Purple teaming is a glossy phrase for getting your blue (cyber defence) and red (offence/pen-test) teams to work together. They are, after all, working toward the same goal: securing the same infrastructure.
A red team's purpose is to feed information back to the company upon completion of testing, so the company can implement mitigation. I am yet to see this information exchange done efficiently enough to provide any measurable improvements. The cyber defence capability (usually a SOC) often isn't made aware of testing in advance, and doesn't have the opportunity to report back on what it could and could not defend against. Simply alerting on a SIEM is a fire alarm with no extinguisher. On the occasions the defensive team is made aware, it usually has to carry the "normal" amount of work plus the known internal testing, so the testing gets deprioritised by the SOC in favour of BAU.
The reasons why alerts are not seen in the monitoring tool sets are often not investigated. Beyond pushing out patches and AV signature updates, you'll find little is done in reaction to the SOC's lack of visibility or the offensive team's successes. Little consideration is given to where in the infrastructure the attack landed, the stages at which the offensive team succeeded, or the points at which the defensive team succeeded. This really matters. We need to know what we're doing well and where we're doing a shoddy job so that we can improve.
Most companies of scale have undertaken penetration testing and/or red team testing at some point. Commonly these tests are not run with an identified adversary in mind. Well-funded, capable adversaries attack specific systems, aiming to uncover attack vectors that connect to, or exist on, business-critical services or infrastructure, in order to carry out specific actions and objectives.
It's important to mimic your known likely attackers rather than simply define a scope. There really is no point preparing the Navy to fight solely at sea if the enemy enters by air. As Sun Tzu pointed out in The Art of War, knowing your enemy is half the job. The lowest-hanging fruit should be defended through automation and periodic testing, which gives your team the resources to get itself into a combat-ready state.
You want to be purple teaming if you feel that you aren't getting the most out of your security teams. It is literally the act of collaboration and peer-to-peer training.
Considering it's often hard to get buy-in from stakeholders for potentially expensive contracts, an excellent place to start is with purple team meetings using existing employees: bring red and blue together to analyse the week's successes of the offensive activities and the failings of the defence capability.
A purple team approach works equally well with internal or external red and blue teams. If you normally use external pen-testers or if your SOC is managed by an MSSP, the approach will still yield the best results, but do make sure that you have covered your requirements for purple team activities in the contracts with your service providers.
Working in gamified environments is fun, believe me, I've done it. But bashing each other over the head with the proverbial club isn't the best way to incentivise your security teams' performance. A few years ago it came to light that the red team during a particular war-gaming exercise was not disclosing vulnerabilities to the blue team. The reason was that they were saving points to cash in later, all the while leaving vulnerabilities exposed.
So, to give you a feel for how this works in practice, here's one I made earlier:
Maybe you like the idea of running purple team operations but you don't know how much they benefit the organisation or improve security. I would suggest first trying purple team meetings by creating a purple team process. Remember you aren't creating a new team, rather defining a new way of working. Implementing this needn't be as difficult as you'd expect; purple may be a mixture of red and blue, but purple teaming should be black and white.
- Identify your most likely attackers, then research them (Google, Yeti, MITRE ATT&CK, MISP, CiSP...) to find the TTPs these threat actors use. Make your red team experts in those techniques. Your blue team should be able to calmly react to a real advanced attack if they have practised against it through purple teaming.
- Purple teaming will solidify the feedback loop in BAU.
- Purple teaming will enable a new mindset in your organisation. Understand that success is not an offensive exploit or a defensive finding, but measurable improvements made on both sides.
- Purple teaming will provide a greater understanding of the infrastructure on both sides.
- Offensive teams get to see how the defence works so they can adapt their tactics. In turn, the defence gets to see how the offence works so it can improve mitigation and hunting.
- Understand whether your security tooling is working. If your SIEM didn't alert, it is far more likely to be poorly tuned or lacking visibility than to be perfect in an infrastructure that simply has no adversaries.
How to measure success in purple teaming?
Keep track of your progression; below is a very simple way of doing so. This should lead to an improvement in security KPIs and hopefully even close off some items on the company risk register (although if done well, you may find some risks you weren't aware of before...).
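As an added example (written for this page, not the author's own tracker or template), the script below records each technique exercised in a purple team round, scores detection and prevention coverage per round, and reports the change between rounds, the open visibility gaps blue recorded, and any regressions (a technique seen in an earlier round but missed later). The technique IDs are MITRE ATT&CK IDs; the outcomes and gap notes are constructed sample data.

```python
"""Purple team progress tracker (added example; sample data is constructed).

Each Result is one line in the round's log: what red exercised, whether blue
saw it, whether a control stopped it, and blue's note on why it was missed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    round_no: int          # purple team round (e.g. the week number)
    technique: str         # MITRE ATT&CK technique ID that red exercised
    detected: bool         # blue raised an alert or found it by hunting
    prevented: bool        # a control blocked the action
    visibility_gap: str = ""  # blue's recorded reason for a miss (constructed)


# Constructed sample log: the same technique set exercised in two rounds.
RESULTS = [
    Result(1, "T1059.001", False, False, "no PowerShell script block logging"),
    Result(1, "T1003.001", True, False),
    Result(1, "T1021.002", False, False, "SMB lateral movement not in SIEM"),
    Result(1, "T1566.001", True, True),
    Result(1, "T1078", True, False),
    Result(2, "T1059.001", True, False),
    Result(2, "T1003.001", True, True),
    Result(2, "T1021.002", False, False, "workstation logs still not forwarded"),
    Result(2, "T1566.001", True, True),
    Result(2, "T1078", False, False, "alert rule disabled during SIEM upgrade"),
]


def coverage(results, round_no):
    """Return (detection_rate, prevention_rate) for one round as fractions 0..1."""
    rows = [r for r in results if r.round_no == round_no]
    if not rows:
        return 0.0, 0.0
    n = len(rows)
    return sum(r.detected for r in rows) / n, sum(r.prevented for r in rows) / n


def delta(results, earlier, later):
    """Change in (detection, prevention) rate between two rounds; positive is improvement."""
    d0, p0 = coverage(results, earlier)
    d1, p1 = coverage(results, later)
    return round(d1 - d0, 3), round(p1 - p0, 3)


def open_gaps(results):
    """Techniques still undetected in the latest round they were exercised, with blue's reason."""
    latest = {}
    for r in sorted(results, key=lambda r: r.round_no):  # stable: last round wins
        latest[r.technique] = r
    return {t: r.visibility_gap for t, r in latest.items() if not r.detected}


def regressions(results, earlier, later):
    """Techniques detected in the earlier round but missed in the later one.

    Aggregate rates hide these (a new detection can mask a broken log source),
    which is why they are reported separately.
    """
    seen = {(r.round_no, r.technique): r.detected for r in results}
    return sorted(t for (rn, t), det in seen.items()
                  if rn == earlier and det and seen.get((later, t)) is False)


if __name__ == "__main__":
    for rn in (1, 2):
        d, p = coverage(RESULTS, rn)
        print(f"round {rn}: detected {d:.0%}, prevented {p:.0%}")
    print("change:", delta(RESULTS, 1, 2))
    print("open gaps:", open_gaps(RESULTS))
    print("regressions:", regressions(RESULTS, 1, 2))
```

In the sample data the detection rate is unchanged between rounds even though a new detection was added, because a previously working alert rule was lost during a SIEM upgrade; that is exactly the kind of finding the meeting should surface and that a single KPI would hide.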
Th4ts3cur1ty.company implements purple-teaming operations through a bespoke threat and infrastructure analysis programme, but we appreciate that not everyone is in a position to hire external experts. Hopefully this article and checklist will give some insight into how to run these operations for free and in turn improve the security culture of your organisation.
Let me know how you get on.