
Request the Purple Team Exercise Framework (PTEF) for free, today!
SCYTHE created a Purple Team Exercise Framework (PTEF) to facilitate the creation of a formal Purple Team Program by performing adversary emulations as Purple Team Exercises and/or Continuous Purple Teaming Operations.
A Purple Team is a virtual team where the following groups work together:
- Cyber Threat Intelligence - the team that researches adversaries and provides their TTPs
- Red Team - the offensive team in charge of emulating adversaries
- Blue Team - the defenders: Security Operations Center (SOC), Hunt Team, Digital Forensics and Incident Response (DFIR), and/or Managed Security Service Providers (MSSP)
A Purple Team Exercise is an open engagement where the attack activity is exposed and explained to the Blue Team as it occurs. Purple Team Exercises are "hands-on keyboard" exercises where Red and Blue teams work together, with an open discussion about each attack technique and the expected defense, to improve people, process, and technology in real time. Purple Team Exercises are Cyber Threat Intelligence led: they emulate the Tactics, Techniques, and Procedures (TTPs) used by known malicious actors actively targeting the organization in order to identify and remediate gaps in the organization's security posture.
The framework document is organized into the following sections:
- Executive Summary
- Goals
- Methodology
- Roles and Responsibilities
- Cyber Threat Intelligence
- Preparation
- Exercise Execution
- Lessons Learned
At a high level, a Purple Team Exercise is executed with the following flow, repeated once per TTP:
1. Cyber Threat Intelligence, the Exercise Coordinator, or the Red Team presents the adversary, the TTP, and its technical details
2. Attendees hold a table-top discussion of the security controls in place and what they expect to happen when the TTP is executed
3. Red Team emulates the TTP
4. Blue Team (SOC, Hunt Team, and DFIR) analysts follow their normal process to detect and respond to the TTP
5. Blue Team shares their screen to show whether the TTP was identified: any alert received, relevant logs, or any forensic artifacts
6. Document the results - what worked and what did not
7. Perform any adjustments or tuning to security controls to increase visibility
8. Repeat the TTP to confirm the adjustments took effect
9. Document any feedback and/or additional Action Items for Lessons Learned
10. Repeat from step 1 for the next TTP