Popular terms that come to mind in discussions about security testing are the so-called red team and blue team. These represent two sides in an attack scenario, wherein the red team is the attacker and the blue one is the defender. The red team employs methods such as vulnerability scanning, penetration testing, port scanning, as well as social engineering tactics. The latter undertakes data analysis, network monitoring, risk assessments, and threat detection strategies.
Having these two teams supposedly covers the essential areas of interest a cyber defense strategy needs. Their activities simulate what attackers and defenders do to generate meaningful insights on how to improve a cybersecurity system. They advance security validation without preconceptions, presumptions, and other forms of biases since the two teams operate separately and do not come from the same organization.
So why is there a need for purple teaming? What makes it a better strategy?
The purple misconception
Before anything, it’s important to clarify that purple teaming is not exactly the establishment of a new team that has both red and blue team members. It is not a standalone group of security experts. Rather, it is a system that seeks to bridge the gap between the red and blue teams.
Purple teaming enables the sharing of insights between attackers and defenders, something that is missing in the conventional red team and blue team operations. Often, red and blue teams hesitate to share their information with each other except for the report they are expected to deliver.
After the red team launches several white hat attacks, they then inform the organization of what they did, including where they failed and succeeded. This report is unlikely to include specific details that help the security team improve the detection and prevention of a specific attack. The blue team has to figure that out on their own.
Purple teaming enables red team-blue team exercises, which entail collaboration and promote healthy competition and out-of-the-box thinking. The opposing teams are not just trying to outdo each other. Instead, they work together to explore other possibilities they would likely miss if they were not working collaboratively.
“Instead of it being a penetration test, it’s about working with the blue team — whether that’s the security operations center or the firewall team or systems administrators. It’s about understanding that we’re going to simulate all these different attacks across your environment,” says noted white hat Dave Kennedy, who observes that hostility tends to develop between the red team and the blue team (the organization’s own security team).
A simple but crucial concept
The idea of purple teaming sounds simple and straightforward, but it is something organizations gradually realize they need. Veteran information security professional Joseph Salazar describes it as a “fast-rising trend in cybersecurity” that represents a new generation in penetration testing characterized by a collaborative approach.
Now, many organizations are turning to it for their cybersecurity validation routines. Many security validation platforms already feature purple teaming modules to help companies take advantage of looking at cybersecurity from the perspectives of both attacker and defender. At least one security validation platform is now offering a purple teaming module for penetration testers, particularly managed security service providers (MSSPs).
Purple teaming is also being undertaken in line with the MITRE ATT&CK framework to amplify the effectiveness of threat detection, prevention, and mitigation capabilities. With the help of this globally accessible knowledge base of adversarial tactics and techniques, organizations come up with better strategies for dealing with threats and are able to respond to attacks with greater agility and efficiency.
The benefits
As mentioned, purple teaming results in more thorough security assessments because independent attacking and defending teams are working together instead of engaging in hostile competition.
A cybersecurity team that keeps failing to detect the command-and-control infrastructure of an attack, for example, could use the insights of attackers to come up with better detection criteria based on SSL termination, privilege escalation, PowerShell commands, or other variables. By working with those who are better versed in adversarial tactics and techniques, they get to tune their defenses with greater sophistication and efficiency.
Purple teaming makes the security testing process active instead of largely passive. This is because the teams are no longer divided by conflicting goals. They work towards common objectives while maintaining their independence and their differing points of view. They can simulate more aggressive attack scenarios by exploring “what-if” situations they would not be able to consider if they were working separately. The purple team approach allows organizations to effectively correlate security control findings with threats or attacks.
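The detection-criteria scenario above is the kind of thing a purple team iterates on together: the red side explains which features of its PowerShell tradecraft are stable, and the blue side turns them into layered, weighted rules instead of a single brittle match. The following example is added here to illustrate that; it is not code from the original article or from any product it mentions. The process-creation events are constructed sample data loosely modelled on EDR/Sysmon fields, and the rule names, weights and alert threshold are illustrative assumptions.

```python
import base64
import re

def _enc(ps: str) -> str:
    """Base64 of a UTF-16LE string, which is what PowerShell's -EncodedCommand expects.
    Used only to build the constructed sample events below."""
    return base64.b64encode(ps.encode("utf-16le")).decode("ascii")

# Constructed process-creation events (sample data, not real telemetry).
# Event 2 is an encoded but harmless command: it shows why a single criterion
# ("any encoded command") would alert on benign administration.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"id": 2, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -enc " + _enc("Write-Host 'hello'")},
    {"id": 3, "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -enc "
                + _enc("Invoke-WebRequest -Uri http://beacon.example.invalid/")},
]

# PowerShell accepts abbreviated switches, so match the common prefixes.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
HIDDEN = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, or '' if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return ""

# Each rule is (name, weight, predicate). Weights are illustrative tuning values
# a purple team would adjust after comparing red-side runs with blue-side alerts.
RULES = [
    ("encoded_command", 1, lambda ev: ENC_FLAG.search(ev["cmdline"]) is not None),
    ("hidden_window", 1, lambda ev: HIDDEN.search(ev["cmdline"]) is not None),
    ("office_parent", 2, lambda ev: ev["parent"].lower() in OFFICE_PARENTS),
    ("decoded_external_url", 2,
     lambda ev: re.search(r"(?i)https?://", decode_encoded_command(ev["cmdline"])) is not None),
]

ALERT_THRESHOLD = 3  # assumed: alert only when several weak signals stack up

def evaluate(event: dict) -> dict:
    """Score one event against all rules and decide whether it crosses the alert line."""
    hits = [name for name, _, pred in RULES if pred(event)]
    score = sum(w for name, w, _ in RULES if name in hits)
    return {"id": event["id"], "hits": hits, "score": score,
            "alert": score >= ALERT_THRESHOLD}

def run(events=SAMPLE_EVENTS) -> list:
    return [evaluate(ev) for ev in events]

if __name__ == "__main__":
    for result in run():
        print(result)
```

The benign encoded command (event 2) collects a score of 1 and stays quiet, while the hidden, Office-spawned, URL-carrying command (event 3) trips every rule; that contrast is the feedback loop purple teaming is meant to shorten, since the red side can tell the blue side immediately which of these signals it could have avoided and which it could not.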
Security validation through purple teaming also creates the benefit of faster outcomes because of the cooperation between the attack and defense teams. “By working together from both sides to test something specific, the teams are able to learn from one another and act on the results in a timely manner. Consequently, the team works faster at identifying and resolving critical security gaps and results in a real-time trend view of security posture,” explains Dan DeCloss, CEO and founder of a security collaboration and reporting platform.
Even better, with the help of automation, purple teaming allows organizations to optimize threat detection and incident response. It significantly enhances SOC validation by generating real-time performance metrics, including mean time to detect and mean time to respond. It also builds greater resilience against advanced persistent threats (APTs).
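To make the metrics in the two paragraphs above concrete, here is an added example (not from the original article or any platform it refers to) of an exercise ledger that maps each red-side test case to the MITRE ATT&CK technique it emulated and derives detection coverage per tactic, mean time to detect, mean time to respond, and the list of missed techniques. The ledger rows, timestamps and outcomes are constructed sample data; the technique IDs are real ATT&CK identifiers used purely for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

@dataclass
class TestCase:
    technique: str                  # ATT&CK technique ID the red side emulated
    tactic: str                     # ATT&CK tactic it was tested under
    executed: datetime              # when the red side ran the test
    detected: Optional[datetime]    # when the blue side raised it (None = missed)
    contained: Optional[datetime]   # when the blue side finished responding (None = open)

T0 = datetime(2024, 1, 1, 9, 0)     # constructed base time for the exercise

def _t(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)

# Constructed exercise ledger: four test cases, one of them undetected.
LEDGER = [
    TestCase("T1059.001", "execution",            _t(0),  _t(4),  _t(30)),
    TestCase("T1071.001", "command-and-control",  _t(10), None,   None),
    TestCase("T1548.002", "privilege-escalation", _t(20), _t(45), None),
    TestCase("T1003.001", "credential-access",    _t(40), _t(42), _t(60)),
]

def detection_rate(ledger) -> float:
    """Fraction of test cases the blue side detected at all."""
    return sum(tc.detected is not None for tc in ledger) / len(ledger)

def coverage_by_tactic(ledger) -> dict:
    """Map tactic -> (detected, total) so gaps are visible per ATT&CK column."""
    cov = {}
    for tc in ledger:
        detected, total = cov.get(tc.tactic, (0, 0))
        cov[tc.tactic] = (detected + (tc.detected is not None), total + 1)
    return cov

def mean_time_to_detect(ledger) -> Optional[float]:
    """MTTD in minutes over detected cases; None if nothing was detected."""
    deltas = [(tc.detected - tc.executed).total_seconds() / 60
              for tc in ledger if tc.detected is not None]
    return mean(deltas) if deltas else None

def mean_time_to_respond(ledger) -> Optional[float]:
    """MTTR in minutes from detection to containment over contained cases."""
    deltas = [(tc.contained - tc.detected).total_seconds() / 60
              for tc in ledger if tc.detected is not None and tc.contained is not None]
    return mean(deltas) if deltas else None

def gaps(ledger) -> list:
    """Technique IDs the blue side never saw: the red side's first debrief items."""
    return [tc.technique for tc in ledger if tc.detected is None]

def summary(ledger=LEDGER) -> dict:
    return {
        "detection_rate": detection_rate(ledger),
        "coverage_by_tactic": coverage_by_tactic(ledger),
        "mttd_minutes": mean_time_to_detect(ledger),
        "mttr_minutes": mean_time_to_respond(ledger),
        "gaps": gaps(ledger),
    }

if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

Re-running the same ledger after each tuning round gives the trend view of security posture the article describes: the detection rate and the gap list show what the blue side now catches, while MTTD and MTTR show whether catching it has become faster.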
Aside from the security posture boost, purple teaming also leads to cost reduction. “Purple teams are typically constructed as an internal resource, which can reduce reaching out to external experts for advice,” shares hacker and cybersecurity expert Matthew Hickey in a talk with Microsoft Product Manager Natalia Godyla about improving security by embracing the hacker culture.
“Unit testing specific attacker behaviors and capabilities against frameworks on an ongoing basis as opposed to performing periodic, full-blown simulated engagements that last several weeks to several months is also a huge time reduction for many companies,” Hickey adds.
In summary
Essentially, the purple team approach is considerably better than red teaming and other traditional penetration testing methods. Collaboration, its key attribute, is good for expediting testing outcomes, achieving more thorough and comprehensive tests, reducing costs associated with security validation, and fortifying the overall security posture of an organization.
It is good to have separate attack and defense teams to simulate the actual cyber threat landscape, but the outcomes can be markedly better if these teams bring their perspectives together to look at possible unexplored instances or combinations of attack and defense approaches based on their differing backgrounds.