Purple teaming

The benefits of collaboration

Piotr Marszalik and Michael Salihoglu | 1/27/2021

Purple teaming maximizes the effectiveness of security assessment by combining the strengths of both internal and external penetration testing teams.

Smart organizations are proactive about cybersecurity. One approach in that proactive toolbox is determining – before an attack – where weaknesses in the network exist so that they can be addressed. When information security teams collaborate with penetration testing teams, they can gain insights into attacker techniques and improve an organization’s overall security posture.

Blue team versus red team

The U.S. military and intelligence communities have long used “blue teams” and “red teams” to identify vulnerabilities within their organizations. The concept of blue versus red as a classification for teams is also well established in the field of cybersecurity. 

The typical blue team within an organization consists of the internal information technology security group. This team’s primary goal is to defend against threats from real-world attackers attempting to obtain unauthorized access to confidential data. 


By contrast, the red team typically consists of external entities brought in to test the effectiveness of an organization’s security program. Red team-style engagements differ from standard penetration tests in that they bring the entirety of the organization’s infrastructure and security controls into scope. Because of the scale and realism of these engagements, they generally are reserved for organizations with mature security postures. The goal-driven approach of a red team engagement allows for realistic incident response testing and for the closest real-world attack simulation possible.

Traditional approach

Within an agreed-upon time frame, the red team attempts to complete predefined objectives using various methods and tools while the blue team defends. Upon a successful breach or end of the engagement window, the blue and red teams debrief and draft a report. While this traditional red team approach reveals strengths and weaknesses related to an organization’s security posture, the lack of collaboration and visibility between the two teams can introduce gaps.

Each team relies on different tactics and techniques to succeed. Red teams typically take similar approaches to the initial exploitation of the environment, which allows blue teams to develop effective defenses against these common approaches. As an organization’s security matures, a red team will have to change tactics to bypass the defenses that the blue team deploys.

Because the red team has no knowledge of the potential defenses and detective controls used by the blue team, the red team often spends a significant amount of time bypassing the blue team’s initial defenses. Having to do so decreases the number of activities performed by the red team after it obtains an initial foothold in the network and therefore limits the exploration of more in-depth weaknesses – including weaknesses and misconfigurations throughout the environment that could allow attackers to elevate their level of access or to obtain unauthorized data access.

This situation can be avoided by having the red team work with the blue team to understand what defenses have been deployed to the environment. With prior knowledge of these defenses, the red team can strike a balance between testing the controls that are already in place and bypassing these defenses to test the environment more thoroughly.

Purple teaming benefits

A purple team consists of blue and red team members working collaboratively across all stages of the engagement. This collaborative form of a hands-on tabletop exercise attempts to address the gaps seen in a traditional red team exercise. 

The open communication allows the organization to test the blue team’s responsiveness and the organization’s post-incident detective capabilities in real time. In addition, each team’s visibility into the other’s tools and tactics promotes the development of new strategies and maximizes each team’s effectiveness.

For example, an organization can benefit from a purple team engagement instead of a traditional red team engagement when simulating the reconnaissance activities attackers perform after they gain an initial foothold in the network. As the red team attempts to move laterally throughout the environment, it might run frequent queries to enumerate group memberships across the internal systems, a common technique attackers use when attempting to elevate access.

This activity might not appear on the engagement report because it can be considered normal network behavior. During a purple team engagement, however, the red team would discuss this tactic with the blue team. An open discussion would allow the blue team to better understand the methodology used by attackers and to develop and tune the controls that are in place so that this activity is detected in the future.
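As an added example (not code from the original article), the following Python detection logic is the kind of control a blue team might tune after such a debrief: it scans Windows Security events for a single account enumerating group membership on many hosts within a short window, which separates a sweep from the routine one-off lookups that make this activity look normal. The event IDs 4798 and 4799 are real Windows IDs; the event layout, the sample data, and the thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security log event IDs recorded when group membership is enumerated:
# 4798 = a user's local group membership was enumerated,
# 4799 = a security-enabled local group membership was enumerated.
GROUP_ENUM_EVENTS = {4798, 4799}


def _ev(time, event_id, host, subject, group=None):
    # Simplified event record (assumed layout, not a real log schema).
    return {"time": time, "event_id": event_id, "host": host,
            "subject": subject, "group": group}


# Constructed sample events, not real telemetry: one account fans out across
# eight workstations in a few seconds; a helpdesk account touches one host.
SAMPLE_EVENTS = [
    _ev(f"2021-01-27T09:00:{s:02d}", 4799, f"ws{s:02d}", "CORP\\jdoe", "Administrators")
    for s in range(1, 9)
] + [
    _ev("2021-01-27T09:30:00", 4799, "dc01", "CORP\\helpdesk", "Administrators"),
    _ev("2021-01-27T09:31:00", 4624, "dc01", "CORP\\helpdesk"),  # logon, ignored
]


def detect_enumeration_sweeps(events, window=timedelta(minutes=10), min_hosts=5):
    """Return (subject, first_seen, hosts) for each account that enumerated
    group membership on at least min_hosts distinct hosts inside a sliding
    window. Thresholds are starting points to tune per environment."""
    by_subject = defaultdict(list)
    for e in events:
        if e["event_id"] in GROUP_ENUM_EVENTS:
            by_subject[e["subject"]].append(
                (datetime.fromisoformat(e["time"]), e["host"]))

    alerts = []
    for subject, seen in by_subject.items():
        seen.sort()  # chronological order so each event can start a window
        for i, (start, _) in enumerate(seen):
            hosts = {h for t, h in seen[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append((subject, start, sorted(hosts)))
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for subject, first_seen, hosts in detect_enumeration_sweeps(SAMPLE_EVENTS):
        print(f"{first_seen} {subject} enumerated groups on {len(hosts)} hosts: {hosts}")
```

Running it against the sample flags only the account that swept eight hosts; the helpdesk lookup on a single host stays below the threshold.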

Comprehensive testing

A layered security model is a best practice for an organization’s cybersecurity program. While traditional penetration assessments and red team engagements are effective tools for testing an organization’s security posture, the collaborative approach of a purple team engagement can offer additional benefits. 

A well-executed exercise can provide an organization with a comprehensive test of the effectiveness at each layer of the organization’s digital infrastructure and improve the detective controls that are vital to offering visibility into suspicious activity.