Regardless of the size and the industry of an organization, one of the most effective ways to discover infrastructure vulnerabilities and thwart possible cyber threats is to rely on the expertise of both red teams and blue teams.
A red team conducts pen tests and vulnerability assessments, and a blue team responds to incidents while building and maintaining the organization's defenses. As the red team has a responsibility to challenge the blue team's defenses, it's no wonder there's a divide between the two, some might even say a lighthearted dislike. But there is a way to close that gap, and that's where purple teams come in.
While purple teams aren't as widely employed and haven't been around as long as red and blue teams, more and more organizations are stepping away from old-fashioned "red team vs blue team" methodology and embracing mutual cooperation between the two. And just as red and blue mixed together make purple, purple teams are there to help the two work symbiotically, with the end goal of enhancing an organization's security.
We've written extensively about red teams and blue teams before, but now let's get familiar with the concept of purple teams—what they are, what benefits they bring to your organization's security infrastructure, system and apps, and some best practices to follow when operating your own purple team.
- What is a purple team?
- How can my organization benefit from a purple team?
- Purple team best practices
What is a purple team?
Before we jump into defining the purple team, let's review what red and blue teams do.
Red and blue teams share a common goal, which is to improve the security of an organization's infrastructure and systems. The red team is considered the "offense" and the blue team, the "defense."
Red teams need to think like the attacker. It's their job to test the organization's defenses, use adversary methodologies and tactics to try and break into a system, uncover weaknesses and vulnerabilities in the security of the infrastructure, launch exploits, test for the probability of human error, and share their findings. They're often an external group of offensive security professionals, white hats, who are hired by an organization for their adversary-like approach toward continuously challenging the organization's security procedures, policies and systems.
Some common red team tasks:
- Penetration testing
- Vulnerability assessment
- Social engineering
Blue teams, on the other hand, are designed to develop defensive measures to counter the activities of the red team, and ultimately, the work of real adversaries. They also need to be knowledgeable about potential threats and attack methods, to continue developing stronger defense mechanisms and improving incident response.
Common blue team tasks are:
- Risk intelligence data analysis
- Incident response
- Security monitoring
- Reverse engineering
As red teams try to break the defenses put in place by blue teams, and their success is measured by the number of vulnerabilities they uncover, they rarely have a motive to help the blue team. This happens despite the two teams' common goal of improving organizational security, and despite the full potential of their combined tests and assessments.
Such lack of collaboration is common in organizations with an in-house blue team and an external red team, but it's not rare to find this type of disconnect even in organizations with both teams in-house.
In one common scenario, the red team will finish their tests, then send out a vulnerability report that will go to the blue team, who in turn work on remediation. This feedback loop is indirect and passive, and can take a while to complete.
That's where a purple team comes in. The purple team is designed as a feedback bridge between the red and blue teams, modifying their approach to be more proactive, direct and, in the end, more effective in terms of an organization's overall security posture. This doesn't have to be a new, separate or "third" group of experts; it's more of a methodology. Think of it as a security practice which allows for sharing intelligence data between the two, supporting real-time feedback and communicating their insights with one another.
Here's one example of how purple teaming works: instead of conducting one annual pen test, after which the red team sends the report and the blue team responds with remediation, the two teams collaborate throughout. The red team advises on how to prioritize vulnerability management and patching critical flaws, while the blue team monitors the red team and shares insights on the red team's activities and testing, in an effort to uncover deeper weaknesses in the system.
This approach will strengthen both sides. The blue team becomes more informed about how to prioritize, measure and improve their ability to detect threats and attacks, and the red team learns more about technologies and mechanisms used in defense. This can lead to finding more advanced attack vectors and understanding more sophisticated attack methods.
How can my organization benefit from a purple team?
Now that we've seen what a purple team is, let's see how your organization can benefit from adopting this particular security methodology.
More effective vulnerability detection
Sometimes a breach can take place with the attacker bypassing all defenses, and the blue team doesn't even notice it happening. This doesn't necessarily indicate a lack of skill or technology on the blue team's part, but rather the complexity of the attacker's techniques or the sophistication of their attack vectors.
The purple team exists to eliminate this possibility. Red and blue teams working together means engaging in constant knowledge transfer and simulating real-life attack scenarios. This way, the red team will enhance the organization's vulnerability management process while the blue team gets into the attackers' mindset, to develop better incident response programs and vulnerability detection processes.
Healthier cybersecurity culture
As we've said before, the goal for both red and blue teams is to improve an organization's security defenses, just as it's the organization's goal to foster a healthy company cybersecurity culture. With purple teaming, the first incentive is strong, regular communication between offense and defense, a constant flow of information and symbiotic work.
Again, a purple team doesn't have to be a newly assembled team, it can function as an exercise between the two existing teams. What's important is encouraging communication and collaboration between team members, to promote constant improvement of the organization's cybersecurity culture.
Finally, a better security posture
The final and most important benefit is a better security posture for your organization. Without purple teams' constant communication, regular security audits, new defense techniques, threat hunting, vulnerability management and development of improved security infrastructure and policies, organizations wouldn't stand a chance against malicious actors. After all, every team, whatever their color, is there to help you better prepare for any cyber threat that comes your way.
Purple team best practices
If you're looking into improving your current red team and blue team practices by implementing purple teams, here are a few things to keep in mind.
Make sure everyone is in the right role
Collaboration and communication are key, and while it's important for both teams to share their findings and help each other, you should never expect red teamers to take on the full vulnerability management process, nor hold blue teamers to the standard of expert hackers.
Establishing clear roles and expectations for each team, while keeping communication open, goes far in ensuring a successful purple team methodology.
Never skip planning
Always plan ahead before you dive into purple teaming. To get the most benefit from the exercise, start by defining goals. Are you working on improving security alerts, or on security policies and processes? Are you verifying how well your employees can protect themselves against social engineering?
Also, it's important to know why you're even concerned with purple teaming: has anything happened during a pen test, security audit or vulnerability assessment that you want to correct or revise?
The plan doesn't have to be fixed. Always allow for flexibility as teams might detect weakness in an area you never considered, or devise a threat-hunting model that wasn't at all planned. But do set objectives and goals for both teams that can be measured at the end of the exercise, so their effectiveness can be easily assessed.
Track and revise the process
Before you implement these security remediations, revise and verify. Better yet, track each and every step of the way, assess every task before moving on to the next, and always follow up.
Going over every mitigation and fix repeatedly will allow each side to learn more from the other, help close any gaps, and allow for prioritized remediation guidelines. This leaves the red team with fewer repetitive weaknesses to report and guides the blue team toward hunting for more complicated threats.
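The planning advice above asks for objectives that can be measured at the end of the exercise, and the tracking advice asks for every step to be followed up round after round. As an added example that is not from the original post or from SecurityTrails, here is a small Python scorecard that does both: each record pairs one red-team action with the blue team's observed response, the metrics give the blue team a detection rate and alert delay to improve on, and a round-to-round comparison shows which gaps were closed, which persisted, which regressed and which were never re-tested. All technique labels, severities and timings are constructed sample data, and the function names are this example's own.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example of a purple-team exercise scorecard (not the post's own tooling).


@dataclass(frozen=True)
class TestCase:
    technique: str                     # label agreed during planning (constructed names below)
    executed: bool                     # did the red team actually run it this round?
    detected: bool                     # did the blue team raise an alert on it?
    minutes_to_alert: Optional[float]  # delay from execution to alert; None if no alert
    severity: int                      # 1 (low) .. 5 (critical), agreed during planning


def detection_rate(cases):
    """Fraction of executed techniques that produced a blue-team alert (0.0 if none ran)."""
    executed = [c for c in cases if c.executed]
    if not executed:
        return 0.0
    return sum(1 for c in executed if c.detected) / len(executed)


def mean_minutes_to_alert(cases):
    """Average alert delay over detected techniques; None when nothing was detected."""
    delays = [c.minutes_to_alert for c in cases
              if c.executed and c.detected and c.minutes_to_alert is not None]
    if not delays:
        return None
    return sum(delays) / len(delays)


def prioritized_gaps(cases):
    """Executed-but-undetected techniques, most severe first, for the remediation queue."""
    gaps = [c for c in cases if c.executed and not c.detected]
    return [c.technique for c in sorted(gaps, key=lambda c: (-c.severity, c.technique))]


def compare_rounds(previous, current):
    """Follow up on last round's gaps: closed, still open, regressed, or never re-tested."""
    prev_gaps = set(prioritized_gaps(previous))
    cur_gaps = set(prioritized_gaps(current))
    prev_detected = {c.technique for c in previous if c.executed and c.detected}
    cur_detected = {c.technique for c in current if c.executed and c.detected}
    cur_executed = {c.technique for c in current if c.executed}
    return {
        "closed": sorted(prev_gaps & cur_detected),       # fix verified by a re-run
        "persisting": sorted(prev_gaps & cur_gaps),       # still undetected
        "regressed": sorted(cur_gaps & prev_detected),    # was detected, now missed
        "untested": sorted(prev_gaps - cur_executed),     # fix claimed but not verified
    }


# Constructed sample rounds: the persistence case was deferred in round one.
ROUND_ONE = [
    TestCase("simulated phishing attachment", True, True, 12.0, 4),
    TestCase("simulated credential theft", True, False, None, 5),
    TestCase("simulated lateral movement", True, False, None, 4),
    TestCase("simulated command-and-control beacon", True, True, 45.0, 3),
    TestCase("simulated persistence", False, False, None, 2),
]

ROUND_TWO = [
    TestCase("simulated phishing attachment", True, False, None, 4),
    TestCase("simulated credential theft", True, True, 8.0, 5),
    TestCase("simulated lateral movement", True, False, None, 4),
    TestCase("simulated command-and-control beacon", True, True, 30.0, 3),
    TestCase("simulated persistence", True, True, 20.0, 2),
]


if __name__ == "__main__":
    for name, cases in (("round one", ROUND_ONE), ("round two", ROUND_TWO)):
        print(f"{name}: detection rate {detection_rate(cases):.0%}, "
              f"mean minutes to alert {mean_minutes_to_alert(cases)}, "
              f"gaps {prioritized_gaps(cases)}")
    print("follow-up:", compare_rounds(ROUND_ONE, ROUND_TWO))
```

The "untested" bucket is the one most often forgotten: a gap that was marked fixed but never re-executed by the red team is not yet closed, which is exactly the "revise and verify" step the section above asks for.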
As we've learned today, the purple team is less about a new "group" that differs from traditional red and blue teams than it is about establishing healthy communication between the two, in an effort to share knowledge and be better prepared for threats.
With attackers getting sneakier every day, developing new techniques and presenting more serious security challenges to all organizations, it's important that all parties work together to ensure an organization's security.
SecurityTrails' product lineup helps companies' security teams with their daily tasks, continuous security monitoring and asset discovery.