Purple teams are created to maximise the effectiveness of the Red and Blue teams.
They do this by pairing Blue team members, who bring in-depth knowledge of defensive tactics and controls, with Red team members, whose skills lie in attack and exploitation. Purple should not be a permanent team, but rather a dynamic partnership between Red and Blue.
It could be seen more as a function or process between the Red and Blue teams.
So, what should the two teams bring to the party?
The Red team should draw on cyber threat intelligence and carry out objectives-based assessments that imitate known threat actors. This information can be gathered from sources such as MITRE ATT&CK. As part of this process, the Red team should document the Tactics, Techniques and Procedures (TTPs) it intends to use and share them with the Blue team.
The Blue team should review and understand the TTPs, then build and configure its detection and response capability in line with these known approaches. For example, if a threat actor is known to use spear-phishing as part of an attack, the Blue team must ensure that it can detect and respond to spear-phishing activity. In this instance, the log files from the mail servers and SMTP relays must be ingested by a SIEM, which is then tuned to detect and alert on the phishing campaign (for instance, sender domains that look like the organisation's own, reply-to addresses that diverge from the sender, and messages that fail SPF or DKIM checks).
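The kind of tuning described above, as an added example that is not part of the original article: a small detection script run over constructed mail-gateway log lines. The log format, the `PROTECTED_DOMAIN` value and the scoring weights are assumptions made for the example; the ATT&CK technique IDs it tags (T1566.001 Spearphishing Attachment, T1566.002 Spearphishing Link) are the real identifiers a Blue team would use to map the alert back to the Red team's documented TTPs.

```python
"""Toy spear-phishing detector for a purple-team exercise (added example, not the article's code).

Scores each inbound message on a few indicators and raises an alert above a threshold.
All log lines below are constructed for the example; no real gateway emits this exact format.
"""

PROTECTED_DOMAIN = "example.com"  # assumed: the organisation's own mail domain
ALERT_THRESHOLD = 3               # assumed: tune to the environment's false-positive tolerance

# Constructed sample gateway log lines, one inbound message each (key=value pairs).
SAMPLE_LOG = """\
2024-03-04T09:12:01Z id=m1 from=hr@example.com reply_to=hr@example.com to=alice@example.com spf=pass dkim=pass urls=0 attach=1
2024-03-04T09:15:44Z id=m2 from=ceo@examp1e.com reply_to=ceo@examp1e.com to=cfo@example.com spf=fail dkim=none urls=1 attach=0
2024-03-04T09:20:07Z id=m3 from=support@example.com reply_to=support@mail-recovery.net to=bob@example.com spf=fail dkim=none urls=1 attach=0
2024-03-04T09:31:19Z id=m4 from=news@vendor.org reply_to=news@vendor.org to=alice@example.com spf=pass dkim=pass urls=3 attach=0
"""


def parse_line(line):
    """Turn 'ts k=v k=v ...' into a dict; the timestamp is kept under 'ts'."""
    ts, *pairs = line.split()
    rec = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def domain(addr):
    """Return the lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a, b):
    """Levenshtein distance; used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(rec):
    """Return (score, reasons, attack_techniques) for one parsed log record."""
    score, reasons = 0, []
    sender = domain(rec["from"])
    reply = domain(rec.get("reply_to", rec["from"]))
    urls = int(rec.get("urls", 0))
    attach = int(rec.get("attach", 0))

    # Rule 1: external domain within two edits of our own (typosquat / homoglyph lookalike).
    if sender != PROTECTED_DOMAIN and edit_distance(sender, PROTECTED_DOMAIN) <= 2:
        score += 3
        reasons.append(f"lookalike sender domain {sender}")
    # Rule 2: claims to be our own domain but does not pass SPF (direct spoof).
    if sender == PROTECTED_DOMAIN and rec.get("spf") != "pass":
        score += 3
        reasons.append("internal sender domain without SPF pass")
    # Rule 3: replies are diverted to a domain other than the sender's.
    if reply != sender:
        score += 2
        reasons.append(f"reply-to domain {reply} differs from sender")
    # Rule 4: unauthenticated mail that carries a link.
    if rec.get("spf") != "pass" and rec.get("dkim") != "pass" and urls > 0:
        score += 1
        reasons.append("unauthenticated mail carrying a link")

    techniques = []
    if urls > 0:
        techniques.append("T1566.002")  # ATT&CK: Phishing: Spearphishing Link
    if attach > 0:
        techniques.append("T1566.001")  # ATT&CK: Phishing: Spearphishing Attachment
    return score, reasons, techniques


def detect(log_text, threshold=ALERT_THRESHOLD):
    """Run the rules over every line and return the alerts that cross the threshold."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        score, reasons, techniques = score_message(rec)
        if score >= threshold:
            alerts.append({"id": rec["id"], "recipient": rec["to"], "score": score,
                           "reasons": reasons, "techniques": techniques})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In the sample, the lookalike-domain message to the CFO and the spoofed internal message with a diverted reply-to both alert, while the genuine HR attachment and the vendor newsletter do not. In a real SIEM these rules become correlation searches over the ingested gateway fields rather than a script, but the indicators, weights and ATT&CK mapping are the same things the Blue team has to get right before the exercise starts.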
The Purple team could then use this scenario to build an exercise to test the Blue team’s ability to detect and stop the attack.
The Red team would be tasked with trying to exfiltrate sensitive data from the internal network using the identified TTPs, which may include the creation of an attack tree. The Red team might want to compromise an end-user host with malicious links inside a well-crafted phishing e-mail. This would be with the intent of capturing the target's credentials to launch further campaigns across the internal network. This might lead to privilege escalation to access a core database before exfiltrating data from the network.
The Blue team must have the right tools, detection techniques, and skills that give them the ability to detect this type of attack. The primary objectives of any Blue team are to detect, record and respond to the attack and prevent the Red team from carrying out its objectives.
When creating a scenario for the Red and Blue teams together, the Purple team must work with the White team, which organises the resources, funding and business objectives for the exercise.
Contact us to find out how we can assist you in the development and build of your teams’ skills, and in the testing of your cybersecurity capability.