The Purple Team - Organization or Exercise

February 15, 2019

As the cybersecurity industry continues to evolve, certain terminology is changing and becoming more prevalent, such as the increased mention of Red Teams and Blue Teams inside boardrooms and IT departments. As these terms spread, their definitions can become broad or confusing, and they are sometimes used interchangeably with other terms that may or may not apply. For example, a staff member may use the term “Red Team”, but this could refer to either an internal team within that organization or an external Penetration Testing firm.

One such term that has been gaining popularity is “Purple Team”. Though the term can refer to a formal organization of staff within a company, it far more commonly refers to a type of cybersecurity exercise.

Exercise

The most common use of the term “Purple Team” is to refer to a specific exercise in which an offensive engagement transforms into a defensive learning opportunity. In this model the Red Team and Blue Team remain distinct entities, and the flow of information is as follows:

  Red Team
    1. Plans out the Campaign’s exercise, including which exploits, payloads, command and control, and other tools to utilize.
    2. Confirms the plan with management and, when applicable, notifies Human Resources in the event a non-Red-Team employee will be used as an actor in the Campaign.
    3. Executes the Campaign without informing the Blue Team of the engagement.
    4. Documents the Campaign in its entirety, creating a comprehensive list of every method, command, and endpoint utilized during the exercise.
    5. Hands off the report to the Blue Team…

  Blue Team
    1. Reviews the Red Team report.
    2. Analyzes all applicable logs and records that may correlate with the Campaign.
    3. Creates, then executes, a remediation plan.
    4. Notifies the Red Team of the remediation steps to allow for …

  Red Team
    1. Attempts to perform the same Campaign under the same conditions, repeating the process again.
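The Blue Team steps above (review the report, correlate it with logs, decide what to remediate) are usually done by hand. The following is an added example, not code from the post or from SCYTHE, of how that correlation can be scripted: each step in a hand-off report is matched against endpoint process-creation records on the same host within a time window and classified as detected (an alert fired), logged (a record exists but nothing alerted) or missing (no record at all), and the non-detected steps become the remediation list sent back to the Red Team. The report format, the log export format, the hostnames and the timestamps are all constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the post): what a Red Team hand-off report
# might list per step, in a hypothetical minimal format.
CAMPAIGN_REPORT = [
    {"step": 1, "host": "WS-042", "time": "2019-02-11T09:14:03", "command": "whoami"},
    {"step": 2, "host": "WS-042", "time": "2019-02-11T09:15:40", "command": "ipconfig /all"},
    {"step": 3, "host": "SRV-07", "time": "2019-02-11T09:31:12", "command": "net group"},
]

# Constructed sample process-creation records in a hypothetical export format.
# The third record is 30 minutes after the Red Team's step 3, so it is not the
# Campaign's event and step 3 must be treated as a logging gap.
ENDPOINT_LOG = """\
2019-02-11T09:14:05 WS-042 process_create user=jdoe cmd="whoami" alert=0
2019-02-11T09:15:41 WS-042 process_create user=jdoe cmd="ipconfig /all" alert=1
2019-02-11T10:02:00 SRV-07 process_create user=svc cmd="net group" alert=0
"""

LOG_RE = re.compile(
    r'^(?P<time>\S+) (?P<host>\S+) process_create user=(?P<user>\S+) '
    r'cmd="(?P<cmd>[^"]*)" alert=(?P<alert>[01])$'
)


def parse_log(text):
    """Parse the export into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.fromisoformat(m["time"]),
            "host": m["host"],
            "user": m["user"],
            "cmd": m["cmd"],
            "alert": m["alert"] == "1",
        })
    return events


def correlate(report, events, window=timedelta(minutes=5)):
    """Map each report step number to one of:
       'detected' - a matching record exists and it raised an alert
       'logged'   - a matching record exists but nothing alerted
       'missing'  - no record on that host for that command inside the window
    """
    results = {}
    for step in report:
        when = datetime.fromisoformat(step["time"])
        matches = [
            e for e in events
            if e["host"] == step["host"]
            and e["cmd"] == step["command"]
            and abs(e["time"] - when) <= window
        ]
        if not matches:
            results[step["step"]] = "missing"
        elif any(e["alert"] for e in matches):
            results[step["step"]] = "detected"
        else:
            results[step["step"]] = "logged"
    return results


def remediation_items(results):
    """Step numbers the remediation plan must address: everything not detected."""
    return sorted(s for s, status in results.items() if status != "detected")


def detection_counts(results):
    """(detected, total) to report back to the Red Team before the re-run."""
    detected = sum(1 for status in results.values() if status == "detected")
    return detected, len(results)


if __name__ == "__main__":
    res = correlate(CAMPAIGN_REPORT, parse_log(ENDPOINT_LOG))
    for step, status in sorted(res.items()):
        print(f"step {step}: {status}")
    detected, total = detection_counts(res)
    print(f"detected {detected} of {total}; remediate steps {remediation_items(res)}")
```

Distinguishing "logged" from "missing" matters for the remediation plan: a logged-but-silent step needs a detection rule, while a missing step means the telemetry itself is not reaching the Blue Team, which no amount of rule tuning will fix. The time window is deliberately narrow so that an unrelated later execution of the same command is not mistaken for the Campaign's event.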

Although the above is a fairly standard way of performing a Purple Team exercise, it relies on numerous rounds of back and forth between separate teams, and if remediation fails, more rounds must be completed and documented, which can delay the defensive changes being put in place.

A More Efficient Purple Team

The SCYTHE team has found that there are ways to receive the benefits of a Purple Team engagement without waiting on multiple teams to perform operations in turn, and without combining offensive and defensive staff under one team. With the SCYTHE platform, we’ve found that Red Team Automation and Defense Validation are two sides of the same coin, and offensive Campaigns are best remediated when network defenders can execute those Campaigns themselves in a controlled environment.

With the SCYTHE platform a Red Team can:

  • Create a Campaign
  • Define and automate all adversarial actions
  • Save the Campaign as a Threat template
  • Generate a globally unique implant
  • Detonate an adversarial implant on an endpoint
  • Generate a report
  • Provide report and access to SCYTHE to the Blue Team

… allowing the Blue Team to:

  • Use the pre-defined Threat Template to create an identical Campaign
  • Generate a new implant with a unique file signature
  • Detonate the implant in a controlled and monitored environment
  • Validate detections and remediation
  • And repeat until the Threat is satisfactorily addressed

This saves both teams time, allows for fast remediation, and makes threat emulation an easily repeatable action that does not require heavy cross-team coordination for every iteration of a threat.
