Purple teaming results from the merging of the red (team) and the blue (team) and illustrates how the two teams work together to improve the cyber security of an organization. This is achieved through a cooperation between the two teams, where attack scenarios are discussed, carried out, and analyzed jointly by both teams.
This way, specific internal use-cases or test scenarios can be run with an efficient approach, combining both the knowledge of defensive capabilities and inner workings of the company, and the offensive knowledge of attack scenarios and tools.
Purple teaming is helpful for:
- Evaluating defensive capabilities through simulated attacks;
- Challenging internal use-cases or playbooks and identifying ways to circumvent them; and
- Reviewing the effectiveness of use-cases or defensive tools regarding specific attacks.
Table of contents
Red Teaming vs Blue Teaming
When talking about security teams, we often refer to them as either blue teams or red teams. The blue team is the defending side such as a Security Operation Center (SOC) or an internal security team, and the red team is the attacking side, such as penetration testers.
In most cyber security assessments, the teams work independently. Red teams provide the attackers’ perspective, test applications or environments, and document their findings and measures. These are then used by internal security teams (blue teams) to improve the organization’s environment.
Main Use-Cases for Purple Teaming
Purple teaming projects are a very useful tool to evaluate specific use-cases or attack scenarios and improve a company’s cyber resilience. The purple teaming approach can be used for the following points:
Select use-cases or playbooks
- Testing specific tools or parts of an attack path
- Identifying usefulness of specific use-cases
- Identifying shortcomings in blocking or alerting for the corresponding attacks
- Challenging the robustness of the selected cases and trying to circumvent detection
Select attack scenarios
- Creating an attack simulation based on known adversaries or well-known attack paths
- Identifying gaps in the detection of the entire attack chain
- Trying to find alternative paths to circumvent defensive capabilities
Re-tests after an incident or red teaming engagement
- Recreating the attack path as seen during the incident or red teaming engagement
- Identifying the progress compared to previous iterations
- Identifying potential for further improvement
Technical Explanation of Purple Teaming
The big advantage of purple teaming is the cooperation between the attacking and the defending sides. The roles stay the same, but the teams go through the attack scenarios together. Furthermore, information about alerts or exploits are actively shared and discussed to improve the tests or alerting rules.
This allows real-time troubleshooting when an attack is not caught, and re-running of the attack to check if adjustments and improvements to the defensive capabilities work as expected. Additionally, for cases where an attack was detected, it can be checked whether detection could have been circumvented. Based on this, additional security measures or rules can then be implemented.
Furthermore, the tests can be run more efficiently, as information about why a certain attack was blocked can be shared, allowing the red team to adjust the attack accordingly.
Organization of a Purple Teaming Exercise
Due to the cooperation and information exchange, purple teaming engagements need to be planned and require effort from both the red team and the blue team to prepare for.
While the actual effort and distribution thereof differs depending on the goal and scenario of the tests, there should at least be an overall plan regarding what scenario or adversary will be simulated.
If specific use-cases or parts of an attack path are to be tested, detailed information needs to be collected for preparation purposes. Furthermore, more detailed test cases can be discussed in more depth and potential problems can be identified and remediated more quickly.
In addition, during the preparation of the tests, at least one member of the defense team should be available for discussions and questions regarding the environment. The attack scenarios can be based on real-world threat actors, internal use-cases or previously conducted red teaming engagements as well as a mixture of all of these. During the execution phase, the defense team should actively be involved in the test and preferably, all participants should be in the same room to ensure easy communication and exchange of information. Furthermore, during the execution, the blue team member(s) should have time to evaluate the output and results of their defensive tools and, where possible, adjust rules or tools according to the results.
Lastly, contrary to red teaming engagements, the end goal of a purple teaming engagement is not to successfully compromise the environment. Instead, the goal is to evaluate the defensive capabilities for specific attack scenarios or use-cases regarding whether and how easily it would be possible to circumvent them.
Benefits of Purple Teaming
A key benefit of purple teaming is the efficiency for both the attacking and the defensive side. The provided information and feedback about detections or blocked commands and executables allow the red team to adjust their approach. Likewise, by knowing about what exactly is being executed and when, and by being in constant contact, the blue team can look at the alerts and information available with their defensive tools in real-time to identify any gaps.
Additionally, a purple teaming offers the possibility to simulate an attack, or at least parts of an attack, with actual exploitation, with a smaller effort than a full red teaming engagement, as the intelligence gathering phase is skipped and the prerequisites for the specific parts to be tested are provided.
Lastly, a purple teaming offers some flexibility to adjust the tests based on results. If, for example, nothing was detected during a first iteration and changes are not possible during the engagement, additional test days can be used to test out other use-cases or potential exploits. If, in contrast, all planned attacks were blocked, the remaining test days can be utilized to try and circumvent the defense mechanisms to provide a more thorough analysis of specific use-cases.
Conclusion
Purple teaming exercises are a useful tool to assess defensive capabilities through simulated attacks. They can range from a full attack path simulation to simply testing out single use-cases or parts of an attack path.
While it is not a replacement for red teaming engagements, as it only covers specified use-cases or attack paths, it can be a very useful addition, especially to test and challenge measures put in place after a successful red teaming engagement. It can be an efficient tool to test out specific attack scenarios without the need of a full-fledged attack simulation and offers a lot of flexibility and benefit for the internal defense team.
If you would like to know more about purple teaming and how it can help your company increase its cyber resilience, feel free to contact us. We are looking forward to hearing from you.