Purple Teaming
Purple teaming is a testing approach that provides superior value and security for an organization by maximizing the effectiveness of security testing. Like the sharing of intelligence among allies during wartime can win the battle, purple teaming can help keep your security posture strong.
This is achieved by combining the knowledge of both the offensive security testing team (AKA "red team") and of those responsible for protecting against attacks (AKA "blue team"). Superior testing results are achieved as compared to traditional testing by embracing an equal measure of mutual cooperation between the two.
PEN Consultants provides the unique opportunity to take a purple team approach on every engagement - from vulnerability scanning, to penetration testing, to red teaming - by furnishing access to every aspect of testing on every single engagement as seen here: https://penconsultants.com/realtimeTransparency
The only additional ingredient needed to make it purple is the same amount of knowledge and access provided from your end as seen here: https://penconsultants.com/whiteboxApproach
Red Teams vs Blue Teams
Red teams and blue teams share a common goal - improve the security posture of an organization's systems - but accomplish this through different approaches and with different perspectives:
- Blue Team - The defenders of an organization:
- maintains the security posture of the organization - ex. system and network admins
- detects, prevents, mitigates, and responds to cyber threats and attacks - ex. security team / SOC
- remains vigilant and reports suspicious activity - end users
- Red Team - Simulated attackers or adversaries:
- tests the effectiveness of an organization's defenses
- carries out real-world cyberattacks
- attempts to penetrate or bypass security measures
- utilizes various tools, techniques, and procedures
- identifies vulnerabilities and weaknesses
- find vulnerabilities before actual attackers do
- ex. offensive security testing, penetration testing, social engineering, ethical hacking, white hat hacker, etc.
The Traditional Approach
Traditionally, the approach is offense vs defense, and it can sometimes be a hostile relationship. There is little to no sharing between the two.
RED TEAM | BLUE TEAM |
conducts testing | may not even know testing will be occurring (Note: for SOC testing this may be fine, but not an efficient approach) |
enumerates the attack surface | keeps the details of the infrastructure confidential |
looks for potential weaknesses | attempts to keep known weaknesses confidential |
speculates what the target risk profile is, based on limited insider information | has full insider knowledge, but may have limited knowledge of attacker TTP |
plans and conducts various attacks | actively defends against attacks |
does not know whether attacks against suspected vulnerabilities are failing due to blue team defenses/response, their exploit needs to be tweaked, or not vulnerable | does not know if an attack is the red team or an actual attacker (Note: for IR training this is initially fine, but should be deemed "exercise" quickly as to deconflict with a real threat) |
When testing is complete, sends a report to the blue team, potentially containing invalid assumptions based on limited knowledge | attempts to interrupt findings and risks, sometimes ignores or downplays things not understood, works on remediation based on their understanding of the attack (which may not always be fully understood) |
Problems with this approach - that benefit no one:
- The feedback loop through testing is indirect and passive.
- With no knowledge of the potential defenses and detective controls, the red team spends a significant amount of time during recon and bypassing initial defenses, which drastically reduces the number of tests conducted, the time spent on more advanced attacks, and overall testing thoroughness.
- When an attack is successful, the red team feels like they've "won" and the blue team feels like they've "lost", or visa-versa.
- The indistinguishable difference between red team testing and an actual attacker often leads to one of two serious problems: blue team wasting valuable time standing up and performing unplanned incident response or ignoring certain activity because "it's just the testers" - which can have potentially disastrous consequences.
Collaboration is Always Better
While this traditional red team approach reveals strengths and weaknesses related to an organization’s security posture, the lack of collaboration and visibility between the two teams can introduce gaps. The goal is to improve security, not to "win" a competition.
Purple Teaming
Purple teaming provides a way to close the gap that exists in the traditional red vs blue approach, provides superior value, reduces testing time and costs, and allows the two "sides" an opportunity to learn from each other through a continuous feedback loop.
An increasing number of organizations are shifting away from the traditional red team versus blue team model and adopting a collaborative approach between the two. This isn't a new type of test but rather an approach applicable across all offensive security tests.
Just as an equal measure of red and blue mixed together make purple, purple teaming is able to enhance an organization's security through mutual collaboration.
Purple Teaming Benefits
In general, Purple Teaming:
- removes the adversarial component of testing
- accelerates testing performance while decreasing time and budget
- supports the sharing of tools and tactics
- builds and enhances security knowledge
- promotes the development of new strategies
- aligns the interests of both teams
- strengthens and maximizes each team's individual and collective impact and effectiveness
- red team is able to find more advanced attack vectors
- provides blue team insight into attacker techniques and a better understanding of sophisticated attack methods
- helps prioritize security improvements
- measures and improves the blue team's ability to prevent and detect attacks
- improves an organization's overall security posture
Purple Teaming Examples
Example scenarios that can benefit from the close collaboration of Purple teaming:
- Full white box vulnerability scans, assessments, and penetration tests - helps to quickly, efficiently, and thoroughly identify technical vulnerabilities, maximize knowledge transfer, and verify mitigations near real-time
- Social engineering - identifying and testing the most vulnerable people with the most likely-to-succeed approach, in order to help gauge risks, provide training to the users, and cross-train the blue team on effective social engineering assessment strategies
- Technique simulation - to verify, correct, and add detection capability near real-time
- Hands-on tabletop exercise - target training to the areas that need the most help
- Full adversarial simulation (an engagement that is designed to test incident response) - red team joining incident response (IR) status syncs and sharing knowledge to help speed up various long-running blue team IR tasks, allowing for maximum training opportunity for the IR process as a whole
Purple Teaming in Practice
Let's use the analogy of paint to show what an effective purple team approach looks like.
True, pure purple is equal amounts of red and blue. Any other ratio is not pure purple. Depending on how little of one color there is in the mix, eventually, you would just call it a shade of the majority color. For example, having three times as much red as blue in the mix, it would just be considered “a shade of red”.
Likewise, with testing, there is always some blend of “the red side” and “the blue side” putting in “paint”.
Traditionally, that mixture has been almost entirely red. In other words, the engagement was largely treated with a “black box” approach. As offensive security (red side) has matured, and likewise, the blue side has matured, much of the industry now recognizes the testing thoroughness and efficiency, reduction in testing time, and value of a true purple blend.
Here is what the “purple team” analogy specifically looks like in a testing engagement.
- Blue team would provide full knowledge, access, and collaboration. Examples: https://penconsultants.com/whiteboxApproach
- Red team would provide access to everything they have done, are doing, or plan to do; down to the tool, command level, and infrastructure level. Examples: https://penconsultants.com/realtimeTransparency
How to get started with Purple Teaming
By default, in all engagements, PEN Consultants provides access to everything, in real-time - https://penconsultants.com/realtimeTransparency. We are the only firm we know of that does this at the level that we do. We are fully committed to a “purple team” approach in every engagement. However, we are only one-half of that purple mixture. If you are willing and able to mix in an equal measure from your “blue” side, you will achieve maximum return on investment with testing.
Contact us today to get started!