Fighting cyber threats in finance: 4 principles for effective Purple teaming

Four lessons for both Red and Blue teams looking to reduce cybersecurity risks and increase leadership buy-in.

reannm, May 16, 2023

Hack The Box Article

Cyber attacks continue to plague financial teams, and there’s no sign of them slowing down. In fact, "destructive attacks" on financial organizations increased by 17% in 2022, according to VMWare's Modern Bank Heists report. So what can security teams in the finance sector do to fight back? 

We invited Allen Cavedine, Director of Vulnerability Management at Mastercard, and Mike Oppenheim, Associate Director of Threat Detection & Response at Gemini, to weigh in on this topic as part of our “Cyber Threats in Finance and Banking” webinar. 

Continue reading for a summary of the lessons they shared on how finance cybersecurity teams can proactively mitigate risks.

Lesson 1: Ensure you have a playbook for dealing with third-party and vendor compromises

“Recently at Gemini we’ve seen that SaaS and other third-party providers are being compromised,” said Oppenheim. “It’s particularly challenging because you’re putting a lot of trust in third parties; being able to ensure that their controls and security align with your security values is key.”

As the demand for online financial services increases and remote work grows in popularity, so too does the need to rely on outside resources and service providers to keep pace. In turn, this has expanded the cyber attack surface exponentially, making teams and businesses involved with finance in any capacity prime candidates for threat actors.

This point is further emphasized in the Varonis 2021 Data Risk Report, which found that financial services employees at medium-sized organizations have an average of 11 million files available to them, while employees at larger financial institutions often have access to more than 20 million files.


Source: Varonis 2021 Data Risk Report

“This leads to additional credential harvesting and other activities to try and find legitimate credentials and get legitimate access to the potential or actual target that the threat actor would want.” 

With this information in mind, as well as the knowledge that it’s not a matter of if, but when a cyber incident will occur, Oppenheim adds: “It’s more important than ever to have a playbook and response mechanism in place to protect your company’s data as well as the data of your customers.”

Lesson 2: Buy-in for Red team operations (and security in general) is critical

You can’t complete a puzzle without all the pieces, and the same concept is true for your security practices. Until you have all of your pieces together (Red, Blue, and Purple team experts), your data will never be as secure as possible. But while having all of these components is essential when reinforcing your cybersecurity posture, it can be a challenge to get the right people on board to make this happen.

“Whether you’re launching company-wide awareness training or making the case for a Red or Purple team, having leadership on board is critical,” Cavedine noted. Without that support, he emphasized, a team has no authorization for the resources needed to build and attack realistic environments, and no one to back it up if something goes wrong.

If your company is struggling to get support for Red team activities or new hires, Cavedine suggests partnering with Blue teams to help shift those mindsets. “Come up with detection and alerting roles for methodologies that aren’t common or aren't being pushed by a vendor, and then share patches and mitigations faster than the vendor.”

This was something he learned from personal experience after encountering a mail server vulnerability that allowed someone to give Exchange servers domain-level privileges. After modeling the vulnerability and working with the client organization’s Blue team to build their own version of it, his team helped create a custom detection definition before the vendor had even responded.

“That was a big win. We were able to say that because of the pentesting and Red teaming, we were able to test and mitigate risk before vendors provided patches.” 


Lesson 3: Purple teaming allows Red and Blue teams to run their own playbook

Once you have leadership buy-in for fully operational Red and Blue teams, what’s next? Cavedine shares that it’s essential to encourage both teams to work together and participate in Purple team exercises on a routine basis:

“When you start pentesting and Red Teaming, you’re not waiting for something to happen, something real is happening, and you’re giving your team a chance to respond and run their playbooks,” he said. “Blue teams want to know how you did it, and they want to stop that from happening ever again.”

One method he has found beneficial to his Purple team efforts is participating in comprehensive hands-on exercises designed to mimic the most common vulnerabilities facing cybersecurity teams. “Using the MITRE ATT&CK framework running through all the possible attack vectors is a good start and gives you blanket coverage on a lot of things.” 

And by fully preparing your team for known security threats, you can better mitigate the newly developed risks your team might be less familiar with. “It’s when new, unconventional scenarios are created by new methodologies and ideas being combined to create unique attack patterns that challenge your security posture in a realistic way.”

On the topic of Blue and Red teams: A study conducted by CyberRisk Alliance found that 88% of Purple teamers believed their cybersecurity defenses had improved after conducting adversarial attack simulations and emulations. In comparison, 52% of cybersecurity professionals using only Red team exercises believed their defenses had improved.

Lesson 4: Security is a shared mission

“Going beyond the tactical elements like controls and system-level changes, there’s a strategic level of company involvement,” Oppenheim said. “Any time you’re dealing with an active incident that’s a higher priority, you’re dealing with other departments. It’s not just to help a TDR or SecOps mission. It’s testing as a company if you’re ready or prepared.”

At the end of the day, organizational security isn’t just the responsibility of Red and Blue teams—it’s a joint effort by every employee at every level. A single cyber attack can not only compromise sensitive financial information; it can also paralyze an organization's critical operations and permanently alter brand reputation. That's why everyone from senior leadership to new hires must be aware of cybersecurity threats and take the necessary precautions to prevent them.

Whether you're a top executive or a front-line employee, you have a role to play in protecting your organization's data and infrastructure. From participating in Red and Blue team exercises to identifying phishing emails or reporting suspicious activity, every employee needs to be vigilant, aware, and prepared to defend against cyber threats.
