Strengthen attack surface defenses with stronger information sharing between red and blue teams.
A purple team is a group of cybersecurity professionals that combines red team and blue team functions and, more importantly, acts as the communication and practice facilitator between those two teams. In an IT network penetration testing scenario, this means offensive "attacks" carried out by the red team and defensive "protecting" carried out by the blue team, with the purple team making sure that what one side learns reaches the other.
According to Forrester, purple team exercises can take the form of “collaborative efforts between offensive security teams (who act as intruders) and defenders. Defenders can validate defenses, identify control gaps, find weaknesses, and learn how adversaries adapt moment to moment.”
Purple teams exist to get the most out of both red and blue team exercises: they make sure the teams either deliver the best insights to the client that hired them or put those insights to work in their own security operations center (SOC).
The purple team mitigation cycle breaks the general function of purple teaming into concrete technical phases. The defining property of the cycle is that it is continuous: it should repeat after every exercise rather than end with a single report.
The goal is to make sure the red and blue teams keep improving on the mitigations already applied to known exploitable vectors, while also finding and mitigating new ones. At a minimum, the cycle should include phases such as:
Since the roles of blue and red teams are generally well defined and clear to industry practitioners, it can be harder to pin down exactly what purple teamers do on a daily basis.
Above, we discussed the macro-level mitigation cycle and objectives that are the “long game” of an effective purple team, but let’s now dive into some concrete examples of purple team exercises.
It’s critical to remember that the purpose of a purple team is to foster collaboration between the red and blue teams. A purple team does not necessarily conduct exercises the way red and blue teams do; rather, it is there to make sure the other teams take insights and learnings away from the “attack” and “defend” portions of penetration testing exercises, which will include:
The Atomic Purple Team framework is one that presents a specific lifecycle designed around unique business goals of each organization that might be looking to leverage it. It is typically employed to build, deploy, and justify "attack-detect-defend" attack surface analysis exercises. This lifecycle includes:
Another key purple team example is that of the Purple Team exercise framework, which was created to help organizations understand the basics of purple teaming and help them implement a framework in one of the following ways: ad-hoc, operationalized-as-new-threats-emerge, or dedicated/continuous.
The benefit of purple teaming is that it acts as the conduit for the insights produced during red and blue team exercises. If the purple team is absent, best practice discovery and reporting can still happen. However, the purple team, as noted throughout this page, is there to ensure that red and blue team tactics are actually shared and compared rather than kept in separate silos.
The purple team is there to help the two teams share information, correlate findings, and leverage subsequent insights in such a way as to maximize hardening of attack surface defenses and network integrity. Let’s go into more detail to discuss some of the granular benefits of purple teaming.
With the presence of a purple team to extract the most value from red and blue team exercises, SOC leaders can leverage the insights gained to strengthen monitoring and alerting capabilities and supercharge refinement of incident detection and response programs.
That's not just a phrase CEOs use to try and get workers to return to the office. In an attack surface analysis/penetration testing scenario, red and blue teams – while both are technically “good guys” – are on opposite sides of an exercise. As such, this could result in resentment and losing sight of the ultimate goal.
With an effective purple team in place, potential friction can be kept to a minimum and collaboration can be kept at the fore as the purple teamers encourage the red and blue teams – when appropriate – to share as much data as possible to help their client or internal organization.
Purple teaming can be of great benefit when it comes to reporting. This means not only information sharing between red and blue teams, but also succinctly demonstrating to leadership whether the security controls currently in place are effective, and where they are not.
Even if the feedback is that current systems are ineffective, the purple team can collaborate with its red and blue counterparts to present concrete recommendations to leadership on ways to improve upon current processes and ultimately increase ROI over time.
The purple team mitigation cycle we looked at above lays out the ideal format in which a purple team would facilitate results coming out of red and blue team exercises.
Let’s now discuss some of the best practices by which a purple team can achieve an effective mitigation cycle and consistently generate the insights to ensure a strong organizational security posture.
For best results, a red team should replicate a real attack as fully as possible. If the blue team is testing its incident response (IR) plan during a penetration test with an outside firm, the purple team should ensure the blue team does not tip off that firm once it detects the red team on the network; otherwise the attackers change their behavior and the exercise stops measuring how the defenses perform against a real adversary. The purple team should still keep an out-of-band channel with both sides so that the exercise can be paused or deconflicted from a genuine incident without revealing detections to the red team.
It's critical to ensure the blue team is able to follow a red team's movements and identify:
A security organization's first impulse upon identifying an incident may be to get compromised machines off the network as soon as possible, typically by powering them down. It should instead keep the machines running, isolating them through network controls if containment is needed, because powering off destroys volatile evidence such as system memory that is critical to digital forensics and incident response (DFIR). Capture memory and other volatile state before any action that would lose it.
Similarly, purple team documentation and reporting also helps the organization being penetration tested get to the bottom of exactly how an attack unfolded. Paper trails and electronic evidence are vital to managing the response to the aftermath of a red team “attack.”
For those reasons and more, purple teams must document which blue teamers in the security organization did what, when, and why, so the reliability of evidence can be ensured. From these findings, a purple team might put together the following list of questions:
Proper documentation over the course of an incident will be the foundation to answering these questions.
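The points above about following a red team's movements and about documentation being the foundation of the review come together when the purple team correlates the two teams' records. The following is an added example, not code from the original page or from any vendor tool. It takes the red team's own timeline of actions and the blue team's alert log, both constructed here as sample data, and matches each action to the first alert for the same technique that fired within a detection window. The ATT&CK technique IDs are used only as shared labels so the two logs can be joined; the window length, the field names, and the sample events are assumptions of this example.

```python
"""Correlate a red team action log with blue team alerts to score a purple team exercise."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class RedAction:
    """One entry in the red team's timeline: when they did what, labelled by technique."""
    time: datetime
    technique: str
    action: str


@dataclass
class BlueAlert:
    """One alert from the blue team's detection stack, labelled with the technique it covers."""
    time: datetime
    technique: str
    rule: str


@dataclass
class Outcome:
    action: RedAction
    alert: Optional[BlueAlert]  # None when nothing fired in the window

    @property
    def detected(self) -> bool:
        return self.alert is not None

    @property
    def time_to_detect(self) -> Optional[timedelta]:
        return None if self.alert is None else self.alert.time - self.action.time


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data for the example; these are not real logs.
RED_TEAM_LOG: List[RedAction] = [
    RedAction(_ts("2024-03-04T09:00:00"), "T1078", "Logged in with phished VPN credentials"),
    RedAction(_ts("2024-03-04T09:12:00"), "T1059.001", "Ran PowerShell discovery script on WS-017"),
    RedAction(_ts("2024-03-04T09:40:00"), "T1021.002", "Moved laterally over SMB admin share to FS-02"),
    RedAction(_ts("2024-03-04T10:05:00"), "T1003.001", "Dumped LSASS memory on FS-02"),
    RedAction(_ts("2024-03-04T10:30:00"), "T1048", "Exfiltrated archive over DNS"),
]

BLUE_TEAM_ALERTS: List[BlueAlert] = [
    BlueAlert(_ts("2024-03-04T08:30:00"), "T1078", "Impossible travel"),          # fired before the action: not a match
    BlueAlert(_ts("2024-03-04T09:15:30"), "T1059.001", "Encoded PowerShell"),      # 3.5 minutes after the action
    BlueAlert(_ts("2024-03-04T10:07:10"), "T1003.001", "LSASS handle opened"),     # 2 min 10 s after the action
    BlueAlert(_ts("2024-03-04T11:45:00"), "T1021.002", "Admin share access spike"),  # too late for a 60-minute window
]


def correlate(red: List[RedAction], blue: List[BlueAlert],
              window: timedelta = timedelta(minutes=60)) -> List[Outcome]:
    """Pair each red action with the earliest unused alert of the same technique inside the window."""
    remaining = sorted(blue, key=lambda a: a.time)
    outcomes: List[Outcome] = []
    for action in sorted(red, key=lambda r: r.time):
        match = next((a for a in remaining
                      if a.technique == action.technique
                      and action.time <= a.time <= action.time + window), None)
        if match is not None:
            remaining.remove(match)  # one alert can only explain one action
        outcomes.append(Outcome(action, match))
    return outcomes


def summarize(outcomes: List[Outcome]) -> dict:
    """Detection rate, mean time to detect, and the list of control gaps (undetected techniques)."""
    detected = [o for o in outcomes if o.detected]
    rate = len(detected) / len(outcomes) if outcomes else 0.0
    mean_ttd = (sum(o.time_to_detect.total_seconds() for o in detected) / len(detected)
                if detected else None)
    return {
        "total": len(outcomes),
        "detected": len(detected),
        "detection_rate": rate,
        "mean_ttd_seconds": mean_ttd,
        "gaps": [o.action.technique for o in outcomes if not o.detected],
    }


if __name__ == "__main__":
    for o in correlate(RED_TEAM_LOG, BLUE_TEAM_ALERTS):
        status = f"detected after {o.time_to_detect}" if o.detected else "MISSED"
        print(f"{o.action.time:%H:%M} {o.action.technique:<10} {o.action.action:<48} {status}")
    print(summarize(correlate(RED_TEAM_LOG, BLUE_TEAM_ALERTS)))
```

The window is the tunable part: widening it turns the late admin-share alert into a detection, which is exactly the kind of question a purple team should put to both sides (is an alert 125 minutes after lateral movement useful, or a gap?). An alert that fires before the action it supposedly covers is deliberately not counted, since it cannot have been caused by the red team and would inflate the score.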
Lastly, have an after-action review. This will help a security organization learn exactly what works – and what doesn’t – when it comes to responding to an incident. These lessons can then be leveraged to better guard against future attacks.
Successful review requires security practitioners to identify true risks as well as to be honest about how they address or accept them. A solid plan is a moving target, and it must evolve to meet new attack vectors in an ever-changing environment.
The following are examples of goals a SOC should aspire to when crafting an IR plan coming out of red/blue/purple team exercises: