Purple Teaming: Between Red Team and Blue Team
Purple Teaming is a new approach to security testing that could be described as ‘collaborative Red Team testing’. Normal Red Team assessments are heavily biased toward reality: Typically, the Blue Team or corporate IT department (except for the team leader/manager) does not know about Red Teaming in order to preserve the reality of the attack simulation. In Purple Teaming, on the other hand, the attacked team knows it is under attack and works closely with the attackers. This is where the name of Purple Team Engagements comes from – the Red Team and the Blue Team working closely together. The Red Team represents the simulated attackers whereas the Blue Team represents the defenders. There can be a dedicated, permanent Blue Team in the company, the IT and administration department, an internal or external SOC, or the IT security department: Whoever is responsible for defense is the Blue Team.
Blue Team
– Defender –
- Monitoring & Detection
- Containment
- Response
- Threat Hunting
- Use Case Creation
- Create Rules
- Configuration
Purple Team
– Collaboration –
- Information exchange
- Exercise showing attack scenarios
- Joint improvement of security controls
- Maximization of covered attacker profiles and strengths
- Training
Red Team
– Attackers –
- Penetration Testing
- Social Engineering & Phishing
- Lateral Movement
- Persistence
- Looting
- Privilege Escalation
- Command & Control Channels
- In-house and custom tool and software development
Benefits of Purple Team Assessments
Red Teaming – sometimes casually referred to as ‘Red Team Penetration Testing’ – is primarily aimed at subjecting companies to an attack simulation that is as realistic as possible. This is used to answer specific questions and focus on issues: Can my most sensitive systems be attacked, and my most valuable data stolen? If so, how? Can my team detect attacks at all, or would we be ‘blind’ in an emergency? If we do detect attacks correctly, how quickly and how effectively do we respond? What security aspects have we not yet considered?
Purple Team Exercises, on the other hand, focus not on reality, but on improving all the skills and capabilities of the defense (i.e., the Blue Team) as quickly and as strongly as possible. During a Purple Team engagement, sometimes called Purple Team Training, the Red Team plays through the various phases of a hacking attack, gradually increasing the severity and skill level of the attacks.
This involves checking:
- which attacks were detected by the Blue Team,
- which were blocked, and
- which were neither detected nor blocked.
For the latter, the Red Team helps the Blue Team determine why they were not detected or blocked, and to devise measures to prevent such attacks in the future. Hence, gradually, as the Red Team increases the difficulty of the attacks and the Blue Team readjusts its defenses, the company’s defenses are raised to a maximum against as many different attack techniques as possible.
When and for whom are Purple Team Assessments worthwhile?
- Your own Blue Team should be trained interactively during an ongoing attack and be able to practice.
- The company’s own security technologies such as SIEM, EDR, Endpoint Protection, Sysmon, IDS/IPS (Intrusion Detection System/Intrusion Prevention System) should be fine-tuned.
- New use cases, alerts and rules should be created for as many attack techniques as possible (TTPs – Tactics, Techniques and Procedures, such as those covered by MITRE ATT&CK).
- The Blue Team should benefit from the experience of an external Red Team.
- The skills and technical capabilities of the Blue Team should be improved to the highest possible level in the shortest time possible.
- Gaps in the company’s own detection and blocking should be systematically detected and closed.
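The exercise loop described above (each technique ends up detected, blocked, or neither; the "neither" cases become new use cases and rules; the next round raises the difficulty) is easy to lose track of across several rounds. The scorecard below is an added example, not code from the original page or from any vendor; the ATT&CK technique IDs are real, but the rounds, outcomes and rule names are constructed sample data. Beyond the three buckets the text names, it also reports which gaps were closed between rounds and which previously covered techniques regressed once the Red Team used a harder variant, which is the signal the Blue Team needs to know where to tune next.

```python
"""Purple-team exercise scorecard (added example; sample data is constructed)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Outcome(str, Enum):
    DETECTED = "detected"  # alert fired, but the action still succeeded
    BLOCKED = "blocked"    # a control prevented the action (alert or not)
    GAP = "neither"        # no alert, no prevention: a blind spot


@dataclass(frozen=True)
class Attempt:
    technique_id: str        # MITRE ATT&CK technique ID
    technique_name: str
    round: int               # exercise round; difficulty rises per round
    alerted: bool            # did SIEM/EDR raise an alert?
    prevented: bool          # did a control stop the action?
    rule: Optional[str] = None  # detection rule that fired, if any


def classify(a: Attempt) -> Outcome:
    """Blocked outranks detected: a stopped action is the stronger result."""
    if a.prevented:
        return Outcome.BLOCKED
    if a.alerted:
        return Outcome.DETECTED
    return Outcome.GAP


def summary(attempts: List[Attempt]) -> Dict[str, int]:
    """Counts per bucket over every attempt in every round."""
    counts = Counter(classify(a).value for a in attempts)
    return {o.value: counts.get(o.value, 0) for o in Outcome}


def coverage(attempts: List[Attempt], round_no: int) -> float:
    """Share of attempts in one round that were detected or blocked."""
    in_round = [a for a in attempts if a.round == round_no]
    if not in_round:
        return 0.0
    covered = sum(1 for a in in_round if classify(a) is not Outcome.GAP)
    return covered / len(in_round)


def history(attempts: List[Attempt]) -> Dict[str, List[Outcome]]:
    """technique_id -> outcomes ordered by round."""
    hist: Dict[str, List[Outcome]] = defaultdict(list)
    for a in sorted(attempts, key=lambda x: x.round):
        hist[a.technique_id].append(classify(a))
    return hist


def open_gaps(attempts: List[Attempt]) -> List[str]:
    """Techniques whose most recent attempt was neither detected nor blocked."""
    return sorted(t for t, h in history(attempts).items() if h[-1] is Outcome.GAP)


def closed_gaps(attempts: List[Attempt]) -> List[str]:
    """Techniques that were a gap in an earlier round and are covered now."""
    return sorted(t for t, h in history(attempts).items()
                  if Outcome.GAP in h[:-1] and h[-1] is not Outcome.GAP)


def regressions(attempts: List[Attempt]) -> List[str]:
    """Techniques covered in an earlier round that slipped to a gap in the latest."""
    return sorted(t for t, h in history(attempts).items()
                  if any(o is not Outcome.GAP for o in h[:-1]) and h[-1] is Outcome.GAP)


# Constructed sample exercise: round 1, then round 2 after tuning with harder variants.
SAMPLE = [
    Attempt("T1566.001", "Spearphishing Attachment", 1, True, True, "mail-gw-attachment"),
    Attempt("T1059.001", "PowerShell", 1, True, False, "ps-encoded-command"),
    Attempt("T1003.001", "LSASS Memory", 1, False, True),
    Attempt("T1021.002", "SMB/Windows Admin Shares", 1, False, False),
    Attempt("T1053.005", "Scheduled Task", 1, False, False),
    Attempt("T1071.001", "Web Protocols (C2)", 1, False, False),
    Attempt("T1059.001", "PowerShell (obfuscated variant)", 2, False, False),
    Attempt("T1021.002", "SMB/Windows Admin Shares", 2, True, False, "lateral-admin-share"),
    Attempt("T1053.005", "Scheduled Task", 2, True, False, "schtask-from-user-context"),
    Attempt("T1071.001", "Web Protocols (C2)", 2, False, False),
    Attempt("T1547.001", "Registry Run Keys", 2, True, False, "runkey-write"),
]

if __name__ == "__main__":
    print("totals:", summary(SAMPLE))
    for r in (1, 2):
        print(f"round {r} coverage: {coverage(SAMPLE, r):.0%}")
    print("open gaps:", open_gaps(SAMPLE))
    print("closed since earlier rounds:", closed_gaps(SAMPLE))
    print("regressions:", regressions(SAMPLE))
```

Each "open gap" is a candidate for the next use case or rule; each regression shows a rule that matched the first variant of a technique but not the harder one, which is exactly the readjustment the text describes between rounds.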
Comparison of Purple Teaming and Red Teaming Tests
As described at the beginning, there are some differences between Red Teaming and Purple Teaming. These are briefly compared in this table:
Realism and Openness:
- Red Team: The Blue Team does not know about the attack. The Red Team acts covertly.
- Purple Teaming: The Blue Team knows about the attack and is involved in it.
Knowledge exchange from Red to Blue Team:
- Red Team: Once at the end of the assessment.
- Purple Teaming: Continuous information exchange during actions is at the core of Purple Teaming.
Objectives:
- Red Team: Realistic testing of cyber resilience, posture and exposure.
- Purple Teaming: Fastest and greatest possible strengthening of the Blue Team’s skills and technical capabilities.
Scope:
- Red Team: Strategic, tactical and holistic.
- Purple Teaming: Technical and operational.
Results:
- Red Team: Report with recommendations to improve the organizational, strategic and tactical holistic security situation.
- Purple Teaming: Improved technical and operational measures of the Blue Team in detecting and preventing attacks and closing blind spots.
Commonalities of Red and Purple Teams:
Both forms of engagement, whether realistic, holistic and covert (Red Teaming), or overt and focused on immediate strengthening of individual defense technologies and capabilities (Purple Teaming), are designed to strengthen and improve corporate defenses by exposing them to attack by a professional Red Team. They strengthen different aspects, however, and produce insights from different points of view.