Wait, wait, wait, are you introducing us to another color in information security?
Yes we are, but hear us out.
We are not introducing a new job role where you have to hire more people or have to spend more money. See, a purple team is a virtual, functional team that fosters collaboration and efficiency in testing, measuring, and improving your current cyber security people, process, and technology (security controls).
Purple Teaming is a collaborative effort between the following teams. Your organization may not have some of these, and that is perfectly alright:
- Cyber Threat Intelligence - a team of analysts who research and understand the target organization and the adversaries that have the capability, intent, and opportunity to attack it.
- Red Team - the offensive team, often coming over from Penetration Testing or other offensive security assessments, in charge of emulating adversaries.
- Blue Team - the defenders: Security Operations Center (SOC) analysts, Detection Engineers, Hunt Team, Digital Forensics and Incident Response (DFIR), and/or Managed Security Service Providers (MSSP).
A Purple Team Exercise is a full-knowledge engagement where the attack activity is exposed and explained as it occurs. Purple Team Exercises are "hands-on keyboard". Red and Blue teams work together with an open discussion about each attack technique and defense expectation to improve people, process, and technology in real-time. Purple Team Exercises are Cyber Threat Intelligence led, emulating Tactics, Techniques, and Procedures (TTPs) leveraged by known malicious actors actively targeting the organization. This identifies and remediates gaps in the organization’s security posture.
In comparison, a Red Team Engagement is a zero-knowledge assessment where the defenders are unaware of what is happening. To be clear, the target company’s senior management, and other “trusted agents” or “white cells” are aware of the engagement, but the analysts do not know. A Purple Team Exercise is full-knowledge. The Red Team is not trying to be stealthy.
Instead, they are mimicking and sharing the attacks that the adversaries are performing against other organizations.
Sounds easy, right? At a high level, these teams work together and voilà! But what do they actually do? SCYTHE has released the Purple Team Exercise Framework to guide you through the entire process. This includes Cyber Threat Intelligence, Preparation, Exercise Execution, and Lessons Learned:
At a high level, a Purple Team Exercise is executed with the following flow:
- An Exercise Coordinator introduces an adversary, behaviors (TTPs), and technical details
- Attendees have a table-top discussion of security controls and expectations for TTPs
- Red Team emulates the TTPs
- Blue Team (SOC, Hunt team, and DFIR) analysts follow their process to detect and respond to the TTP
- Share screen to show whether the TTP was identified: alerts received, logs, or any forensic artifacts
- Document results - what worked and what did not
- Perform any adjustments or tuning to security controls to increase visibility
- Repeat TTP
- Document any feedback and/or additional Action Items for Lessons Learned
- Repeat from step 1 for next TTP
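As an added illustration, not part of SCYTHE's framework or this post, the small Python scorecard below records each TTP's outcome on the first run and on the repeat after tuning, so the "document results" and "lessons learned" steps produce measurable numbers rather than notes. The outcome scale, the TTP identifiers and the sample exercise data are all constructed for the example.

```python
from dataclasses import dataclass, field

# Ordered defender outcomes for one TTP run (a constructed scale, not from the PTEF).
OUTCOMES = ("none", "logged", "alerted", "detected", "responded")


@dataclass
class Ttp:
    ttp_id: str
    description: str
    runs: list = field(default_factory=list)          # outcome of each iteration, in order
    action_items: list = field(default_factory=list)  # Lessons Learned items for this TTP

    def record(self, outcome, action_item=None):
        """Document one run (initial or repeat after tuning) and any action item raised."""
        if outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome {outcome!r}")
        self.runs.append(outcome)
        if action_item:
            self.action_items.append(action_item)

    def level(self, index):
        """Numeric rank of the outcome at the given run index (-1 for the latest run)."""
        return OUTCOMES.index(self.runs[index])

    def improved(self):
        """True when the repeat run after tuning scored higher than the first run."""
        return len(self.runs) > 1 and self.level(-1) > self.level(0)


def scorecard(ttps):
    """Summarise the exercise: detection before and after tuning, plus remaining blind spots."""
    detected = OUTCOMES.index("detected")
    return {
        "ttps": len(ttps),
        "detected_before": sum(t.level(0) >= detected for t in ttps),
        "detected_after": sum(t.level(-1) >= detected for t in ttps),
        "improved": [t.ttp_id for t in ttps if t.improved()],
        "blind_spots": [t.ttp_id for t in ttps if t.runs[-1] == "none"],
        "action_items": [a for t in ttps for a in t.action_items],
    }


def demo_exercise():
    """Constructed sample data (not a real engagement) walking three TTPs through the flow."""
    a = Ttp("TTP-01", "constructed technique A")
    a.record("logged", "Write a detection rule for A")  # visible in logs, but no alert fired
    a.record("alerted")                                 # repeat after tuning: alert now fires
    b = Ttp("TTP-02", "constructed technique B")
    b.record("detected")
    b.record("responded")                               # analysts also completed response steps
    c = Ttp("TTP-03", "constructed technique C")
    c.record("none", "Enable the telemetry source needed to see C")
    c.record("none")                                    # still blind after tuning: carry forward
    return scorecard([a, b, c])
```

The `blind_spots` and `action_items` entries are what carries into the next exercise, while `detected_before` versus `detected_after` gives the improvement metric for management.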
An internal Red Team may have access to various tools that allow the emulation of adversary behaviors and TTPs. Our team at SCYTHE created a free and open source project called the C2 Matrix, where we attempt to document all Command and Control (C2) frameworks available for free and commercially. This is a great start; however, we highly recommend using an enterprise-grade platform that has the ability to automate adversary behaviors consistently and reliably in your live, production environment.
Purple Team operations allow for the collaboration, measurement, and improvement of current people, process, and technology. We believe this is a relatively new concept that will bring significant value to your organization! We hope you have found this post helpful and educational. If you are ready to begin performing Purple Team Exercises, check out the Purple Team Exercise Framework and contact us for help.
For future Purple Team workshops, check out the latest schedule here.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.