Advanced Purple Teaming

Pepijn Vissers
Published in Chapter8
6 min read · Feb 4, 2022

The what, why, when, where and how. Part one: the what.

Hi there, dear readers. You got the APT-joke in the title, right? Good!

In this small blog post series, I’ll take you through a virtual Purple Team Mission from early start to aftercare.

The way most people know about Purple Teaming is as a form of tabletop exercise after a penetration test. You know, replaying parts of the attack to give the defenders the gist of how they would, should and could have been able to detect and mitigate a particular attack scenario.

Does that sound like a fair fight to you? (everyone: “Nooooooooooooo!”). So how about we take one of ol’ Mr. Tzu’s principles and do things a little differently? (everyone: “Yeeeeeees!”).

Allllllrighty then, it is time for a Variation in Tactics!

“The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.”
Sun Tzu, The Art of War, Chapter 8, ss. 11

Let’s start with the what.

Advanced Purple Teaming is a combination of several things:

  • adversary emulation;
  • in-depth defense analysis; and
  • consultancy.

All of you with cybersecurity backgrounds read “red teaming”, “blue teaming” and “that guy with the suit”. The focus of Advanced Purple Teaming lies heavily on the cooperation between the red and the blue teams, and on using this cooperation to enhance an organisation’s overall security posture. Purple is the resulting colour: for reference, check the Infosec Colour Wheel by HackerNoon.

Adversary emulation
The adversary emulation should focus on real-life attack scenarios. Given the enormous rise in cybercrime actors and incidents, and the inevitable growth in maturity of their tactics, techniques and procedures, the red team cannot get away with running OpenVAS or run-of-the-mill Kali tooling. The team needs a skillset that matches common cybercrime modi operandi or, even better, nation-state ninja stealth level.

The rationale behind this is that as an attacker, it’s easy to scale down your efforts and make digital ‘noise’. It is much harder to step up your game if the blue team keeps detecting you, and a red team that cannot do so could leave an organisation with a false sense of security (“hahaha we catch hackers every time, we’re cybersafe!”).

For a basic assessment of a red team’s skill level, please refer to a quality label like the Dutch “Keurmerk Pentesten”, which was developed in cooperation with Cyberveilig Nederland. This will give you a basic indication of a red team’s skillset, although street cred and reputation count for a lot (and maybe even more). Bottom line: ask around. And choose the red team component that matches your wishes.

Defense analysis
Defense analysis is much more than looking at your EDR logs, blue team. It is also about “forensic readiness”: a term you have no doubt heard us use before. Forensic readiness comprises the whole set of people, processes and tech that enables your organisation to respond adequately to a cyber crisis, while keeping operational costs to a minimum. That is indeed quite a bit more than just looking at logs, and it might sound a bit far-fetched for a Purple Team exercise, but it actually is not.

Just think of “where to go next” when the blue team encounters suspicious activity. Think of the digital evidence you want to collect given the scenario, or the chain of custody needed. The legal implications. Communication. Who needs to do what, and when: 24/7/365, or only during office hours?

In an earlier blog, I showed you this picture:

Source: Implementing Forensic Readiness, Second Edition (Sachowski, 2019)

…and every aspect an organisation needs to at least have thought about is in there. We highly recommend this recent book by Jason Sachowski, from which we borrowed the graphic above and from which we will quote in the next paragraph.

Basically, the organisation needs to make a cost/benefit assessment of its desired state of digital forensic readiness. Think of the costs of governance (policies, guidelines, procedures, standards), and of education and awareness of staff directly involved with operational security, incident management, legal counsel and data security (for, say, your chain of custody). The benefits lie in the areas of compliance, cost minimisation, deterrence and control expansion. But again, read the book for the theory behind it.

We might write a longer blog post some day on the preparation for forensic readiness (the leftmost column of the picture above) and where we see it go wrong, but practical advanced purple teaming from the blue perspective will focus on the three other columns: the gathering, analysis and presentation of the collected data in relation to a (simulated) cybersecurity incident.

In short, advanced purple teaming, if done right, will stress-test the design, existence and functioning of your administrative, technical and sometimes even physical defense mechanisms. When starting with the scenario definitions, it’s easiest and most practical to assume breach and identify the crown jewels that are to be attacked. We’ll get into that more in-depth in a next blog.

This leaves the consultancy side of things as far as the what of advanced purple teaming is concerned.

Given the broad scope of APTs (whoops, I did it again!) and the focus on far more than the technical side of things, it should not be surprising that more departments than just the CISO and IT (security) staff should be involved.

Fact is, the involvement of legal usually starts way ahead of an APT, by asking questions about our purple team waiver. But that is another story for another day ‘-). Since most of our Assignments raise questions about money spent on tech as opposed to people, team managers and the CIO should at least be aware of the existence of the Assignment.

There is no need to involve C-level too much up front, but again, awareness of the nature of a Purple Team Assignment — beyond signing the offer — would be good. As in: this is kind of like a crisis simulation, albeit with cybersecurity as the main component.

Why so much involvement? Because the way we think a Purple Team Assignment should be done is all about cooperation and awareness within the organisation. This is very different from other approaches that do adversary emulation without any up-front knowledge within the organisation (except the CISO) and “replay” parts of the results afterwards for IT and/or the SOC.

We call that PINO.

Purple

In

Name

Only.

That level of involvement is actually an intentional heads-up for the consultancy at the end of the Assignment. In true Purple style, the results of the Assignment should be communicated clearly at the operational, tactical and strategic levels. As examples: on the operational level, the defenders should enhance their detection use cases. The tactical level should worry about attack surface coverage and interdepartmental communication: forensic readiness, as it were. The strategic level should be able to better (re)direct funds and resources to the overall security posture of the organisation. This requires consultancy skillsets on all levels, and a pretty deep understanding of Red and Blue. But yes, I wear a suit.

Thanks for sticking with me so far. Now you have an understanding of our take on Advanced Purple Teaming. In the next blog in this series, I’ll write about the why, when and where. In the third part, which will no doubt be the most comprehensive: the how.

About the author: Pepijn has an MSc in criminology and over 22 years of experience in cybersecurity. He has worked in commercial and nation-state environments, on both operational and strategic levels. In 2020 he co-founded Chapter8, which specialises in Advanced Purple Team cybersecurity. Besides being a family man and CrossFit enthusiast, he is a cyber volunteer at the Dutch National Police.
