CSNP

Why You Should Embrace Purple Team Today

Introducing Purple Teaming



Author: Jorge Orchilles


Wait, wait, wait, are you introducing us to another color in information security?


Yes we are, but hear us out.


We are not introducing a new job role where you have to hire more people or have to spend more money. See, a purple team is a virtual, functional team that fosters collaboration and efficiency in testing, measuring, and improving your current cyber security people, process, and technology (security controls).


People


Purple Teaming is a collaborative effort between the following teams. Your organization may not have some of these, and that is perfectly alright:

  • Cyber Threat Intelligence - a team of analysts that researches and understands a target organization and the adversaries that have the capability, intent, and opportunity to attack it.

  • Red Team - the offensive team, often coming over from Penetration Testing or other offensive security assessments, and in charge of emulating adversaries.

  • Blue Team - the defenders: Security Operations Center (SOC) analysts, Detection Engineers, Hunt Team, Digital Forensics and Incident Response (DFIR), and/or Managed Security Service Providers (MSSP).

A Purple Team Exercise is a full-knowledge engagement where the attack activity is exposed and explained as it occurs. Purple Team Exercises are "hands-on keyboard". Red and Blue teams work together with an open discussion about each attack technique and defense expectation to improve people, process, and technology in real-time. Purple Team Exercises are Cyber Threat Intelligence led, emulating Tactics, Techniques, and Procedures (TTPs) leveraged by known malicious actors actively targeting the organization. This identifies and remediates gaps in the organization’s security posture.


In comparison, a Red Team Engagement is a zero-knowledge assessment where the defenders are unaware of what is happening. To be clear, the target company’s senior management, and other “trusted agents” or “white cells” are aware of the engagement, but the analysts do not know. A Purple Team Exercise is full-knowledge. The Red Team is not trying to be stealthy. Instead, they are mimicking and sharing the attacks that the adversaries are performing against other organizations.
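The "open discussion about each attack technique and defense expectation" above turns into a concrete artifact during the exercise: for every emulated TTP, the Blue Team states what it expects its controls to do, the Red Team runs the procedure, and the two record what was actually observed. The following tracker is an added example (not code from the article, SCYTHE, or the Purple Team Exercise Framework) showing how that expectation-versus-outcome record feeds the Lessons Learned gap list. The four technique results are constructed sample data; the ATT&CK IDs are real public identifiers, but the outcomes and remediation notes are invented for the illustration.

```python
"""Purple Team exercise tracker: compare each TTP's defense expectation with the
observed outcome and produce the gap list for Lessons Learned. Added example."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List


class Outcome(IntEnum):
    """Ordered so that a higher value is a better defensive result."""
    NONE = 0       # no telemetry at all
    LOGGED = 1     # evidence exists in logs, but no alert fired
    ALERTED = 2    # a detection fired and the SOC was notified
    PREVENTED = 3  # a control blocked the technique outright


@dataclass(frozen=True)
class TechniqueResult:
    technique_id: str   # ATT&CK technique ID
    name: str
    expected: Outcome   # Blue Team's expectation, stated before execution
    observed: Outcome   # what actually happened when Red ran it
    remediation: str = ""  # agreed follow-up, filled in during the discussion


def find_gaps(results: List[TechniqueResult]) -> List[TechniqueResult]:
    """Techniques where the observed outcome fell short of the stated expectation."""
    return [r for r in results if r.observed < r.expected]


def summarize(results: List[TechniqueResult]) -> Dict[str, int]:
    """Count observed outcomes per category, for the exercise scorecard."""
    counts = {o.name: 0 for o in Outcome}
    for r in results:
        counts[r.observed.name] += 1
    return counts


def lessons_learned(results: List[TechniqueResult]) -> List[str]:
    """One action line per gap, largest shortfall first."""
    gaps = sorted(find_gaps(results), key=lambda r: r.expected - r.observed, reverse=True)
    return [
        f"{r.technique_id} ({r.name}): expected {r.expected.name}, observed "
        f"{r.observed.name}. Action: {r.remediation or 'TBD'}"
        for r in gaps
    ]


# Constructed sample results for one exercise (outcomes are invented).
SAMPLE_RESULTS = [
    TechniqueResult("T1566.001", "Spearphishing Attachment",
                    Outcome.PREVENTED, Outcome.PREVENTED),
    TechniqueResult("T1059.001", "PowerShell",
                    Outcome.ALERTED, Outcome.ALERTED),
    TechniqueResult("T1003.001", "LSASS Memory",
                    Outcome.PREVENTED, Outcome.LOGGED,
                    "Move the endpoint rule from audit to block; confirm events reach the SIEM"),
    TechniqueResult("T1021.002", "SMB/Windows Admin Shares",
                    Outcome.ALERTED, Outcome.NONE,
                    "Onboard file-share audit logs and write a detection for admin-share logons"),
]


if __name__ == "__main__":
    print("Scorecard:", summarize(SAMPLE_RESULTS))
    for line in lessons_learned(SAMPLE_RESULTS):
        print("GAP:", line)
```

The ordering of `Outcome` is the important design choice: because the enum is ordered, a gap is simply any technique whose observed value is below the expected one, so the same tracker works whether the expectation was "block it" or merely "make sure it is logged".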


Process


Sounds easy, right? At a high level, these teams work together and voilà! But what do they actually do? SCYTHE has released the Purple Team Exercise Framework to guide you through the entire process. This includes the Cyber Threat Intelligence, Preparation, Exercise Execution, and Lessons Learned phases:




At a high level, a Purple Team Exercise is executed with the following flow: