Purple Teaming – a Cybersecurity Assessment

Piotr Marszalik
| 1/19/2017
PurpleTeaming 1

Blue Team vs. Red Team

The U.S. military and intelligence communities have long used “blue teams” and “red teams” to identify vulnerabilities within their organizations. The concept of blue versus red as a classification for teams also has been well-established in the field of cybersecurity. The typical blue team within an organization consists of the internal information technology security group. This team’s primary goal is to defend against threats from real-world attackers attempting to obtain unauthorized access to confidential data. Alternatively, the red team consists of external entities brought in to test the effectiveness of an organization’s security program. Red-team-style engagements differ from standard penetration tests in that they incorporate the entirety of the organization’s infrastructure and security controls into the test. Due to the nature of these engagements, typically they are reserved only for organizations with mature security postures. The goal-driven approach of a red team engagement allows for realistic incident response testing and for the closest real-world attack simulation possible.

Traditional Approach

Within an agreed-upon time frame, the red team attempts to complete predefined objectives using various methods and tools while the blue team defends. Upon a successful breach or end of the engagement window, the blue and red teams debrief and draft a report. While this traditional red team approach will reveal strengths and weaknesses related to an organization’s security posture, the lack of collaboration and visibility between the two teams can introduce gaps.

Both teams rely on different tactics and techniques that make them successful. Red teams typically take similar approaches to the initial exploitation of the environment. This allows blue teams to develop effective defenses against these common approaches. As an organization’s security matures, a red team will have to change tactics to bypass the defenses that the blue team deploys. Because the red team has no knowledge of the potential defenses and detective controls used by the blue team, the red team can spend a significant amount of time bypassing the blue team’s initial defenses. This decreases the number of activities performed by the red team after it obtains an initial foothold in the network and therefore limits the exploration of more in-depth weaknesses – including weaknesses and misconfigurations throughout the environment that could allow attackers to elevate their level of access or to obtain unauthorized data access.

This issue can be avoided by having the red team work with the blue team to understand what defenses have been deployed to the environment. With prior knowledge of these defenses, the red team can strike a balance between testing the controls that are already in place and bypassing these defenses to test the environment more thoroughly.

Purple Teaming Benefits

A purple team consists of blue and red team members working collaboratively across all stages of the engagement. This collaborative form of a hands-on tabletop exercise attempts to address the gaps seen in a traditional red team exercise. The open communication allows the organization to test the blue team’s responsiveness and the post-incident detective capabilities in real time. In addition, the visibility to tools and tactics between the two teams promotes the development of new strategies and maximizes the effectiveness of each team.

For example, an organization can benefit from a purple team engagement instead of a traditional red team engagement when simulating reconnaissance activities performed by attackers after they gain an initial foothold into the network. As the red team attempts to move laterally throughout the environment, it may run frequent queries to enumerate group memberships across the internal systems, a common technique attackers use when attempting to elevate access. This activity may not appear on the engagement report because it can be considered a normal network behavior. However, during a purple team engagement, the red team would discuss this tactic with the blue team. An open discussion would allow the blue team to better understand the methodology used by attackers and allow it to develop and tune the controls that are in place to detect this activity in the future.

Comprehensive Testing Is Best

A layered security model is a best practice for an organization’s cybersecurity program. While traditional penetration assessments and red team engagements are effective tools for testing an organization’s security posture, the collaborative approach of a purple team engagement can offer additional benefits. A well-executed exercise can provide an organization with a comprehensive test of the effectiveness at each layer of the organization’s digital infrastructure and improve the detective controls that are vital to offering visibility into suspicious activity.