TL;DR — Purple Teaming

Chapter8, May 30, 2021
  1. What is Purple Teaming?
  2. What is a Purple Team Mission?
  3. What does a Mission look like?

1 — What is Purple Teaming?

Traditionally, cyber security tests were carried out from the perspective of the attacker, or the Red Team. The Blue Team, or defender perspective, was only added as an afterthought.

This one-sided thinking only produced partial results. It didn’t leave you as secure as you could be, because it didn’t address your organization’s structural security posture.

Now, if you combine the skills and perspectives of both Red and Blue Teams, the result — a Purple Team — is worth more than the sum of its parts. This team will bring about the real change of mindset needed to improve your security over time by engaging Red and Blue together in a real-life cyber security Mission.

2 — What is a Purple Team Mission?

A Purple Team Mission really is the next generation of cyber security testing. Instead of starting with a penetration test and handing the blue team a report with to-dos when done, a Purple Team Mission brings Red and Blue together to create a powerful team.

By continuously communicating the steps taken and the decisions made that led to (or countered) a successful penetration, both the Red and Blue teams become smarter and better attuned to each other, which results in being able to respond almost instantly to the other’s actions.

A Purple Team Mission typically consists of four phases: intake, reconnaissance, assessment and reporting, which are set out below.

3 — What does a Mission look like?

Phase 1 — Intake

Every Mission starts with an on-site intake with the client. It is mandatory that not only the employees responsible for infrastructure and network security attend the meeting, but also C-level employees.

Together with the client, the most valuable assets in the entire network are identified, along with the current level of intrusion detection, the endpoint protection in place, whether penetration tests are regularly scheduled, and whether a network overview is available.

Phase 2 — Reconnaissance

Phase 2 starts with the Blue team going over the security measures already in place and matching the network overview to the devices and services actually online in the network. Meanwhile, the Red team starts ‘peeling the onion’ from the outside of the network.

This really is a data-gathering phase: mapping out network segments, servers and services, the email solution used, interesting personal devices (if any), domain names in use, and so on. It’s necessary to know the online footprint of the organization, because with nothing more than proper OSINT a hacker is often able to find small pieces of information that lead to a quick but sophisticated hack.

Phase 3 — Assessment

Phase 3 is by far the most exciting of all. It’s when the Red team and Blue team engage in a real-life CTF (Capture The Flag), which means that the Red team tries to reach the client’s crown jewels without the Blue team noticing, let alone blocking, the attack.

A huge difference between a Purple Team Mission and the CTFs popular in the hacking community is the communication between the Red team and Blue team during the assessment.

Do you see me now?

Besides finding weaknesses in the client’s network, the objective is to provide the client with tools, skills and awareness and to leave them smarter and more secure than they were before the Mission. That’s why the Red team and Blue team notify each other of everything they find and every decision they make along the way.

What about now?

This not only increases each team’s understanding of the other’s tactics, which makes for a stronger Purple Team with every Mission, but it also enables the Blue team to quickly pinpoint weaknesses that would not have shown up using automated security monitoring alone.

Phase 4 — Reporting

A Purple Team Mission report typically consists of the steps taken by the Red team that led up to a successful penetration, the decisions and actions of the Blue team to counter or monitor the attack, and recommendations to patch any vulnerabilities found.

On an operational level, if any weaknesses have been found, the client has to know which software to patch, which ports to close to external access and which default admin passwords to change.

On a strategic level, the state of security is translated from the technical domain to the leadership domain, in order to base future decisions on these results.

More information

To learn more about Purple Teaming, visit this website.
