Purple teaming: Bridge between Red Teams and Blue Teams



Although offensive and defensive controls work towards the same goal, how do you ensure that red and blue teams follow a collaborative approach? The answer is purple teaming.

There is a gap between red team and blue team capabilities in multiple ways: approach, methodology, tool-sets and timelines. Both teams must work collaboratively and constantly to maximise their company's investment in ongoing defensive improvements. Our purple teaming service provides stronger assurance by basing security strategy on realistic concerns.

We have encountered this scenario several times: blue teams failed to notice critical events that, had they been caught, would have broken the attack chain within moments. Companies are not usually compromised because of poor staff, a lack of skills or zero-days; most of the time it is due to a lack of knowledge about techniques that went undetected because of small tweaks or tuning in the technology or processes. This is where the purple team fills the gap.

Red team vs Blue team 

What is a Red team?

Red teaming is a real-time cyber attack simulation on an organisation to test its defensive controls. These controls are composed of people, processes and technology (application, systems, networks, devices) in use. 

No prior information is supplied to the offensive security consultants carrying out red team operations. After agreeing on the objectives, the only authorisation provided by the customer requesting the red team is the set of authorisation forms approving the legal terms (Computer Misuse Act).

All findings, with timelines and relevant data, are shared with the customer to ensure a full understanding of the strengths and weaknesses in the infrastructure, processes and staff.

By thinking like an attacker, or one of your competitors, the Red Team exercise is driven to gain access and is not restricted by assumptions or preconceptions.

What is a Blue team?

The blue team is composed of security resources responsible for identifying and implementing the defensive capabilities that support the threat prevention, detection, response and recovery phases. It is generally a cyber security operations centre (CSOC), either in-house or managed by an MSSP.

The blue team's major responsibility is to defend the organisation against all attacks, all the time, whereas an attacker needs to succeed only once to cause damage. These odds are why internal processes and the relevant controls need to be efficient.

Access to IT and security equipment, compatibility of data, network traffic, analysis of events, threat intelligence and alerts are some of the significant elements that work towards identifying suspicious events.

Challenges

It isn't always smooth to deploy internal resources and implement all the defensive controls needed to prevent, detect and respond to security events. Red team assessments may find similar ways in, or in certain scenarios even exploit short-cut fixes.

Visibility of red team TTPs

Red team reports often lack detail because of the extra stress on describing the compromise or the objectives agreed before the engagement. Although this is a good element of the report, the blue team cannot interpret the results without critical details such as timelines, notes on the TTPs used by the red team, and debriefing sessions with the internal security teams. This leads to assumptions and misunderstandings when improving defensive controls.

Shortcuts 

Too often, teams have unintentionally missed planning controls around a holistic approach, and such deployments have opened new opportunities for threat actors. Acting on a control based on one property that was noticed, or that was popular in attacks in the wild, only works for a limited time. For instance, a secure hardening approach must be enforced on all the assets in the same category, not just a few. Situations like these are a downside of the blue team and do not emulate red team activity.

Skill-set

Blue teams often find it challenging to assess the security controls the same way a red team would. This is due to a lack of red team characteristics such as skill-set, approach and an adversarial mindset.

Bridging red team and blue team – A joint approach

An organisation's goal is to keep improving its defensive controls on an ongoing basis, based on input from the teams working on the outside and the inside of the organisation. The offensive approach involves activities ranging from vulnerability assessments and penetration testing to full-scale red teaming. The blue team handles all the work inside the organisation, varying from improving the detection processes to handling regular incidents.

Red teaming is mostly done by external third-party consultants, a separate team with an adversarial mindset. Its activities are used to find gaps in security controls such as configuration, patch management, information storage, permissions, authorisation, authentication, encryption, logging and incident response processes.

The blue team is not aware of all the Tactics, Techniques and Procedures (TTPs) in use by the red team. This gap between the two teams remains large because resources are not shared on an ongoing basis; these resources could be anything from attack techniques and tool-sets to the approach taken towards attacking the organisation.

Purple teaming 

Purple teaming is a process that combines existing red and blue teams in a collaborative effort to improve prevention, detection and response measures. It does not represent a specific team; rather, it is an approach aimed at ensuring the blue team understands the red team's capabilities.

As red teams mimic threat actors' Tactics, Techniques and Procedures (TTPs), the blue team's job is to ensure it has the understanding and capabilities to detect and respond to the underlying techniques. Building this detection and response capability requires input from the offensive side, with an understanding of how these attacks unfold. This equips the blue team to ensure that the configuration of security controls and processes is in place to capture the relevant events.

Examples:

  • A threat actor targets the support team of a business with targeted email attacks. The threat is not obvious because the email contains just a link; all the payloads are hosted on the internet and fetched on the fly for decryption and execution from memory. The blue team can only capture traffic alerts if the relevant controls (such as specific event logging, traffic size and URL reputation settings) on web and email traffic are in place.
  • Data exfiltration exercises performed by the red team must educate the blue team on how the initial foothold was gained and how privilege escalation was then used to gain full control of the affected endpoint.

The above are amongst the most popular scenarios; however, the red team and the blue team must coordinate to create more scenarios together and conduct simulation exercises regularly to improve their purple teaming approach.

Purple teaming framework

MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. It is a useful resource for purple teams during assessments that simulate attacks and improve detection and response capabilities.

For every business, purple team tools and scenarios may change based on certain factors. Therefore, you should look into the tactics that are relevant to you based on the sophistication of the threats you face. ATT&CK provides four use cases:

  1. Threat intelligence
  2. Detection and Analytics
  3. Adversary Emulation and Red Teaming
  4. Assessments and Engineering

This ensures purple teaming produces the greatest ROI: tailored, real-world scenarios in the context of the organisation drive the defensive strategy.
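The scenarios above and the ATT&CK use cases both come down to one question the purple team must answer after each exercise: which red team techniques fired an alert, how long after the action, and which ones nobody saw. The following is an added example, not Cyphere's tooling, that correlates a red team activity timeline with blue team alerts by ATT&CK technique ID and reports detection coverage per tactic; both logs are constructed for illustration, and the technique IDs are real ATT&CK identifiers used only as labels.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
# Constructed red-team activity log (timestamp, ATT&CK technique ID, tactic, note): the timeline and TTP detail a debrief needs.
RED_TEAM_LOG = [
    ("2024-03-04T09:12:00", "T1566.002", "Initial Access", "phishing link sent to support mailbox"),
    ("2024-03-04T09:40:00", "T1059.001", "Execution", "PowerShell stager fetched payload from web host"),
    ("2024-03-04T09:41:00", "T1055", "Defense Evasion", "payload injected into a running process"),
    ("2024-03-04T11:05:00", "T1068", "Privilege Escalation", "local privilege escalation on endpoint"),
    ("2024-03-04T14:30:00", "T1041", "Exfiltration", "staged data sent over the C2 channel"),
]
# Constructed blue-team alert log (timestamp, technique the alert was mapped to, source).
BLUE_TEAM_ALERTS = [
    ("2024-03-04T09:55:00", "T1059.001", "proxy: script download from low-reputation URL"),
    ("2024-03-04T15:10:00", "T1041", "netflow: unusual outbound volume from endpoint"),
]

@dataclass
class Outcome:
    technique: str
    tactic: str
    detected: bool
    minutes_to_detect: Optional[float]  # None when the technique was never alerted on

def correlate(red_log, alerts):
    """Join each red-team action to the earliest blue-team alert for the same technique."""
    first_alert = {}
    for ts, tech, _ in alerts:
        t = datetime.fromisoformat(ts)
        first_alert[tech] = min(first_alert.get(tech, t), t)
    outcomes = []
    for ts, tech, tactic, _ in red_log:
        ran = datetime.fromisoformat(ts)
        seen = first_alert.get(tech)
        detected = seen is not None and seen >= ran  # only alerts fired after the action count
        ttd = (seen - ran).total_seconds() / 60 if detected else None
        outcomes.append(Outcome(tech, tactic, detected, ttd))
    return outcomes

def coverage_by_tactic(outcomes):
    """Fraction of executed techniques per ATT&CK tactic that produced an alert."""
    totals, hits = {}, {}
    for o in outcomes:
        totals[o.tactic] = totals.get(o.tactic, 0) + 1
        hits[o.tactic] = hits.get(o.tactic, 0) + int(o.detected)
    return {t: hits[t] / totals[t] for t in totals}

def gaps(outcomes):
    # Techniques that ran with no alert: the list the purple team works through next.
    return [o.technique for o in outcomes if not o.detected]
```

In a real exercise the red team tuples are exactly the timeline notes the reporting section above says are usually missing, and the output of gaps() is the agenda for the joint debrief.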

How Cyphere can help

Cyphere has real-world expertise across multiple sectors, delivering red teaming, penetration testing and security validation exercises for more than 10 years. By utilising our sector-specific expertise and offensive security skill-set, we help organisations continually assess and mitigate their risks across the estate.

Tailored scenarios such as purple teaming training are a testament to how security providers (where required) should have the flexibility to work as team players rather than as 'report and run' consultancies.

Be it a big or small business, security strategy should provide a balance between risk remediation and usability. Actionable insights into your weaknesses and ongoing improvements to current controls are two strengths of our team that help businesses improve their preparedness for cyber attacks.

Get in touch to discuss your concerns and one of our consultants will contact you.
