A CISO’s Guide to Purple Teaming

If a newly appointed CISO asked us, “What's the best way to test this organisation's security in a broad sense?” we would start talking about purple teaming.

But purple teaming can be a confusing topic.

We’ve heard security leaders ask if purple teaming is something that happens as part of red teaming, a separate process altogether, a buzzword, or just a way to make one person do two jobs.

To clear up the confusion surrounding purple teaming and explain why a purple teaming exercise might be the best way to start improving a security program, we asked SECFORCE’s offensive security expert Thanos Polychronis to give his point of view for this blog post.

If you're looking for a quick definition of purple teaming, it’s right here:

Purple teaming is a cybersecurity exercise where offensive (red) and defensive (blue) teams collaborate during planned security tests (“attacks”), working openly and sharing real-time insights to improve defences against real-world attacks.

The rest of this blog post goes deeper into what purple teaming is (and is not), why a CISO might want to do purple teaming as one of their first actions on the job, and how purple teaming compares to red teaming.


What Is Purple Teaming?

Purple teaming is when attackers and defenders are in direct contact during a series of pre-planned security tests or “attacks.”

The most universal language for describing cyber attacks comes from the MITRE ATT&CK framework, a globally accessible database containing documented tactics, techniques, and procedures (TTPs)—in other words, attacks performed by real attackers.

During purple teaming, there is no stealth. No one is trying not to get caught. Instead, attackers and defenders work together to learn and improve resilience against real-world attackers.

In a purple teaming exercise:

- A purple team engagement typically takes between two and four weeks.
- The objective is to test an organisation's defences against a broad range of likely attacks.
- During a live exercise, attackers screen share with defenders to show them exactly what they are doing in real time. Defenders see which TTPs are being tried and when they are executed.
- Attacks are executed realistically, i.e., using TTPs gathered during threat intelligence. The goal, however, is always to test the organisation's defences, not to compromise the organisation.

For example, a red team might work with defenders (the blue team) to see how a workstation responds to an attempted malware execution.

The attackers will run through the execution event to see if it is:

a) Logged;

b) Detected;

c) Blocked.

When an organisation works with SECFORCE during a purple teaming exercise, they also get support from the red team to develop new threat-hunting rules that catch the malware at the point where it was missed. The red team then runs through the TTPs again to see if there is an improvement.


Purple Teaming Is Not Red Teaming

There is a red team involved in purple teaming, but purple teaming is not a variant or part of red teaming.

Sometimes, people might confuse a red teaming exercise that transitions into a blue teaming learning exercise (when attackers are detected), with purple teaming.

Or they might think that red teaming that ends with a replay session is purple teaming. These are not variants of purple teaming because they start with stealth, i.e., attackers trying to remain undetected.

Everything the red team does during purple teaming is always 100% visible to the blue team. There are no surprises (except maybe the test results).

Red teaming vs purple teaming

Unlike purple teaming, red teaming is a black-box exercise.

During red teaming, attackers try a range of different attack vectors that (within the scope of the exercise) defenders don’t know about. Attackers then follow the attack that works to see how far they can go.

Like the cybercriminals they are emulating, attackers try to avoid being detected by blue teams. If discovered, they might work with the blue team from the point of discovery onward, but the point where that happens is not predetermined.

Purple teaming is not like this.

In contrast to red teaming, in a purple teaming exercise, attackers are not trying to avoid detection. They work with and in full view of the blue team before, during, and after every stage of every attack.

But why would you want to do purple teaming instead of red teaming? Well, both have different use cases.

Red teaming is how an organisation can learn whether an advanced threat would be able to compromise a payment system, gain access to and exfiltrate sensitive information, or hold your business to ransom whilst avoiding detection.

This can be great for visualising attack pathways, demonstrating weaknesses, assessing the defensive teams’ performance and response capabilities under real circumstances, and other use cases.


Purple Teaming Advantages

Purple teaming tests security controls against a broad list of TTPs across different parts of an organisation's IT environment.

This makes purple teaming one of the best learning scenarios a blue team could possibly have and one of the few ways for a CISO to see what their security controls are really capable of.

At SECFORCE, we think purple teaming is a great offensive security assessment for a wider range of organisations than almost any other offensive security exercise. Even organisations not ready for red teaming can typically benefit from purple teaming.

We like to bucket purple teaming benefits into two categories:

  1. Wide coverage of TTPs

Purple teaming compares an organisation’s security controls to a long list of potential attacks (based on threat intelligence) and, over the course of an engagement, can provide a comprehensive assessment of an organisation’s security posture.

Defenders don’t just see the attack path that works in one instance. They get to see the logs created by their response to a whole range of different malware variants and attack vectors.

This means they can really understand their controls and answer questions like, “How many types of malware will my EDR really detect?”

  2. Gap analysis based on technical information

Boiled down into one sentence, purple teaming is the process of conducting a wide range of attacks across all phases of the cyber kill chain to assess the organisation’s security posture and detection capabilities.

If you want a realistic appraisal of a company’s security functions, such as its SIEM, there is no better way to do so than purple teaming.

Purple teaming allows defenders to see how their security ecosystem logs, detects, reports and/or prevents attacks.

It also allows for determining the exact detection thresholds that an organisation’s controls can support, thus removing a lot of the guesswork from their security architecture and forward planning.

This is a perfect opportunity to learn and improve the efficiency of the SIEM and the SOC team. It is also one of the very few ways to do gap analysis based on real technical data.
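The logged/detected/blocked scoring from the malware-execution example above, and the gap analysis it feeds, can be tracked in code. The following is an added example (not SECFORCE's own tooling); the TTP rows are constructed sample data, and the tactic names and the rule that "blocked" outranks "detected" outranks "logged" are assumptions made for illustration.

```python
# Added example (not SECFORCE tooling): score each executed TTP on the three
# questions from the post (logged? detected? blocked?), then compare a baseline
# run with the re-test after new detection rules to show which gaps closed.
from dataclasses import dataclass
from collections import defaultdict
OUTCOME_RANK = {"missed": 0, "logged": 1, "detected": 2, "blocked": 3}

@dataclass(frozen=True)
class TTPResult:
    technique: str  # MITRE ATT&CK technique ID
    tactic: str     # ATT&CK tactic, i.e. the kill-chain phase (assumed labels)
    logged: bool
    detected: bool
    blocked: bool

    def outcome(self) -> str:
        """Strongest control response observed for this technique."""
        if self.blocked:
            return "blocked"
        if self.detected:
            return "detected"
        return "logged" if self.logged else "missed"

def coverage_by_tactic(results):
    """Fraction of techniques per tactic that were at least detected."""
    totals, hits = defaultdict(int), defaultdict(int)
    for r in results:
        totals[r.tactic] += 1
        hits[r.tactic] += r.detected or r.blocked
    return {t: hits[t] / totals[t] for t in totals}

def closed_gaps(baseline, retest):
    """Techniques whose outcome improved between runs: id -> (before, after)."""
    before = {r.technique: r.outcome() for r in baseline}
    return {r.technique: (before[r.technique], r.outcome()) for r in retest
            if r.technique in before
            and OUTCOME_RANK[r.outcome()] > OUTCOME_RANK[before[r.technique]]}
# Constructed sample data: the same TTP list executed twice, in full view of the blue team.
BASELINE = [
    TTPResult("T1566.001", "initial-access", True, True, True),
    TTPResult("T1059.001", "execution", True, False, False),
    TTPResult("T1003.001", "credential-access", False, False, False),
    TTPResult("T1021.001", "lateral-movement", True, True, False),
]
RETEST = [  # after the blue team wrote rules for the two weak spots
    TTPResult("T1566.001", "initial-access", True, True, True),
    TTPResult("T1059.001", "execution", True, True, True),
    TTPResult("T1003.001", "credential-access", True, True, False),
    TTPResult("T1021.001", "lateral-movement", True, True, False),
]
```

`coverage_by_tactic` gives the per-phase picture a CISO asks for, while `closed_gaps` is the evidence that the follow-up rules actually changed the outcome on the re-run.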

If done correctly and followed up with changes, a purple teaming exercise is guaranteed to positively impact an organisation's cybersecurity.


If You Are Considering Purple Teaming…

Talk to the offensive security experts at SECFORCE.

We have vast experience in running purple team exercises.

Contact us today to learn more.
