Purple team: Bridge between Red Teams and Blue Teams

Although offensive and defensive controls work towards the same goal, how do you ensure red and blue teamwork follows a collaborative approach? The answer is this article – purple teaming for dummies.  There is a gap between the red and blue teams capabilities in multiple ways, i.e. approach, methodology, tool-sets and timelines. Both teams must work collaboratively and constantly to maximise their company’s investment towards ongoing defensive improvements.   We have encountered this scenario several times where blue teams overlooked critical events that would have broken the attack chain within moments. Companies do not get compromised with poor staff or skills, or it’s not always 0 days. Most of the time, it is due to a lack of knowledge around techniques that went undetected due to small tweaks or tuning in the technology or processes. This is where the purple team fills the gap. 

Red team vs Blue team vs purple team

What is a Red Team?

Red teaming is a real-time cyber-attack simulation on an organisation to test its defensive controls. These controls are composed of people, processes and technology (application, systems, networks, devices) in use.  No prior information is supplied to the offensive security team (or security consultants) carrying out red teaming operations. After agreeing on the objectives, the only authorisation provided by the customer requesting red team is authorisation forms approving legal terms (Computer Misuse Act).  All the findings with timelines and relevant data are shared with the customer to fully understand strengths and weaknesses in the infrastructure, processes, and staff.  By thinking like an attacker, or one of your competitors, the red team pen test is driven to gain access and is not restricted by assumptions or preconceptions. Also Read: Red Teaming Vs Pentesting

What is a Blue team?

The Blue team comprises security professionals responsible for identifying and implementing defensive capabilities that help in threat prevention, detection, response, and recovery phases. It is generally a cyber security operations centre (CSOC) in-house or managed by an MSSP. The blue team’s major responsibility is to defend the organisation against all the attacks all the time. An attacker needs to be successful once to cause the damage. The odds of this situation is why internal processes and relevant controls need to be efficient. Blue team pen testing helps to evaluate an organisation’s security environments while defending from red team activities. Both share the common objective of improving security controls of the organisation in question.  Access to IT and security equipment, compatibility of data, network traffic, analysis of events, threat intelligence, and alerts are significant elements that identify suspicious events.

Challenges

It isn’t that smooth to deploy internal resources and implement all defensive controls to prevent, detect and respond to security events. Red team assessments may lead to finding similar ways or even exploiting short-cut fixes in certain scenarios.

Visibility of red team TTP

Red team reports often lack detail because of the extra stress on detailing the compromise or objectives agreed before the engagement. Although this is a good element of the report, the blue team cannot interpret results without critical details such as timelines, notes around TTP used by the red team and any debriefing sessions with internal security teams. This leads to assumptions and misunderstandings in defensive controls improvements. 

Shortcuts 

Too often, teams have unintentionally missed planning around holistic approach based controls, and such deployments led to new opportunities for threat actors. Acting on the control based on one property that was noticed or popular with attacks in the wild would only work for a limited time. For instance, the secure hardening approach must be enforced on all the assets under the same category, not just a few. Situations like these are a downside of the blue team and do not emulate red team activity. A similar concept goes for defensive controls against social engineering techniques through continuing education and online awareness courses.

Skill-set

Blue teams often find it challenging not to assess the security controls the same way as a red team. This is due to a lack of red team characteristics such as skill-set, approach and adversarial mindset. 

Bridging red and blue teams – A joint approach

An organisation’s goal is to keep improving defensive controls on an ongoing basis. This is based on the input from teams working on the outside and the inside of the organisation. The offensive approach involves activities ranging from vulnerability assessments, penetration testing to full-scale red teaming. The blue team handles all the work inside the organisation, varying from improving the detection processes to handling regular incidents.  Red teaming is mostly done by external third-party consultants, a separate team with an adversarial mindset. Its activities are used to find gaps in the security controls such as configuration, patch management, information storage, permissions, authorisation, authentication, encryption, logging and incident response processes.  The blue team is unaware of all the Tactics, Techniques and Procedures (TTP) in use by the red team. This gap between the two teams remains large due to the lack of resources on an ongoing basis. These resources could be anything from attack techniques, tool-set to approach towards attacking the organisation.  Purple teaming  Purple teaming is a process that combines existing red and blue teams to ensure a collaborative effort to improve prevent, detect and response measures. It doesn’t represent specific teams; mostly, it’s an approach to ensure the blue team understands the red team’s capabilities.  As red teams mimic threat actors Tactics, Techniques and Procedures (TTP), a blue team’s job is to ensure they have understanding and capabilities to detect and respond to the underlying techniques. Building this capability for detection and response requires input from the offensive side to understand how these attacks unfold. This equips the blue team to ensure security controls and processes are in place to capture the relevant events.   Therefore, continuous debriefs and clear communication are the key pillars of the successful purple teaming process.  Purple teaming examples:

• A threat actor targeting the support team of a business with targeted email attacks. The threat is not so obvious because the email contains just a link, and all the payloads are hosted on the internet and used on the fly for decryption and execution from memory. A blue team’s responsibility is to capture traffic alerts only if relevant controls (such as specific event logging, traffic size, URL reputation, etc. settings) on web and email traffic are in place. 
• Data exfiltration exercises performed by the red team must educate the blue team on gaining an initial foothold. Further privilege escalation was used to gain full control of the affected endpoint.

The above are amongst the most popular scenarios. However, the red and blue teams must coordinate to create more scenarios to work together and regularly conduct simulation exercises to improve their purple team approach. This must be a continuous process to work together, learn and improve the organisations’ security.

Purple teaming framework

MITRE ATT&CK is a knowledge base consisting of adversary tactics and techniques based on real-world observations. It is a useful resource for purple teams to assist during assessments that simulate and improve detection and response capabilities. For every business, purple teams tools and scenarios may change based on certain factors. Therefore, you should look into tactics that are relevant to you based on sophistication. It provides four use cases that are:

1. Threat intelligence
2. Detection and Analytics
3. Adversary Emulation and Red Teaming
4. Assessments and Engineering

This would ensure the purple team is producing the greatest ROI when tailored, and real-world scenarios in their organisation drive the defensive strategy. 

How Cyphere can help 

Cyphere have real-world expertise across multiple sectors delivering red teaming, penetration testing and security validation exercises for more than 10 years. By utilising our sector-specific expertise and offensive security skill-set, we help organisations continually assess and mitigate their risks across the estate. Tailored scenarios such as purple teamservices aree a testament to how security providers (where required) should have the flexibility to work as team players than ‘report and run’ consultancy.  Whether it be a big or small business, a security strategy should balance risk remediation and usability. To eliminate threats, actionable insights into your weaknesses and ongoing improvements towards current controls are two strengths of our team that help businesses improve their cyberattacks preparedness.  Get in touch to discuss your concern,s and one of our consultants will be in touch with you.