (which you’ll never achieve, but the pursuit is noble).
In the movie, as in real life, the red team puts together a kill chain to achieve the objective. In the heat of battle, it’s not as linear as all that. It looks more like trying a lot of things and failing. Only with hindsight do you see it as a chain of events that leads to the objective. Blue teamers, and defenders in general, are operating in reverse. They start with an outcome and reverse engineer how that outcome occurred or might occur.
But unlike in Tenet, in reality the system is flawed. Red and blue teams are tragically under-connected. They are, for all intents and purposes, two separate and unrelated entities. Yet the red team only exists to improve the actions and results of the blue team. We are lacking the key moment when the red team and blue team break down the battle together, improving each other’s tactics at every turn. We in the cybersecurity industry could learn a thing or two from Nolan’s strategies.
How to Conquer Uncertainty
So what does a temporal pincer look like in real life? Purple teams are emerging. These can be useful, but ultimately they do not replace red or blue teams. Merging them isn’t an ideal security posture, because they are doing opposite jobs. The real solution is a sound communication mechanism that interfaces between the red team and the blue team.
This is what we’re building at Randori. Our goal is to combine the knowledge of the red team (visibility and target temptation) with the capabilities of the blue team (impact and status) in order to deliver a more holistic defense posture. The turnstile the characters used to reverse the flow of time looks, in practice, like runbooks and actions. These are how our platform documents attack activities in real time. This gives both teams the ability to see through the fog of war and facilitates communication to improve results. The platform moves forward through the attack, and the defender arrives at the end and gets to discover the attack using the knowledge from the automated red teaming platform.
The pincer move features teams moving from both directions in time simultaneously and converging. In the final battle, the pincer move must be performed several times, so that several blue teams and red teams are acting simultaneously to improve upon the results of the last iteration. This is the optimization process you must mimic with your blue team, only in advance of the battle. The more pincer moves you perform, the stronger the results of your operation will be on game day. After having seen the battle in real time, you will be able to predict what the threat actors are going to do in your environment.