Introducing Purple Teaming
Author Jorge Orchilles
Wait, wait, wait, are you introducing us to another color in information security?
Yes we are, but hear us out.
We are not introducing a new job role where you have to hire more people or have to spend more money. See, a purple team is a virtual, functional team that fosters collaboration and efficiency in testing, measuring, and improving your current cyber security people, process, and technology (security controls).
Purple Teaming is a collaborative effort between the following teams. Your organization may not have some of these, and that is perfectly alright:
Cyber Threat Intelligence - team of analysts that research and understand a target organization and the adversaries that have the capability, intent, and opportunity to attack them.
Red Team - the offensive team, often coming over from Penetration Testing or other offensive security assessments, and in charge of emulating adversaries
Blue Team - the defenders. Security Operations Center (SOC) analysts, Detection Engineers, Hunt Team, Digital Forensics and Incident Response (DFIR), and/or Managed Security Service Providers (MSSP)
A Purple Team Exercise is a full-knowledge engagement where the attack activity is exposed and explained as it occurs. Purple Team Exercises are "hands-on keyboard". Red and Blue teams work together with an open discussion about each attack technique and defense expectation to improve people, process, and technology in real-time. Purple Team Exercises are Cyber Threat Intelligence led, emulating Tactics, Techniques, and Procedures (TTPs) leveraged by known malicious actors actively targeting the organization. This identifies and remediates gaps in the organization’s security posture.
In comparison, a Red Team Engagement is a zero-knowledge assessment where the defenders are unaware of what is happening. To be clear, the target company’s senior management, and other “trusted agents” or “white cells” are aware of the engagement, but the analysts do not know. A Purple Team Exercise is full-knowledge. The Red Team is not trying to be stealthy. Instead, they are mimicking and sharing the attacks that the adversaries are performing against other organizations.
Sounds easy, right? At a high level, these teams work together and voilà! But what do they actually do? SCYTHE has released the Purple Team Exercise Framework to guide you through the entire process. This includes the Cyber Threat Intelligence, Preparation, Exercise Execution, and Lessons Learned phases.
At a high level, a Purple Team Exercise is executed with the following flow:
1. An Exercise Coordinator introduces an adversary, behaviors (TTPs), and technical details
2. Attendees have a table-top discussion of security controls and expectations for TTPs
3. Red Team emulates the TTPs
4. Blue Team (SOC, Hunt team, and DFIR) analysts follow their process to detect and respond to the emulated TTPs
5. Share screens to show whether the TTPs were identified: alerts received, logs, or any forensic artifacts
6. Document results - what worked and what did not
7. Perform any adjustments or tuning to security controls to increase visibility
8. Repeat TTP
9. Document any feedback and/or additional Action Items for Lessons Learned
10. Repeat from step 1 for next TTP
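To make the per-TTP record keeping in steps 2 through 9 concrete, here is an added example (not code from SCYTHE or the Purple Team Exercise Framework) that tracks the table-top expectation, each emulation's outcome, the tuning applied between runs, and the open action items; the TTP labels and outcomes are constructed.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Outcome(IntEnum):
    # Ordered so a result can be compared against the table-top expectation.
    NOT_OBSERVED = 0  # no log, alert or forensic artifact
    LOGGED = 1        # artifact or log exists, nothing fired
    ALERTED = 2       # alert fired and reached an analyst
    PREVENTED = 3     # control blocked the technique

@dataclass
class TTPRecord:
    technique: str                                    # introduced by the coordinator (step 1)
    expected: Outcome                                 # agreed at the table-top (step 2)
    runs: list = field(default_factory=list)          # one Outcome per emulation (steps 3-5, 8)
    tuning: list = field(default_factory=list)        # control adjustments (step 7)
    action_items: list = field(default_factory=list)  # items for Lessons Learned (step 9)

    def record_run(self, outcome):
        self.runs.append(outcome)

    def gap_remains(self):
        # True while the latest result is still below what the table-top expected.
        return not self.runs or self.runs[-1] < self.expected

    def improved(self):
        # True if repeating the TTP after tuning raised the outcome.
        return len(self.runs) >= 2 and self.runs[-1] > self.runs[0]

def exercise_summary(records):
    # Step 6 / step 9 output: what worked, what did not, what is still open.
    return {r.technique: {"first": r.runs[0].name if r.runs else None,
                          "last": r.runs[-1].name if r.runs else None,
                          "improved": r.improved(), "gap": r.gap_remains(),
                          "open_items": list(r.action_items)} for r in records}

def sample_exercise():
    # Constructed walk through the flow for two hypothetical TTP labels.
    a = TTPRecord("sample TTP 1", Outcome.ALERTED)
    a.record_run(Outcome.LOGGED)                  # first emulation: logged, no alert
    a.tuning.append("detection rule added")       # step 7
    a.record_run(Outcome.ALERTED)                 # step 8: repeat, now alerts
    b = TTPRecord("sample TTP 2", Outcome.PREVENTED)
    b.record_run(Outcome.NOT_OBSERVED)            # nothing seen at all
    b.tuning.append("logging enabled on host")
    b.record_run(Outcome.LOGGED)                  # better, still below expectation
    b.action_items.append("tune the preventive control and re-test")
    return [a, b]
```

The summary for the sample shows the first TTP closed after one round of tuning while the second still has an open gap, which is exactly the list the Lessons Learned phase needs.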
An internal Red Team may have access to various tools that allow the emulation of adversary behaviors and TTPs. Our team at SCYTHE created a free and open source project called the C2 Matrix, where we attempt to document all Command and Control (C2) frameworks available for free and commercially. This is a great start; however, we highly recommend using an enterprise-grade platform that has the ability to automate adversary behaviors consistently and reliably in your live, production environment.
Purple Team operations allow for the collaboration, measurement, and improvement of current people, process, and technology. We believe this is a relatively new concept that will bring significant value to your organization! We hope you have found this post helpful and educational. If you are ready to begin performing Purple Team Exercises, check out the Purple Team Exercise Framework and contact us for help.
About the author: Jorge Orchilles is the Chief Technology Officer of SCYTHE and co-creator of the C2 Matrix project and author of the Purple Team Exercise Framework. He is a SANS Certified Instructor and the author of Security 564: Red Team Exercises and Adversary Emulation. He was a founding member of MITRE Engenuity Center of Threat-Informed Defense. When he’s not hacking, teaching, or writing, you’ll find him watching and playing soccer.